Hello,
I've got just one nit, which is probably overcautious, so I don't insist:
> @@ -231,8 +245,16 @@ void
> pf_free_fragment(struct pf_fragment *frag)
> {
> struct pf_frent *frent;
> + struct pf_frnode*frnode;
>
> - RB_REMOVE(pf_frag_tree, &pf_frag_tree, frag)
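Review bot: in pf_free_fragment(), the removed `RB_REMOVE(pf_frag_tree, &pf_frag_tree, frag)` needs a counterpart that unlinks frag from its tree before the fragment is freed, and the quoted hunk stops before showing one. Since the function now declares a `frnode`, please confirm in the remaining added lines that the fragment is removed through that node and that the node itself is released once it holds no more fragments, so that neither a stale tree entry nor an empty node is left behind. A smaller style point: the new declaration `struct pf_frnode*frnode;` has no separator before the `*`, unlike `struct pf_frent *frent;` on the line above it.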
Hi,
markus@ has seen problems with IPv4 fragments on high volume IPsec
tunnels. The fragment id gets reused too fast, this causes packet
loss and the situation does not recover. Details are in RFC 4963
"IPv4 Reassembly Errors at High Data Rates".
In ESP IPsec tunnels source/destination address a