keep-state rules inadequately handle big UDP packets or fragmented IP packets?
Paolo Pisati
p.pisati at oltrelinux.com
Thu Apr 2 04:22:09 PDT 2009
Luigi Rizzo wrote:
>
> Ok then we may have a plan:
>
> what you could do is implement REASS as an action (not as a microinstruction),
> with the following behaviour:
>
> - if the packet is a complete one, the rule behaves as a "count"
> (i.e. the firewall continues with the next rule);
>
> - if the packet is a fragment and can be reassembled, the rule
> behaves as a "count" and the mbuf is replaced with the full packet;
>
> - if the packet is a fragment and cannot be reassembled, the
> rule behaves as a "drop" (i.e. processing stops)
> and the packet is swallowed by ipfw.
>
> This seems a useful behaviour, but it must be documented very
> clearly because it is not completely intuitive. Perhaps we should
> find a more descriptive name.
>
committed yesterday in HEAD as "reass" action, and here is the 7.x
patch: http://people.freebsd.org/~piso/ipfw-reass-7x.diff
--
bye,
P.
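As an added example (not the committed FreeBSD code or the 7.x patch), this Python model applies the three cases Luigi lays out above to constructed fragments: a complete packet passes as a "count", the fragment that completes a datagram is replaced by the reassembled packet, and any other fragment is dropped. The packet fields, addresses and the 24-byte sample datagram are constructed; the kernel's real reassembler also handles overlaps and timeouts, which this model deliberately omits.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:  # constructed stand-in for a packet; the kernel code works on mbufs
    src: str
    dst: str
    ip_id: int
    proto: int
    offset: int  # fragment offset in bytes (the IP header stores it in 8-byte units)
    more: bool   # MF (more fragments) flag
    payload: bytes

COUNT, DROP = "count", "drop"  # "continue with the next rule" / "swallowed by ipfw"
class Reass:
    def __init__(self):
        self.pending = {}  # (src, dst, ip_id, proto) -> fragments seen so far

    def action(self, pkt):
        """Return (verdict, packet) for one packet hitting the reass rule."""
        if pkt.offset == 0 and not pkt.more:
            return COUNT, pkt            # case 1: complete packet, plain "count"
        key = (pkt.src, pkt.dst, pkt.ip_id, pkt.proto)
        frags = self.pending.setdefault(key, [])
        frags.append(pkt)
        full = reassemble(frags)
        if full is None:
            return DROP, None            # case 3: cannot reassemble (yet), stop
        del self.pending[key]
        return COUNT, full               # case 2: mbuf replaced with the full packet

def reassemble(frags):
    """Full packet if frags form a gapless chain ending in MF=0, else None."""
    frags = sorted(frags, key=lambda f: f.offset)
    if frags[-1].more:
        return None                      # last fragment not seen yet
    expected = 0
    for f in frags:
        if f.offset != expected:
            return None                  # gap or overlap: treated as incomplete
        expected += len(f.payload)
    h = frags[0]
    return Pkt(h.src, h.dst, h.ip_id, h.proto, 0, False,
               b"".join(f.payload for f in frags))

def demo():
    """Constructed sample: 24-byte datagram in three fragments, out of order."""
    r = Reass()
    mk = lambda off, more, data: Pkt("10.0.0.1", "10.0.0.2", 0x1234, 17, off, more, data)
    return [r.action(p) for p in (mk(8, True, b"B" * 8), mk(16, False, b"C" * 8),
                                  mk(0, True, b"A" * 8))]
```

The first two fragments are dropped because the datagram is still incomplete; the third completes it and the reassembled packet continues to the keep-state rules below the reass rule.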