how ipfw2 handles fragmented packets
JINMEI Tatuya / 神明達哉
jinmei at isl.rdc.toshiba.co.jp
Tue May 29 04:58:31 UTC 2007
Hello,
I have a question about how the ipfw2 implementation performs stateful
operation for (IPv4/IPv6) fragmented packets. Is it possible to make
a state for a flow and match that state against fragmented packets?
As far as I can see from the source code (sys/netinet/ip_fw2.c) it
seems impossible because a state matching done in
lookup_dyn_rule_locked() only compares src/dst address/ports.
I'm also not sure whether the routine that follows IPv6 extension headers
in ipfw_chk() is correct. It continues the processing after seeing a
fragment header regardless of the offset value, but it should be
meaningless except for the first fragment (which has offset 0).
If I'm missing something, could anyone point it out?
Thanks,
JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei at isl.rdc.toshiba.co.jp
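The header walk the question describes, as an added example that is neither ipfw2's code nor the author's: it follows the IPv6 extension-header chain but stops at a fragment header with a non-zero offset, since only the first fragment carries the upper-layer ports that a state lookup like lookup_dyn_rule_locked() could compare. The struct layout, the ports_usable flag and the constructed sample packet are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Result of walking an IPv6 extension-header chain. */
struct walk_result {
    int proto;         /* upper-layer protocol reached, or -1 if truncated */
    size_t l4_offset;  /* byte offset of that header within the packet */
    int ports_usable;  /* 1 only for an unfragmented packet or the first fragment */
};

/* Walk the chain after the 40-byte fixed header at pkt[0], skipping hop-by-hop
 * (0), routing (43) and destination options (60) by their length field. A
 * fragment header (44) with a non-zero offset ends the walk with ports_usable
 * = 0: the bytes after it are payload, not a TCP/UDP header to match ports on. */
struct walk_result walk_ip6_headers(const uint8_t *pkt, size_t len)
{
    struct walk_result r = { -1, 0, 0 };
    if (len < 40) return r;
    int nxt = pkt[6];
    size_t off = 40;
    for (;;) {
        if (nxt == 0 || nxt == 43 || nxt == 60) {
            if (off + 8 > len) return r;
            nxt = pkt[off];
            off += ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len excludes first 8 bytes */
        } else if (nxt == 44) {
            if (off + 8 > len) return r;
            uint16_t frag_off = ((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8; /* bytes */
            nxt = pkt[off];
            off += 8;
            if (frag_off != 0) { r.proto = nxt; r.l4_offset = off; return r; }
        } else {
            r.proto = nxt; r.l4_offset = off;
            r.ports_usable = (off + 4 <= len);  /* src/dst ports are the first 4 bytes */
            return r;
        }
    }
}

/* Constructed sample packet: IPv6 | hop-by-hop (8 bytes) | fragment | TCP.
 * Returns ports_usable for the given fragment offset (in bytes, multiple of 8). */
int fragment_ports_usable(uint16_t frag_off_bytes)
{
    uint8_t p[76] = { 0 };
    p[6] = 0;                        /* IPv6 next header: hop-by-hop options */
    p[40] = 44; p[41] = 0;           /* hop-by-hop: next = fragment, Hdr Ext Len 0 */
    p[48] = 6;                       /* fragment header: next = TCP */
    p[50] = frag_off_bytes >> 8; p[51] = frag_off_bytes & 0xf8;
    return walk_ip6_headers(p, sizeof p).ports_usable;
}
```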