From: Paolo Pisati
Date: Thu, 02 Apr 2009 13:00:59 +0200
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov, Alex Dupre
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49D49AEB.20701@oltrelinux.com>
In-Reply-To: <20090317223511.GB95451@onelab2.iet.unipi.it>
List-Id: IPFW Technical Discussions

Luigi Rizzo wrote:
>
> Ok then we may have a plan:
>
> you could do is implement REASS as an action (not as a microinstruction),
> with the following behaviour:
>
> - if the packet is a complete one, the rule behaves as a "count"
>   (i.e. the firewall continues with the next rule);
>
> - if the packet is a fragment and can be reassembled, the rule
>   behaves as a "count" and the mbuf is replaced with the full packet;
>
> - if the packet is a fragment and cannot be reassembled, the
>   rule behaves as a "drop" (i.e. processing stops)
>   and the packet is swallowed by ipfw.
>
> This seems a useful behaviour, but it must be documented very
> clearly because it is not completely intuitive. Perhaps we should
> find a more descriptive name.
>

committed yesterday in HEAD as "reass" action, and here is the 7.x patch:

http://people.freebsd.org/~piso/ipfw-reass-7x.diff

--
bye,
P.
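The three-way behaviour Luigi describes (complete packet: count and continue; reassemblable fragment: count and continue with the full datagram; non-reassemblable fragment: stop and swallow) is easy to misread as "reass drops fragments". The following Python model, added here and not taken from ipfw or from the patch linked above, walks a small rule list with those exact semantics over a constructed fragment train. The `Packet`, `Reassembler`, `Rule` and `Firewall` names are this example's own; fragment offsets are plain byte offsets rather than the 8-byte units real IP headers use, and the reassembler does no timeout or overlap handling. The point it makes is the defensive one: a payload-matching rule placed after `reass` sees the whole datagram, so a pattern split across two fragments is still caught, whereas the same rule evaluated per fragment would miss it.

```python
# Added model of the ipfw "reass" action semantics from this thread.
# Not ipfw code: a tiny fragment reassembler plus a rule loop where "reass"
# behaves as "count" for complete or fully reassembled datagrams and as a
# "drop" (fragment swallowed, processing stops) when reassembly cannot
# complete yet.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    ident: int         # IP identification field shared by fragments of one datagram
    frag_off: int      # fragment offset in bytes (real IP uses 8-byte units)
    more_frags: bool   # MF flag
    payload: bytes

    @property
    def is_fragment(self) -> bool:
        return self.frag_off != 0 or self.more_frags


class Reassembler:
    """Holds fragments per (src, dst, ident) until the datagram is complete."""

    def __init__(self) -> None:
        self.queues: Dict[Tuple[str, str, int], Dict[int, Packet]] = {}

    def feed(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.dst, pkt.ident)
        q = self.queues.setdefault(key, {})
        q[pkt.frag_off] = pkt
        # Complete only if the last fragment (MF clear) has arrived and the
        # byte range from offset 0 up to its end has no gaps.
        last = [f for f in q.values() if not f.more_frags]
        if not last:
            return None
        total = last[0].frag_off + len(last[0].payload)
        data = bytearray()
        pos = 0
        while pos < total:
            f = q.get(pos)
            if f is None:
                return None              # gap: keep waiting for more fragments
            data += f.payload
            pos += len(f.payload)
        del self.queues[key]
        return Packet(pkt.src, pkt.dst, pkt.ident, 0, False, bytes(data))


@dataclass
class Rule:
    number: int
    action: str                                   # "reass", "count", "allow", "deny"
    match: Callable[[Packet], bool] = lambda p: True
    count: int = 0


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        self.reass = Reassembler()

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, packet); verdict is allow, deny or swallowed."""
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            if rule.action == "reass":
                if not pkt.is_fragment:
                    rule.count += 1              # complete packet: behaves as "count"
                    continue
                full = self.reass.feed(pkt)
                if full is None:
                    return ("swallowed", None)   # cannot reassemble yet: stop here
                rule.count += 1                  # reassembled: "count", mbuf replaced
                pkt = full
                continue
            if rule.action == "count":
                rule.count += 1
                continue
            rule.count += 1
            return (rule.action, pkt)            # terminal allow/deny
        return ("deny", pkt)                     # implicit default deny


def demo() -> Tuple[List[str], str]:
    """Constructed fragment train arriving out of order, then a complete packet."""
    fw = Firewall([
        Rule(100, "reass"),
        Rule(200, "deny", match=lambda p: b"BLOCK" in p.payload),
        Rule(300, "allow"),
    ])
    # "BLOCK" straddles the 2nd and 3rd fragments, so no single fragment matches rule 200.
    frags = [
        Packet("10.0.0.1", "10.0.0.2", 7, 9, False, b"CK world"),  # last fragment, first to arrive
        Packet("10.0.0.1", "10.0.0.2", 7, 0, True, b"hello "),
        Packet("10.0.0.1", "10.0.0.2", 7, 6, True, b"BLO"),
    ]
    frag_verdicts = [fw.process(f)[0] for f in frags]
    whole, _ = fw.process(Packet("10.0.0.1", "10.0.0.2", 8, 0, False, b"hi"))
    return frag_verdicts, whole


if __name__ == "__main__":
    print(demo())   # (['swallowed', 'swallowed', 'deny'], 'allow')
```

The first two fragments are swallowed (rule 200 never sees them), the third completes the datagram and the reassembled payload is denied; the unfragmented packet passes straight through `reass` to rule 300. This is also why the action needs the clear documentation Luigi asks for: a swallowed fragment is neither an allow nor a logged deny from the viewpoint of later rules.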