Date: Fri, 3 Apr 2009 21:16:52 +0300
From: Dmitriy Demidov <dima_bsd@inbox.lv>
To: Paolo Pisati <p.pisati@oltrelinux.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <200904032116.52684.dima_bsd@inbox.lv>
In-Reply-To: <49D49AEB.20701@oltrelinux.com>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090317223511.GB95451@onelab2.iet.unipi.it> <49D49AEB.20701@oltrelinux.com>

On Thursday 02 April 2009, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> > Ok then we may have a plan:
> >
> > you could do is implement REASS as an action (not as a microinstruction),
> > with the following behaviour:
> >
> > - if the packet is a complete one, the rule behaves as a "count"
> >   (i.e. the firewall continues with the next rule);
> >
> > - if the packet is a fragment and can be reassembled, the rule
> >   behaves as a "count" and the mbuf is replaced with the full packet;
> >
> > - if the packet is a fragment and cannot be reassembled, the
> >   rule behaves as a "drop" (i.e. processing stops)
> >   and the packet is swallowed by ipfw.
> >
> > This seems a useful behaviour, but it must be documented very
> > clearly because it is not completely intuitive. Perhaps we should
> > find a more descriptive name.
>
> committed yesterday in HEAD as "reass" action, and here is the 7.x
> patch: http://people.freebsd.org/~piso/ipfw-reass-7x.diff

Hi Paolo.

Thank you for this work!
I think it is a good feature that will make ipfw more clear and extend its usability for future use.

Hey, you deserve a reward for this work! Do you remember about the 500WMZ bounty?
Please, if you want to get it, contact me outside of this list.
Or I will transfer this money as a donation into FreeBSD Foundation :)

Good luck!
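
The three behaviours listed in the quoted plan, modeled as an added Python example (not part of this message and not the ipfw source). The `Packet` fields, the verdict strings and the names `reass_action` and `demo` are hypothetical, and the model assumes that a fragment whose datagram is still incomplete counts as "cannot be reassembled".

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ip_id: int
    offset: int      # byte offset of this fragment's payload in the datagram
    mf: bool         # IP "more fragments" flag
    payload: bytes

def reass_action(pkt, queue):
    """Model of the 'reass' action. Returns (verdict, packet).
    'next-rule' = behaves like "count"; 'stop' = packet swallowed."""
    # Case 1: complete packet, nothing to do, continue with the next rule.
    if pkt.offset == 0 and not pkt.mf:
        return "next-rule", pkt
    key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
    frags = queue.setdefault(key, {})
    frags[pkt.offset] = pkt
    # Walk from offset 0 and require contiguous coverage up to the last fragment.
    data, pos = b"", 0
    while pos in frags:
        frag = frags[pos]
        data += frag.payload
        pos += len(frag.payload)
        if not frag.mf:
            # Case 2: reassembled, the full packet replaces the fragment.
            del queue[key]
            full = Packet(pkt.src, pkt.dst, pkt.proto, pkt.ip_id, 0, False, data)
            return "next-rule", full
        if not frag.payload:
            break  # empty non-final fragment: cannot make progress
    # Case 3: cannot be reassembled (yet), processing stops here.
    return "stop", None

def demo():
    # Constructed sample traffic: one whole UDP packet and one datagram
    # split into two fragments that arrive out of order.
    queue = {}
    whole = Packet("10.0.0.1", "10.0.0.2", 17, 1, 0, False, b"complete")
    first = Packet("10.0.0.1", "10.0.0.2", 17, 2, 0, True, b"AAAAAAAA")
    last = Packet("10.0.0.1", "10.0.0.2", 17, 2, 8, False, b"BBBB")
    results = [reass_action(p, queue) for p in (whole, last, first)]
    return results, queue

if __name__ == "__main__":
    for verdict, pkt in demo()[0]:
        print(verdict, pkt.payload if pkt else None)
```

Later rules in the ruleset only ever see whole packets or nothing, which is the non-intuitive part the quoted text says must be documented.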