Date: Mon, 29 Jan 2001 09:44:07 -0800 (PST)
From: Archie Cobbs <archie@dellroad.org>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: Alwyn Goodloe <agoodloe@gradient.cis.upenn.edu>, net@FreeBSD.ORG, Archie Cobbs <archie@FreeBSD.ORG>
Subject: Re: ipfw message
Message-ID: <200101291744.JAA20568@curve.dellroad.org>
In-Reply-To: <20010129105926.B27558@sunbay.com> "from Ruslan Ermilov at Jan 29, 2001 10:59:26 am"

Ruslan Ermilov writes:
> I think I have found a bug here.  When the ``divert foo ... udp ...'' rule
> has no destination port specification, everything works as documented, i.e.
> all fragments are reassembled and get diverted to the divert(4) to port
> ``foo''.  If I add the destination port specification, only the first
> (offset zero) fragment gets diverted:

Yep.. diversion happens before reassembly, but diverted packets
are only delivered after reassembly. So if not all of the fragments
are diverted, the packet is lost because only an incomplete portion
of it gets diverted.

To "fix" this bug would require reassembling *all* (or a large
portion of the) packets passing through the kernel, which is
probably not a win.

A workaround is to match conservatively (i.e., match all udp
packets) and have the userland code just reinject any false
positives.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
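
The workaround described in the message above, sketched as an added example that is not part of the original e-mail or of FreeBSD's code: the ipfw rule diverts all UDP, and the userland daemon inspects each reassembled datagram's destination port and reinjects anything it does not want. The names `classify`, `divert_loop` and `handle`, and the rule shape in the comment, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum verdict { REINJECT = 0, HANDLE = 1 };

/* Classify one IPv4 datagram as delivered (already reassembled) by divert(4).
 * want_port is the UDP destination port the ipfw rule no longer matches on. */
enum verdict classify(const uint8_t *pkt, size_t len, uint16_t want_port)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return REINJECT;                       /* not IPv4: pass through */
    if (((pkt[6] & 0x1f) << 8 | pkt[7]) != 0)
        return REINJECT;                       /* non-zero fragment offset: no UDP header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;  /* IP header length including options */
    if (ihl < 20 || pkt[9] != IPPROTO_UDP || len < ihl + 8)
        return REINJECT;                       /* not UDP, or UDP header truncated */
    uint16_t dport = (uint16_t)(pkt[ihl + 2] << 8 | pkt[ihl + 3]);
    return dport == want_port ? HANDLE : REINJECT;
}

#ifdef IPPROTO_DIVERT  /* FreeBSD only; classify() above is portable */
/* Assumed rule: ipfw add divert <divert_port> udp from any to any
 * handle() is a hypothetical callback: non-zero means "reinject after processing". */
int divert_loop(uint16_t divert_port, uint16_t want_port,
                int (*handle)(uint8_t *pkt, size_t len))
{
    uint8_t buf[65535];
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(divert_port) };
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0)
        return -1;
    for (;;) {
        struct sockaddr_in from;
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0)
            return -1;
        if (classify(buf, (size_t)n, want_port) == HANDLE && !handle(buf, (size_t)n))
            continue;                          /* consumed by the application */
        /* False positive: write it back with the address recvfrom() returned. */
        if (sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0)
            return -1;
    }
}
#endif
```

Passing back the sockaddr that `recvfrom()` filled in is what divert(4) documents for reinjection: it carries the rule number and direction, so the packet continues through the ruleset rather than being diverted again.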