Date: Sun, 15 Mar 2009 11:58:54 +0200
From: Dmitriy Demidov <dima_bsd@inbox.lv>
To: Sergey Matveychuk <sem@freebsd.org>
Cc: freebsd-ipfw@freebsd.org, Luigi Rizzo <rizzo@iet.unipi.it>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <200903151158.54572.dima_bsd@inbox.lv>
In-Reply-To: <49BCCC9D.30109@FreeBSD.org>
References: <200903132246.49159.dima_bsd@inbox.lv> <200903142031.53326.dima_bsd@inbox.lv> <49BCCC9D.30109@FreeBSD.org>
On Sunday 15 March 2009, Sergey Matveychuk wrote:
> Dmitriy Demidov wrote:
> > Hi Luigi. Thank you for the answer.
> > It is a big "surprise" for me that reassembling of IP datagrams is done not *before* they go into the firewall, but *after* :(
>
> But what's wrong with it? A fragment got from the net passes the firewall and is stored. After we get all fragments, the OS reassembles the packet and passes it through the firewall again.
>
> >> it is not related to dynamic rules, but to the fact that
> >> the firewall is called before reassembling packets.
> >> The info (port numbers especially) is not available
> >> in the fragments so the firewall cannot do anything.
> >> The only solution would be to call the firewall
> >> after reassembly. I am not sure if there is any work in progress
> >> for that.

If I got it right from Luigi's explanation, then the problem we see here happens this way: ipfw receives fragmented IP datagrams which contain a split UDP packet inside, (IP-fragment1/UDP-head) + (IP-fragment2/UDP-tail), and it cannot proceed with the second one because of the lack of a UDP header? IP reassembling happens after ipfw?
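The mechanism the thread is circling around, shown as an added model (this is not ipfw code and not from the thread): a UDP datagram larger than the MTU is split into IP fragments, only the first fragment (offset 0) carries the UDP header, and a keep-state lookup keyed on the 5-tuple therefore has nothing to match in the later fragments. Addresses, ports, MTU and payload size below are constructed sample values; the dynamic-rule table, fragmenter and reassembler are simplified models of what a stateful firewall and the IP stack do, not FreeBSD's implementation.

```python
import struct

# Constructed sample flow (not taken from the mailing-list thread).
SRC = "192.0.2.10"
DST = "198.51.100.20"
SPORT, DPORT = 40000, 53
IP_PROTO_UDP = 17
MF_FLAG = 0x2000  # "More Fragments" bit in the IPv4 flags/offset field


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_udp_datagram(payload):
    """IPv4 header (20 bytes, no options) + UDP header (8 bytes) + payload.
    Checksums are left at zero; this model never puts the bytes on a wire."""
    udp = struct.pack("!HHHH", SPORT, DPORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                     IP_PROTO_UDP, 0, ip_to_bytes(SRC), ip_to_bytes(DST))
    return ip + udp


def fragment(datagram, mtu):
    """Split an IPv4 datagram into fragments fitting the MTU.
    Fragment offsets are carried in 8-byte units, as on the wire."""
    hdr, payload = datagram[:20], datagram[20:]
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        flags_off = (MF_FLAG if more else 0) | (off // 8)
        new_hdr = (hdr[:2] + struct.pack("!H", 20 + len(piece)) + hdr[4:6]
                   + struct.pack("!H", flags_off) + hdr[8:])
        frags.append(new_hdr + piece)
    return frags


def parse(pkt):
    """Return (offset_bytes, more_fragments, proto, src, dst, ports).
    ports is None whenever the UDP header is not in this packet."""
    (_, _, _, _, flags_off, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    off = (flags_off & 0x1FFF) * 8
    more = bool(flags_off & MF_FLAG)
    ports = None
    if off == 0 and proto == IP_PROTO_UDP and len(pkt) >= 28:
        ports = struct.unpack("!HH", pkt[20:24])  # only a first fragment has these bytes
    return off, more, proto, src, dst, ports


def dynamic_rule_matches(pkt, state):
    """Model of a keep-state lookup: the dynamic rule is keyed on the full
    5-tuple, so a fragment without a UDP header cannot match it."""
    _, _, proto, src, dst, ports = parse(pkt)
    if ports is None:
        return False
    return (proto, src, dst, ports[0], ports[1]) in state


def reassemble(frags):
    """Naive reassembler: order by offset, join payloads, clear MF/offset,
    and fix the total length. Real stacks also check identification and gaps."""
    frags = sorted(frags, key=lambda f: parse(f)[0])
    payload = b"".join(f[20:] for f in frags)
    hdr = frags[0][:20]
    new_hdr = hdr[:2] + struct.pack("!H", 20 + len(payload)) + hdr[4:6] + b"\x00\x00" + hdr[8:]
    return new_hdr + payload


def demo(mtu=576, payload_len=1200):
    """Filter the fragments before reassembly, then the reassembled datagram after it.
    Returns (fragment_count, per-fragment match results, match after reassembly)."""
    datagram = build_udp_datagram(b"A" * payload_len)
    # Dynamic rule that the first packet of this flow would have created.
    state = {(IP_PROTO_UDP, ip_to_bytes(SRC), ip_to_bytes(DST), SPORT, DPORT)}
    frags = fragment(datagram, mtu)
    before = [dynamic_rule_matches(f, state) for f in frags]
    after = dynamic_rule_matches(reassemble(frags), state)
    return len(frags), before, after


if __name__ == "__main__":
    count, before, after = demo()
    print(f"{count} fragments; matched before reassembly: {before}; after: {after}")
```

With a 1200-byte payload and a 576-byte MTU the datagram becomes three fragments; only the first one matches the dynamic rule, the other two carry no ports and fall through to the static rules, while the reassembled datagram matches. A 1500-byte MTU yields a single unfragmented packet that matches directly. This is why the observed behaviour is a property of where the filter sits relative to reassembly, not of the keep-state rule itself.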
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200903151158.54572.dima_bsd>