Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 21 Jun 2002 07:38:04 -0700
From:      Luigi Rizzo <>
Subject:   a bug in divert handling of fragments
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help
Hi, there is a case with divert/tee of fragmented packets on
which I would like clarifications:

in ip_input.c::ip_reass(), a comment says:

    #ifdef IPDIVERT
         * Transfer firewall instructions to the fragment structure.
         * Any fragment diverting causes the whole packet to divert.
        fp->ipq_div_info = *divinfo;
        fp->ipq_div_cookie = *divert_rule;
        *divinfo = 0;
        *divert_rule = 0;

However, the code as you see above does not check for existing
divert info, and just overrides whatever state  was there with info
from the latest incoming fragment.

This is in disagreement with the comment, and almost certainly
not what one wants, so I believe this has to be fixed.
I see two possible alternatives:

  #1:   only trust divert info for the fragment with offset 0
        (i.e. the one which should have headers etc.)

  #2:   keep as good the info from the first incoming fragment with
        a non-zero *divinfo (i.e. one which matched a divert rule).

I would prefer #1 because it is less prone to attacks and easier to
implement, and also because there is a lot more information that
the firewall can use to select the packet.

Comments anyone ?


To Unsubscribe: send mail to
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <>