Date:      Mon, 24 Jun 2002 07:19:33 -0700 (PDT)
From:      Archie Cobbs <>
To:        Luigi Rizzo <>
Subject:   Re: a bug in divert handling of fragments
Message-ID:  <>
In-Reply-To: <> "from Luigi Rizzo at Jun 21, 2002 07:38:04 am"

Luigi Rizzo writes:
> This is in disagreement with the comment, and almost certainly
> not what one wants, so I believe this has to be fixed.
> I see two possible alternatives:
>   #1:   only trust divert info for the fragment with offset 0
>         (i.e. the one which should have headers etc.)
>   #2:   keep as good the info from the first incoming fragment with
>         a non-zero *divinfo (i.e. one which matched a divert rule).
> I would prefer #1 because it is less prone to attacks and easier to
> implement, and also because there is a lot more information that
> the firewall can use to select the packet.

#1 sounds good to me too..


Archie Cobbs     *     Packet Design     *
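
An added illustration of the two alternatives quoted above (not code from the FreeBSD sources or from either poster): a toy model of which fragment's divert info each policy records for a reassembled datagram. The struct, function names and sample values are hypothetical and constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a fragment as the reassembly code sees it. */
struct frag {
    uint16_t off;      /* fragment offset; 0 = fragment carrying the headers */
    uint32_t divinfo;  /* divert info from the rule match; 0 = no divert rule matched */
};

/* Alternative #1: trust divert info only from the offset-0 fragment. */
static uint32_t divert_offset_zero(const struct frag *f, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (f[i].off == 0)
            return f[i].divinfo;
    return 0;   /* offset-0 fragment never arrived: nothing to trust */
}

/* Alternative #2: keep info from the first arriving fragment with non-zero divinfo. */
static uint32_t divert_first_match(const struct frag *f, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (f[i].divinfo != 0)
            return f[i].divinfo;
    return 0;
}

/* Constructed arrival orders; 1000 and 2000 are placeholder divert values. */
static const struct frag in_order[]  = { {0, 1000}, {1480, 0}, {2960, 0} };
static const struct frag reordered[] = { {1480, 2000}, {0, 1000}, {2960, 0} };
static const struct frag tail_only[] = { {0, 0}, {1480, 2000} };

int main(void)
{
    printf("in_order:  #1=%u #2=%u\n", (unsigned)divert_offset_zero(in_order, 3),
           (unsigned)divert_first_match(in_order, 3));
    printf("reordered: #1=%u #2=%u\n", (unsigned)divert_offset_zero(reordered, 3),
           (unsigned)divert_first_match(reordered, 3));
    printf("tail_only: #1=%u #2=%u\n", (unsigned)divert_offset_zero(tail_only, 2),
           (unsigned)divert_first_match(tail_only, 2));
    return 0;
}
```

Under #1 the result is the same for `in_order` and `reordered`, because it depends only on the fragment that carries the headers; under #2 it follows arrival order.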
