Date:      Tue, 17 Mar 2009 23:02:48 +0100
From:      Paolo Pisati <p.pisati@oltrelinux.com>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        freebsd-ipfw@FreeBSD.org, Dmitriy Demidov <dima_bsd@inbox.lv>, Alex Dupre <ale@FreeBSD.org>
Subject:   Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID:  <49C01E08.9050709@oltrelinux.com>
In-Reply-To: <20090317190123.GB89417@onelab2.iet.unipi.it>
References:  <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com> <20090317190123.GB89417@onelab2.iet.unipi.it>

Luigi Rizzo wrote:
>
> Thinking more about it, i believe that calling reass as an explicit
> firewall action is useless, because if ip_reass fails due to lack of
> all fragments you are back to square one:
> 	what do I do with this fragment ?
>   

AFAIK ip_reass() never fails: if it's the last fragment it reassembles
the packet and returns it, else it queues the fragment for later
reassembly.
And I guess we must extend IP fragment detection together with the reass
action, because 'frag' matches only packets with a non-zero offset
(aka not the first fragment).

bye,
P.
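An added illustration of the detection gap Paolo describes, not code from the thread or from ipfw: a 'frag'-style match keyed only on a non-zero offset never sees the first fragment (offset 0, MF set), while a check that also looks at the MF bit covers the whole fragment train. The header bytes are constructed here, and IP_MF/IP_OFFMASK follow the RFC 791 field layout rather than ipfw's own definitions.

```c
#include <stdint.h>
#include <string.h>

/* IPv4 flags/offset word (RFC 791): 3 flag bits, then a 13-bit offset in 8-byte units. */
#define IP_MF      0x2000   /* More Fragments */
#define IP_OFFMASK 0x1fff

enum frag_kind { NOT_FRAGMENTED, FIRST_FRAGMENT, MIDDLE_FRAGMENT, LAST_FRAGMENT };

/* Constructed sample: a minimal 20-byte IPv4/UDP header carrying the given flags/offset word. */
static void make_hdr(uint8_t *hdr, uint16_t off_field)
{
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                        /* version 4, IHL 5 */
    hdr[6] = (uint8_t)(off_field >> 8);   /* flags + offset, big-endian */
    hdr[7] = (uint8_t)(off_field & 0xff);
    hdr[9] = 17;                          /* protocol: UDP */
}

/* Read the flags/offset word back out of a raw header (bytes 6-7). */
static uint16_t ip_off_field(const uint8_t *hdr)
{
    return (uint16_t)((hdr[6] << 8) | hdr[7]);
}

/* The 'frag' match as the thread describes it: only a non-zero offset counts. */
int frag_offset_only(const uint8_t *hdr)
{
    return (ip_off_field(hdr) & IP_OFFMASK) != 0;
}

/* Extended match: non-zero offset OR MF set, so the first fragment is seen too. */
int frag_extended(const uint8_t *hdr)
{
    return (ip_off_field(hdr) & (IP_MF | IP_OFFMASK)) != 0;
}

/* Classify a packet by its position in a fragment train (or none at all). */
enum frag_kind classify_fragment(const uint8_t *hdr)
{
    uint16_t off = ip_off_field(hdr);
    int mf = (off & IP_MF) != 0;
    int offset = off & IP_OFFMASK;
    if (offset == 0) return mf ? FIRST_FRAGMENT : NOT_FRAGMENTED;
    return mf ? MIDDLE_FRAGMENT : LAST_FRAGMENT;
}

/* Helpers that take the raw flags/offset word, build the header, and evaluate it. */
enum frag_kind classify_word(uint16_t w) { uint8_t h[20]; make_hdr(h, w); return classify_fragment(h); }
int offset_only_word(uint16_t w)         { uint8_t h[20]; make_hdr(h, w); return frag_offset_only(h); }
int extended_word(uint16_t w)            { uint8_t h[20]; make_hdr(h, w); return frag_extended(h); }
```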