Date: Fri, 26 Jan 2001 21:00:54 +0100
From: mouss <usebsd@free.fr>
To: Archie Cobbs <archie@dellroad.org>, Alwyn Goodloe <agoodloe@gradient.cis.upenn.edu>
Cc: hackers@FreeBSD.ORG
Subject: packet redirection design problem [Divert Sockets & Fragmentation revisited]
Message-ID: <4.3.0.20010126202555.06e24350@pop.free.fr>
In-Reply-To: <200101261843.KAA09789@curve.dellroad.org>
References: <Pine.SOL.4.21.0101252258280.9067-100000@gradient.cis.upenn.edu>
"IP filtering engines" that do something to packets based on rule matching have a problem when fragmentation comes into play. In the case of a "packet redirector" such as divert, the problem is that only the first fragment will match the rule, if the rule uses ports or whatever info is contained in the payload.

The problem occurs if the packet (that should match) is subject to change by the engine (either redirection, NAT, blocking, ...).

IP Filter handles such situations with specific code. It would be a nice thing if this were added to the standard code so that packet filter writers do not need to add their own.

Any opinions?
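The fragmentation problem described in the message, shown in code. This is an added example written for this page; it is not code from the thread, from divert(4) or from IP Filter. It assumes a single hypothetical rule ("divert TCP to port 80"), constructed addresses 192.168.1.10 and 192.168.1.20, and a small fragment-state table keyed on (src, dst, IP id, proto) as one way a filter can carry the first fragment's verdict over to the later fragments, which have no transport header to match on. The constructed datagram is split into three fragments; the naive port-matching filter diverts only the first, the fragment-aware one diverts all three.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: constructed packets, hypothetical rule and fragment table. */
#define IP_MF      0x2000u   /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu   /* 13-bit fragment offset, in 8-byte units */
#define RULE_PROTO 6         /* hypothetical rule: divert TCP ... */
#define RULE_DPORT 80        /* ... to destination port 80 */
enum verdict { PASS = 0, DIVERT = 1 };

struct ipv4_hdr { uint8_t ihl, proto; uint16_t id, frag_off; int more_frags; uint32_t src, dst; };
struct frag_key { uint32_t src, dst; uint16_t id; uint8_t proto; int used; };
static struct frag_key frag_tab[16];  /* fragments whose first piece matched */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the IPv4 fields the filter needs; reject truncated or non-IPv4 input. */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_hdr *h) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    h->ihl = pkt[0] & 0x0f;
    if (h->ihl < 5 || (size_t)h->ihl * 4 > len) return -1;
    h->proto = pkt[9];
    h->id = be16(pkt + 4);
    uint16_t ff = be16(pkt + 6);
    h->more_frags = (ff & IP_MF) != 0;
    h->frag_off = ff & IP_OFFMASK;
    h->src = be32(pkt + 12);
    h->dst = be32(pkt + 16);
    return 0;
}

static struct frag_key *frag_lookup(const struct ipv4_hdr *h) {
    for (int i = 0; i < 16; i++)
        if (frag_tab[i].used && frag_tab[i].src == h->src && frag_tab[i].dst == h->dst
            && frag_tab[i].id == h->id && frag_tab[i].proto == h->proto)
            return &frag_tab[i];
    return NULL;
}
static void frag_remember(const struct ipv4_hdr *h) {
    for (int i = 0; i < 16; i++)
        if (!frag_tab[i].used) { frag_tab[i] = (struct frag_key){h->src, h->dst, h->id, h->proto, 1}; return; }
}

/* Naive filter: the port rule can only be evaluated where a TCP header exists,
   i.e. in the first fragment. Every later fragment falls through to PASS. */
static int naive_verdict(const uint8_t *pkt, size_t len) {
    struct ipv4_hdr h;
    if (parse_ipv4(pkt, len, &h) < 0 || h.proto != RULE_PROTO) return PASS;
    if (h.frag_off != 0) return PASS;                 /* no transport header here */
    size_t hl = (size_t)h.ihl * 4;
    if (len < hl + 4) return PASS;                    /* not even the TCP ports */
    return be16(pkt + hl + 2) == RULE_DPORT ? DIVERT : PASS;
}

/* Fragment-aware filter: remember a first fragment that matched and hand the
   same verdict to the remaining fragments of that datagram. */
static int fragaware_verdict(const uint8_t *pkt, size_t len) {
    struct ipv4_hdr h;
    if (parse_ipv4(pkt, len, &h) < 0) return PASS;
    if (h.frag_off != 0) {
        struct frag_key *k = frag_lookup(&h);
        if (!k) return PASS;                          /* first piece not seen (yet) */
        if (!h.more_frags) k->used = 0;               /* last fragment: free the slot */
        return DIVERT;
    }
    int v = naive_verdict(pkt, len);
    if (v == DIVERT && h.more_frags) frag_remember(&h);
    return v;
}

/* Build one constructed IPv4 fragment (checksum left zero, never sent on a wire). */
static size_t build_frag(uint8_t *buf, uint16_t id, uint16_t off8, int mf, const uint8_t *pl, size_t plen) {
    memset(buf, 0, 20);
    buf[0] = 0x45; buf[2] = (uint8_t)((20 + plen) >> 8); buf[3] = (uint8_t)(20 + plen);
    buf[4] = (uint8_t)(id >> 8); buf[5] = (uint8_t)id;
    uint16_t ff = (uint16_t)((mf ? IP_MF : 0) | (off8 & IP_OFFMASK));
    buf[6] = (uint8_t)(ff >> 8); buf[7] = (uint8_t)ff;
    buf[8] = 64; buf[9] = RULE_PROTO;
    memcpy(buf + 12, "\xc0\xa8\x01\x0a", 4);         /* 192.168.1.10 (constructed) */
    memcpy(buf + 16, "\xc0\xa8\x01\x14", 4);         /* 192.168.1.20 (constructed) */
    memcpy(buf + 20, pl, plen);
    return 20 + plen;
}

/* One TCP datagram to port 80 split into 3 fragments; returns how many are diverted. */
static int run_demo(int fragaware) {
    uint8_t seg[24] = {0x04, 0xd2, 0x00, 0x50};       /* sport 1234, dport 80, then data */
    uint8_t data[16] = {0}, buf[64];
    size_t n; int hits = 0;
    int (*f)(const uint8_t *, size_t) = fragaware ? fragaware_verdict : naive_verdict;
    n = build_frag(buf, 0x1234, 0, 1, seg, sizeof seg);   hits += f(buf, n);  /* off 0   */
    n = build_frag(buf, 0x1234, 3, 1, data, sizeof data); hits += f(buf, n);  /* off 24  */
    n = build_frag(buf, 0x1234, 5, 0, data, 8);           hits += f(buf, n);  /* off 40, last */
    return hits;
}

/* Edge case: a non-first fragment whose first piece was never seen is not diverted. */
static int orphan_fragment_passes(void) {
    uint8_t data[8] = {0}, buf[64];
    size_t n = build_frag(buf, 0x4321, 3, 1, data, sizeof data);
    return fragaware_verdict(buf, n) == PASS;
}

int main(void) {
    printf("naive filter diverted %d of 3 fragments\n", run_demo(0));
    printf("fragment-aware filter diverted %d of 3 fragments\n", run_demo(1));
    printf("orphan non-first fragment passes: %d\n", orphan_fragment_passes());
    return 0;
}
```

The state-table approach only works when the first fragment is seen before the others; fragments reordered in transit (or deliberately sent first-fragment-last) reach the filter with no entry to match and fall back to PASS, which is why a filter that must make a reliable per-datagram decision ends up reassembling fragments rather than just tracking them.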