cvs commit: src/sys/netinet ip_fw2.c

David Malone dwmalone at maths.tcd.ie
Tue May 16 01:29:18 PDT 2006


> Interesting - thanks for the pointer.  Unless every stack DTRT we can't
> use the flow_id, though - or we break otherwise legal connections.  In the
> given case we would open a state with SYN+flow_id and get a reply SYNACK+0
> which wouldn't hash the same as the SYN we sent out.  No matching state,
> no connection.

Indeed - we need to get into the position where almost all stacks
do the right thing before we can use the flow label as a key of any
sort in the firewalling process. If people have noticed problems
with this, I'd be interested in knowing which stacks are incriminated.

	David.
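
The failure discussed in this message, as an added example that is not part of the original mail or of the ipfw code: a toy state table whose key can optionally include the IPv6 flow label. All names (struct pkt, hash_key, state_match_reply, demo) are hypothetical, and the addresses, ports and label are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified state key; not the ipfw structures. */
struct pkt {
    uint8_t  src[16], dst[16];   /* IPv6 addresses */
    uint16_t sport, dport;
    uint32_t flow_label;         /* 20-bit IPv6 flow label */
};
#define NBUCKETS 64
static struct pkt state[NBUCKETS];
static int in_use[NBUCKETS];

/* XOR keeps the hash direction-independent, unless the two labels differ. */
static unsigned hash_key(const struct pkt *p, int use_label) {
    uint32_t h = (uint32_t)(p->sport ^ p->dport);
    for (int i = 0; i < 16; i++)
        h ^= (uint32_t)(p->src[i] ^ p->dst[i]) << (8 * (i % 4));
    if (use_label)
        h ^= p->flow_label & 0xFFFFF;
    return h % NBUCKETS;
}

/* Return 1 if r is the reverse direction of the state stored in its bucket. */
static int state_match_reply(const struct pkt *r, int use_label) {
    unsigned b = hash_key(r, use_label);
    const struct pkt *s = &state[b];
    if (!in_use[b] || memcmp(s->src, r->dst, 16) || memcmp(s->dst, r->src, 16))
        return 0;
    if (s->sport != r->dport || s->dport != r->sport)
        return 0;
    return !use_label || s->flow_label == r->flow_label;
}

/* Constructed sample: SYN leaves with label 0x12345, SYN-ACK carries reply_label. */
static int demo(int use_label, uint32_t reply_label) {
    struct pkt syn    = { {0x20,0x01,0x0d,0xb8,[15]=1}, {0x20,0x01,0x0d,0xb8,[15]=2}, 49152, 80, 0x12345 };
    struct pkt synack = { {0x20,0x01,0x0d,0xb8,[15]=2}, {0x20,0x01,0x0d,0xb8,[15]=1}, 80, 49152, reply_label };
    memset(in_use, 0, sizeof in_use);
    unsigned b = hash_key(&syn, use_label);   /* state opened by the outbound SYN */
    state[b] = syn;
    in_use[b] = 1;
    return state_match_reply(&synack, use_label);
}

int main(void) {
    printf("%d %d %d\n", demo(1, 0), demo(1, 0x12345), demo(0, 0));
    return 0;
}
```

The three calls in main() cover a peer that replies with label 0 while the label is part of the key, a peer that echoes the label, and a key that ignores the label.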