keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Luigi Rizzo rizzo at iet.unipi.it
Thu Apr 2 04:27:24 PDT 2009


On Thu, Apr 02, 2009 at 01:00:59PM +0200, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> >
> >Ok then we may have a plan:
> >
> >What you could do is implement REASS as an action (not as a microinstruction),
> >with the following behaviour:
> >
> >- if the packet is a complete one, the rule behaves as a "count"
> >  (i.e. the firewall continues with the next rule);
> >
> >- if the packet is a fragment and can be reassembled, the rule
> >  behaves as a "count" and the mbuf is replaced with the full packet;
> >
> >- if the packet is a fragment and cannot be reassembled, the
> >  rule behaves as a "drop" (i.e. processing stops)
> >  and the packet is swallowed by ipfw.
> >
> >This seems a useful behaviour, but it must be documented very
> >clearly because it is not completely intuitive. Perhaps we should
> >find a more descriptive name.
> >  
> committed yesterday in HEAD as "reass" action, and here is the 7.x 
> patch: http://people.freebsd.org/~piso/ipfw-reass-7x.diff

Good job.

Can you put a description in the manpage, especially on the
assumptions and side effects of the reass option?

E.g. as I read it,
+ you need to make sure that the fragments are not dropped before
  the 'reass' (so you cannot rely on port numbers to decide
  accept or deny). This is obvious but a very common mistake;
+ reass silently queues the fragment if it does not reass, so it
  opens up a bit of vulnerability. Again obvious, but people
  won't realise if they don't see the code.

cheers
luigi
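The rule-ordering point above (fragments must reach 'reass' before any rule that decides on port numbers, and queued fragments hold state) can be made concrete with a toy model. The following is an added illustration, not ipfw's code and not from the patch linked in the thread: rules are plain tuples, the reassembly bookkeeping is a constructed simplification (no overlap or timeout handling), and the fragment sizes are made up.

```python
"""Toy model of ipfw rule walking with a 'reass' action, as described in
the thread: complete packet -> acts like 'count'; reassemblable fragment ->
mbuf replaced by the full datagram; otherwise the fragment is swallowed.
Constructed example, not ipfw's own implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    proto: str
    dport: Optional[int]   # None on non-first fragments: no transport header
    frag_id: int = 0       # 0 means "not a fragment"
    frag_off: int = 0
    size: int = 0
    more: bool = False     # "more fragments" flag


def fragment(proto, dport, frag_id, sizes):
    """Split a datagram into fragments; only the first carries the port."""
    pkts, off = [], 0
    for i, sz in enumerate(sizes):
        pkts.append(Pkt(proto, dport if i == 0 else None, frag_id, off, sz,
                        i < len(sizes) - 1))
        off += sz
    return pkts


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.queue = {}    # frag_id -> fragments held waiting for reassembly

    def pending(self):
        """Fragments currently held: the state a sender can make us keep."""
        return sum(len(v) for v in self.queue.values())

    def _reass(self, pkt):
        """Return the packet to continue with, or None if it was swallowed."""
        if pkt.frag_id == 0:
            return pkt                      # complete packet: behaves as count
        frags = self.queue.setdefault(pkt.frag_id, [])
        frags.append(pkt)
        last = [f for f in frags if not f.more]
        first = [f for f in frags if f.frag_off == 0]
        if not last or not first:
            return None                     # queued silently
        total = last[0].frag_off + last[0].size
        if sum(f.size for f in frags) < total:
            return None                     # still missing pieces (toy check)
        del self.queue[pkt.frag_id]
        return Pkt(pkt.proto, first[0].dport, 0, 0, total, False)

    def process(self, pkt):
        for rule in self.rules:
            if rule[0] == "reass":
                pkt = self._reass(pkt)
                if pkt is None:
                    return "queued"         # processing stops, like a drop
                continue
            action, proto, port = rule
            if proto != "ip" and proto != pkt.proto:
                continue
            if port is not None and pkt.dport != port:
                continue  # a non-first fragment has no port: never matches
            return action
        return "deny"                       # implicit default


# Port check before reass: non-first fragments hit the deny rule first.
BAD = [("allow", "udp", 53), ("deny", "ip", None), ("reass",)]
# reass first: the port rule sees the reassembled datagram.
GOOD = [("reass",), ("allow", "udp", 53), ("deny", "ip", None)]


def run(rules, pkts):
    fw = Firewall(rules)
    return [fw.process(p) for p in pkts], fw.pending()


if __name__ == "__main__":
    frags = fragment("udp", 53, 7, [1480, 1480, 300])   # constructed sizes
    print("bad ordering :", run(BAD, frags))
    print("good ordering:", run(GOOD, frags))
    print("incomplete   :", run(GOOD, frags[:2]))       # state left behind
```

With the port rule ahead of reass only the first fragment (the one carrying the UDP header) is accepted and the rest are denied, so the datagram never arrives; with reass first the two leading fragments are queued and the third yields the full packet, which the port rule then allows. The third run shows the second caveat: a datagram that never completes leaves its fragments held in the queue.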
