keep-state rules inadequately handles big UDP packets or fragmented IP packets?

[Paolo Pisati]

Luigi Rizzo wrote:
> Can you put a description in the manpage especially on the
> assumptions and side effects of the reass option ?
>
> E.g. as i read it,
> + you need to make sure that the fragments are not dropped before
>   the 'reass' (so you cannot rely on port numbers to decide
>   accept or deny). This is obvious but a very common mistake;
> + reass silently queues the fragment if it does not reass, so it
>   opens up a bit of vulnerability. Again obvious, but people
>   won't realise if they don't see the code.
>   
someone else already pointed out that i should mention 
net.inet.ip.maxfrag*, i'll come up
with an updated man page later today.

-- 

bye,
P.