keep-state rules inadequately handle big UDP packets or fragmented IP packets?

Luigi Rizzo rizzo at iet.unipi.it
Sun Mar 15 02:56:50 PDT 2009


On Sun, Mar 15, 2009 at 12:38:37PM +0300, Sergey Matveychuk wrote:
> Dmitriy Demidov wrote:
> >Hi Luigi. Thank you for the answer.
> >It is a big "surprise" for me that reassembling of IP datagrams is done 
> >not *before* they go into the firewall, but *after* :(
> 
> But what's wrong with it? A fragment comes from the net, passes the firewall and 
> is stored. After we have all the fragments, the OS reassembles the packet and passes it 
> through the firewall again.

Currently we don't have a way to re-invoke the firewall after
reassembly. In fact, we should probably provide hooks before and
after reassembly, and use them in a configurable way.

cheers
luigi
