keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Dmitriy Demidov dima_bsd at inbox.lv
Tue Mar 17 11:33:20 PDT 2009


On Tuesday 17 March 2009, Paolo Pisati wrote:
> FYI i have a patch for ipfw nat that reassemble a packet before nat[*],
> but if the idea of an explicit packet reassembly action sounds good, i
> could move the code over there.
>
> [*] actually the patch is really simple, it's just a call to ip_reass()
> with some glue code, but nonetheless it could be used more globally.

It sounds like the thing I'm looking for! How hard would it be to make it?
If it is unacceptable to turn it on by default (for some reason, if any) then 
can it be implemented as an additional ipfw rule allowing one to turn it on/off 
when needed? Something like:
ipfw add 100 scrub-ip ip from any to me
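An added illustration, not code from this thread or from ipfw/FreeBSD: a small Python model of why a keep-state rule keyed on UDP ports cannot match any fragment but the first, and what a reassemble-before-match step (a toy stand-in for the ip_reass() call mentioned above) changes. Addresses and packet contents are constructed; the reassembler ignores fragment overlap and timeouts.

```python
import struct
from collections import defaultdict

def build_fragment(src, dst, ident, proto, payload, frag_off, more_frags):
    """Constructed IPv4 packet: 20-byte header (checksum 0) + payload; frag_off in bytes."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, proto, 0, src, dst) + payload

def parse(pkt):
    """Fields a fragment queue keys on, plus fragment offset, MF flag and payload."""
    ident, flags_frag, proto = struct.unpack("!HHxB", pkt[4:10])
    return {"key": (pkt[12:16], pkt[16:20], ident, proto), "more": bool(flags_frag & 0x2000),
            "off": (flags_frag & 0x1FFF) * 8, "payload": pkt[(pkt[0] & 0x0F) * 4:]}

def udp_ports(pkt):
    """What a per-packet stateful rule sees: ports only in the first fragment, else None."""
    f = parse(pkt)
    if f["key"][3] != 17 or f["off"] != 0 or len(f["payload"]) < 8:  # 17 = UDP
        return None
    return struct.unpack("!HH", f["payload"][:4])

class Reassembler:
    """Toy ip_reass() stand-in: whole datagram once all fragments of a key are present, else None."""
    def __init__(self):
        self.frags, self.total = defaultdict(dict), {}  # key -> {off: payload}; key -> length

    def feed(self, pkt):
        f = parse(pkt)
        key, q = f["key"], self.frags[f["key"]]
        q[f["off"]] = f["payload"]
        if not f["more"]:
            self.total[key] = f["off"] + len(f["payload"])  # last fragment fixes the length
        data, pos = b"", 0
        for off in sorted(q):  # a hole means we are still waiting
            if off != pos:
                return None
            data, pos = data + q[off], pos + len(q[off])
        if self.total.get(key) != pos:
            return None
        del self.frags[key], self.total[key]
        return build_fragment(*key, data, 0, False)

def demo():
    """Constructed 1208-byte UDP datagram split into two fragments, delivered out of order."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    udp = struct.pack("!HHHH", 53, 4000, 1208, 0) + b"A" * 1200
    first = build_fragment(src, dst, 0x1234, 17, udp[:1000], 0, True)
    second = build_fragment(src, dst, 0x1234, 17, udp[1000:], 1000, False)
    r = Reassembler()
    whole = r.feed(second) or r.feed(first)  # the last fragment alone cannot complete it
    return udp_ports(first), udp_ports(second), udp_ports(whole)
```

demo() returns the ports seen on the first fragment, None for the second, and the ports again once the datagram has been reassembled, which is the gap a per-fragment keep-state lookup falls into.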



More information about the freebsd-ipfw mailing list