keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Paolo Pisati
p.pisati at oltrelinux.com
Tue Mar 17 15:14:10 PDT 2009
Luigi Rizzo wrote:
>
> Thinking more about it, I believe that calling reass as an explicit
> firewall action is useless, because if ip_reass fails due to lack of
> all fragments you are back to square one:
> what do I do with this fragment?
>
AFAIK ip_reass() never fails: if it's the last fragment it reassembles
the packet and returns it, else it queues the fragment for later
reassembly.
And I guess we must extend IP fragment detection together with the reass
action, because 'frag' matches only packets with a non-zero offset
(aka not the first fragment).
bye,
P.
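The two points made in this exchange, that a "non-zero offset" fragment match never sees the first fragment (the only one carrying the UDP/TCP ports a keep-state rule needs), and that reassembly only yields a datagram once every piece has arrived and otherwise has to hold the fragment, are easy to see on constructed packets. The following is an added example and not code from the thread, ipfw or the FreeBSD kernel: it builds minimal IPv4 fragments with a hand-rolled header (checksum left at zero, which is fine offline), classifies each one, applies an offset-only match modelled on the 'frag' option as the post describes it, and feeds the fragments to a small reassembler that returns the datagram only when the pieces are contiguous and the last fragment is present. Names such as `classify`, `ipfw_frag_matches` and `Reassembler` are this example's own.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed example, not from the ipfw thread or FreeBSD: IPv4 fragment
# classification, an offset-only 'frag' match, and a minimal reassembler.

IP_MF = 0x2000        # "More Fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, carried in 8-byte units
IPV4_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def build_ipv4(src: bytes, dst: bytes, ident: int, proto: int,
               payload: bytes, mf: bool, off8: int) -> bytes:
    """Build a minimal IPv4 packet; off8 is the offset in 8-byte units.
    Header checksum is left at 0 because nothing here validates it."""
    total = 20 + len(payload)
    flags_off = (IP_MF if mf else 0) | (off8 & IP_OFFMASK)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, total, ident, flags_off,
                      64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fields a fragment-aware firewall has to look at."""
    (ver_ihl, _tos, total, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "id": ident, "proto": proto,
        "mf": bool(flags_off & IP_MF),
        "offset": (flags_off & IP_OFFMASK) * 8,   # byte offset in the datagram
        "payload": pkt[ihl:total],
    }


def classify(hdr: Dict) -> str:
    """'unfragmented', 'first', 'middle' or 'last' from MF and offset."""
    if hdr["offset"] == 0:
        return "first" if hdr["mf"] else "unfragmented"
    return "middle" if hdr["mf"] else "last"


def ipfw_frag_matches(hdr: Dict) -> bool:
    """The 'frag' option as the post describes it: non-zero offset only.
    A first fragment (MF set, offset 0) therefore never matches."""
    return hdr["offset"] != 0


class Reassembler:
    """Queue fragments per (src, dst, id, proto); hand back the datagram
    payload once the pieces cover it without holes and the last one (MF
    clear) is present. Incomplete datagrams simply stay queued."""

    def __init__(self) -> None:
        self.queues: Dict[Tuple, List[Tuple[int, bool, bytes]]] = {}

    def feed(self, pkt: bytes) -> Optional[bytes]:
        hdr = parse_ipv4(pkt)
        if classify(hdr) == "unfragmented":
            return hdr["payload"]
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        frags = self.queues.setdefault(key, [])
        frags.append((hdr["offset"], hdr["mf"], hdr["payload"]))
        frags.sort()
        expected = 0
        for off, mf, data in frags:
            if off != expected:          # hole: still waiting for a piece
                return None
            expected = off + len(data)
            if not mf:                   # last fragment reached with no holes
                del self.queues[key]
                return b"".join(d for _, _, d in frags)
        return None                      # last fragment not seen yet


def demo():
    """A 24-byte UDP payload split into three 8-byte fragments (constructed)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = bytes(range(24))
    frags = [
        build_ipv4(src, dst, 0x1234, 17, payload[0:8], mf=True, off8=0),
        build_ipv4(src, dst, 0x1234, 17, payload[8:16], mf=True, off8=1),
        build_ipv4(src, dst, 0x1234, 17, payload[16:24], mf=False, off8=2),
    ]
    kinds = [classify(parse_ipv4(f)) for f in frags]
    frag_hits = [ipfw_frag_matches(parse_ipv4(f)) for f in frags]
    r = Reassembler()
    results = [r.feed(f) for f in frags]
    return kinds, frag_hits, results


if __name__ == "__main__":
    kinds, hits, results = demo()
    print("kinds:", kinds)
    print("'frag' matches:", hits)
    print("reassembled after each fragment:", [x is not None for x in results])
```

Running it shows the first fragment classified as `first` but not matched by the offset-only check, while the reassembler returns `None` for the first two fragments and the full 24-byte payload only after the third, which is the behaviour of "queue it for later reassembly" rather than a failure. Feeding the fragments out of order gives the same final result once the hole is filled.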