keep-state rules inadequately handle big UDP packets or fragmented IP packets?
Luigi Rizzo
rizzo at iet.unipi.it
Tue Mar 17 15:29:50 PDT 2009
On Tue, Mar 17, 2009 at 11:02:48PM +0100, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> >
> >Thinking more about it, i believe that calling reass as an explicit
> >firewall action is useless, because if ip_reass fails due to lack of
> >all fragments you are back to square one:
> > what do I do with this fragment ?
> >
>
> AFAIK ip_reass() never fails: if it's the last fragment it reassembles
> the packet and returns it, else it queues the fragment for later
> reassembly.
Ok then we may have a plan:
what you could do is implement REASS as an action (not as a microinstruction),
with the following behaviour:
- if the packet is a complete one, the rule behaves as a "count"
(i.e. the firewall continues with the next rule);
- if the packet is a fragment and can be reassembled, the rule
behaves as a "count" and the mbuf is replaced with the full packet;
- if the packet is a fragment and cannot be reassembled, the
rule behaves as a "drop" (i.e. processing stops)
and the packet is swallowed by ipfw.
This seems a useful behaviour, but it must be documented very
clearly because it is not completely intuitive. Perhaps we should
find a more descriptive name.
Good progress!
cheers
luigi
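The three-way behaviour sketched in the message above, modelled as an added example; this is not ipfw code, and the `Fragment` type, the `ReassAction` class and the byte-offset fragment queue are assumptions standing in for the kernel's mbuf and ip_reass() machinery.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """Constructed stand-in for an IP fragment (assumption, not an mbuf)."""
    ip_id: int      # IP identification, shared by all fragments of one datagram
    offset: int     # fragment offset in bytes
    more: bool      # "more fragments" (MF) flag
    data: bytes


class ReassAction:
    """Model of the proposed REASS rule action (assumption, not ipfw's code).

    apply() returns ("count", packet) when processing should continue with
    the next rule, or ("drop", None) when processing stops here.
    """

    def __init__(self):
        self.queues = {}  # ip_id -> {offset: Fragment} seen so far

    def apply(self, frag):
        # Case 1: a complete datagram behaves like "count".
        if frag.offset == 0 and not frag.more:
            return "count", frag.data
        q = self.queues.setdefault(frag.ip_id, {})
        q[frag.offset] = frag  # duplicates at the same offset just overwrite
        full = self._try_reassemble(q)
        if full is None:
            # Case 3: fragment still incomplete. The fragment stays queued
            # (ip_reass never fails), but this packet is swallowed: "drop".
            return "drop", None
        # Case 2: reassembled; the mbuf is replaced with the full packet, "count".
        del self.queues[frag.ip_id]
        return "count", full

    @staticmethod
    def _try_reassemble(q):
        frags = [q[off] for off in sorted(q)]
        if frags[-1].more:       # no last fragment yet
            return None
        buf, expected = b"", 0
        for f in frags:          # coverage must be contiguous from offset 0
            if f.offset != expected:
                return None
            buf += f.data
            expected += len(f.data)
        return buf
```

Fragments arriving out of order are held until the last one and all gaps are present, so only the packet that completes the datagram ever reaches the following rules.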