keep-state rules inadequately handles big UDP
packets or fragmented IP packets?
Julian Elischer
julian at elischer.org
Tue Mar 17 15:39:38 PDT 2009
Luigi Rizzo wrote:
> On Tue, Mar 17, 2009 at 11:02:48PM +0100, Paolo Pisati wrote:
>> Luigi Rizzo wrote:
>>> Thinking more about it, i believe that calling reass as an explicit
>>> firewall action is useless, because if ip_reass fails due to lack of
>>> all fragments you are back to square one:
>>> what do I do with this fragment ?
>>>
>> AFAIK ip_reass() never fails: if it's the last fragment it reassembles
>> the packet and return it, else it queues the fragment for later
>> reassembly.
>
> Ok then we may have a plan:
>
> you could do is implement REASS as an action (not as a microinstruction),
> with the following behaviour:
>
> - if the packet is a complete one, the rule behaves as a "count"
> (i.e. the firewall continues with the next rule);
>
> - if the packet is a fragment and can be reassembled, the rule
> behaves as a "count" and the mbuf is replaced with the full packet;
>
> - if the packet is a fragment and cannot be reassembled, the
> rule behaves as a "drop" (i.e. processing stops)
> and the packet is swallowed by ipfw.
>
> This seems a useful behaviour, but it must be documented very
> clearly because it is not completely intuitive. Perhaps we should
> find a more descriptive name.
So what is the behaviour when you reassemble a 5K packet,
and then it has to be forwarded out another interface with 1500 MTU.
>
> Good progress!
>
> cheers
> luigi
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
More information about the freebsd-ipfw
mailing list