keep-state rules inadequately handle big UDP packets or fragmented IP packets?

Julian Elischer julian at elischer.org
Wed Mar 18 08:52:42 PDT 2009


Luigi Rizzo wrote:
> On Tue, Mar 17, 2009 at 03:39:45PM -0700, Julian Elischer wrote:
> ...
>>> Ok then we may have a plan:
>>>
>>> what you could do is implement REASS as an action (not as a microinstruction),
>>> with the following behaviour:
>>>
>>> - if the packet is a complete one, the rule behaves as a "count"
>>>  (i.e. the firewall continues with the next rule);
>>>
>>> - if the packet is a fragment and can be reassembled, the rule
>>>  behaves as a "count" and the mbuf is replaced with the full packet;
>>>
>>> - if the packet is a fragment and cannot be reassembled, the
>>>  rule behaves as a "drop" (i.e. processing stops)
>>>  and the packet is swallowed by ipfw.
>>>
>>> This seems a useful behaviour, but it must be documented very
>>> clearly because it is not completely intuitive. Perhaps we should
>>> find a more descriptive name.
>> So what is the behaviour when you reassemble a 5K packet,
>> and then it has to be forwarded out another interface with 1500 MTU.
> 
> Good point. One option would be that when REASS is called from the
> output path, it always acts as "count" and never calls ip_reass()
> 
> Would that work? The firewall in the output path is called before
> fragment, locally generated packets are not fragmented, and if you
> don't want stray fragments you should have already called "reass"
> in the inbound path through the firewall?

yeah but what if you reassemble on input, and then the packet is routed?

> 
> cheers
> luigi
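The three cases of the proposed "reass" action, Luigi's output-path refinement, and the re-fragmentation a forwarded datagram would need (Julian's 5K packet on a 1500 MTU link), modelled as an added example that is not code from this thread or from ipfw. `Pkt`, `Reassembler`, `reass_action` and `fragment` are illustrative names; the model keeps payloads only, with no IP header parsing.

```python
# Added example, not code from the thread or from ipfw: a model of the proposed
# "reass" action and of the re-fragmentation a forwarded datagram would need.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Pkt:
    src: str
    dst: str
    ident: int
    offset: int        # byte offset of this payload (real IP headers count 8-byte units)
    more: bool         # IP "more fragments" flag
    payload: bytes

    def is_fragment(self) -> bool:
        return self.more or self.offset > 0

@dataclass
class Reassembler:
    # per-datagram queue: (src, dst, id) -> {offset: (more, payload)}
    queues: Dict[Tuple[str, str, int], Dict[int, Tuple[bool, bytes]]] = field(default_factory=dict)

    def feed(self, p: Pkt) -> Optional[Pkt]:
        """Queue a fragment; return the whole datagram once every piece is present."""
        key = (p.src, p.dst, p.ident)
        q = self.queues.setdefault(key, {})
        q[p.offset] = (p.more, p.payload)
        expected, offs = 0, sorted(q)
        for off in offs:                     # pieces must be contiguous from offset 0
            if off != expected:
                return None
            expected += len(q[off][1])
        if q[offs[-1]][0]:                   # highest piece still has MF set: tail missing
            return None
        del self.queues[key]
        return Pkt(p.src, p.dst, p.ident, 0, False, b"".join(q[o][1] for o in offs))

COUNT, DROP = "count", "drop"

def reass_action(r: Reassembler, p: Pkt, output_path: bool) -> Tuple[str, Optional[Pkt]]:
    """Whole packets, and anything on the output path, count and continue; a fragment
    that completes a datagram is replaced by it; an incomplete one is swallowed."""
    if output_path or not p.is_fragment():
        return COUNT, p
    full = r.feed(p)
    return (COUNT, full) if full is not None else (DROP, None)

def fragment(p: Pkt, mtu: int, hdr: int = 20) -> List[Pkt]:
    """Split a datagram for an outgoing link, as ip_output would after the firewall."""
    step = (mtu - hdr) // 8 * 8              # all but the last payload are 8-byte multiples
    chunks = [p.payload[i:i + step] for i in range(0, len(p.payload), step)]
    return [Pkt(p.src, p.dst, p.ident, i * step, i < len(chunks) - 1, c) for i, c in enumerate(chunks)]
```

Feeding the fragments of a 5000-byte datagram through `reass_action` on the input path yields "drop" for every piece but the completing one, which comes back as the whole datagram; the same fragments on the output path are passed through untouched.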
