keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Luigi Rizzo rizzo at iet.unipi.it
Wed Mar 18 09:10:41 PDT 2009


On Wed, Mar 18, 2009 at 08:52:18AM -0700, Julian Elischer wrote:
> Luigi Rizzo wrote:
> >On Tue, Mar 17, 2009 at 03:39:45PM -0700, Julian Elischer wrote:
> >...
> >>>Ok then we may have a plan:
> >>>
> >>>you could do is implement REASS as an action (not as a microinstruction),
> >>>with the following behaviour:
> >>>
> >>>- if the packet is a complete one, the rule behaves as a "count"
> >>> (i.e. the firewall continues with the next rule);
> >>>
> >>>- if the packet is a fragment and can be reassembled, the rule
> >>> behaves as a "count" and the mbuf is replaced with the full packet;
> >>>
> >>>- if the packet is a fragment and cannot be reassembled, the
> >>> rule behaves as a "drop" (i.e. processing stops)
> >>> and the packet is swallowed by ipfw.
> >>>
> >>>This seems a useful behaviour, but it must be documented very
> >>>clearly because it is not completely intuitive. Perhaps we should
> >>>find a more descriptive name.
> >>So what is the behaviour when you reassemble a 5K packet,
> >>and then it has to be forwarded out another interface with 1500 MTU.
> >
> >Good point. One option would be that when REASS is called from the
> >output path, it always acts as "count" and never calls ip_reass().
> >
> >Would that work? The firewall in the output path is called before
> >fragment, locally generated packets are not fragmented, and if you
> >don't want stray fragments you should have already called "reass"
> >in the inbound path through the firewall?
> 
> yeah but what if you reassemble on input, and then the packet is routed?

it should work -- ip_output() gets the full packet,
the firewall is called on line 441 before
ip_fragment() which is on line 568.

cheers
luigi
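As an added illustration of the three REASS behaviours listed in the quoted proposal and of the "count only on the output path" suggestion, here is a constructed C model; it is not ipfw's code, keeps state for a single in-flight datagram, uses byte offsets, and the names `ipfw_reass`, `reass_ctx` and `fw_dir` are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the proposed REASS action; not ipfw code. */
enum reass_result { REASS_COUNT, REASS_COUNT_REPLACED, REASS_DROP };
enum fw_dir { DIR_IN, DIR_OUT };

/* One fragment as seen by the rule; off is in bytes here
 * (the real IP header stores it in 8-byte units). */
struct frag { uint16_t id; uint32_t off; uint32_t len; bool more; const uint8_t *data; };

/* Reassembly state for one in-flight datagram (stand-in for ip_reass()). */
struct reass_ctx {
    bool active, total_known; uint16_t id; size_t total;
    uint8_t buf[65536]; uint8_t have[65536];
};

enum reass_result ipfw_reass(struct reass_ctx *c, enum fw_dir dir, const struct frag *f,
                             uint8_t *out, size_t *outlen)
{
    /* Complete packet: the rule is a plain "count", processing continues. */
    if (f->off == 0 && !f->more) return REASS_COUNT;
    /* Output path: never reassemble, so an already reassembled packet is
     * split by ip_fragment() after the firewall, not handled here. */
    if (dir == DIR_OUT) return REASS_COUNT;
    if ((size_t)f->off + f->len > sizeof c->buf) return REASS_DROP;
    if (!c->active || c->id != f->id) {          /* new datagram: reset state */
        memset(c->have, 0, sizeof c->have);
        c->active = true; c->total_known = false; c->id = f->id;
    }
    memcpy(c->buf + f->off, f->data, f->len);
    memset(c->have + f->off, 1, f->len);
    if (!f->more) { c->total = f->off + f->len; c->total_known = true; }
    /* Not yet reassemblable: ipfw swallows the fragment and stops here. */
    if (!c->total_known) return REASS_DROP;
    for (size_t i = 0; i < c->total; i++)
        if (!c->have[i]) return REASS_DROP;
    /* All pieces present: hand back the full datagram in place of the mbuf. */
    memcpy(out, c->buf, c->total);
    *outlen = c->total;
    c->active = false;
    return REASS_COUNT_REPLACED;
}
```

The "drop" result is the normal in-flight case for a partial datagram, not an error: ipfw keeps the fragment and stops rule processing until the last piece arrives.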

