From: Luigi Rizzo
To: Paolo Pisati
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov, Alex Dupre
Date: Tue, 17 Mar 2009 20:01:23 +0100
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <20090317190123.GB89417@onelab2.iet.unipi.it>
In-Reply-To: <49BFB9B2.9090909@oltrelinux.com>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com>

On Tue, Mar 17, 2009 at 03:54:42PM +0100, Paolo Pisati wrote:
> Alex Dupre wrote:
> >Luigi Rizzo wrote:
> >>it is not related to dynamic rules, but to the fact that
> >>the firewall is called before reassembling packets.
> >>The info (port numbers especially) is not available
> >>in the fragments so the firewall cannot do anything.
> >>The only solution would be to call the firewall
> >>after reassembly. I am not sure if there is any work in progress
> >>for that.
> >
> >FWIW pf has "traffic normalization" feature ("scrub" keyword), that
> >reassembles packets before inspection. Unfortunately, it works with
> >IPv4 packets, but lacks IPv6 support.
>
> FYI I have a patch for ipfw nat that reassembles a packet before nat[*],
> but if the idea of an explicit packet reassembly action sounds good, I
> could move the code over there.
>
> [*] actually the patch is really simple, it's just a call to ip_reass()
> with some glue code, but nonetheless it could be used more globally.

Thinking more about it, I believe that calling reass as an explicit
firewall action is useless, because if ip_reass fails due to lack of
all fragments you are back to square one: what do I do with this
fragment? And the answer can only be the same that you would implement
without the mechanism: unconditionally accept all fragments past the
first one, and do the actual filtering on the first fragment. If you
drop the fragments, you would be unable to rebuild the full packet.

The only thing that would actually make a difference, I believe, is
the ability to call the firewall after ip_reass() instead of just
before (of course you'd need some microinstruction to check who is
calling you, and make different decisions in the various cases).

cheers
luigi
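The per-fragment dilemma described in the thread, as an added illustration that is not part of the mail or of the ipfw/ip_reass() code: a constructed UDP datagram is split into IPv4 fragments, a toy filter that runs before reassembly can only apply a port rule to the offset-0 fragment and has to pass every later one, and a minimal reassembler returns nothing until all fragments are present. All function names, addresses and packet values are assumed or constructed for the example.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)

def build_udp_fragments(src, dst, ident, sport, dport, data, frag_size=16):
    # Constructed sample traffic: one UDP datagram split into IPv4 fragments.
    # frag_size must be a multiple of 8 (fragment offsets count 8-byte units).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    frags = []
    for off in range(0, len(udp), frag_size):
        chunk = udp[off:off + frag_size]
        more = 0x2000 if off + frag_size < len(udp) else 0   # MF flag
        hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(chunk), ident, more | (off // 8),
                          64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(hdr + chunk)
    return frags

def parse(pkt):
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "mf": bool(flags_off & 0x2000),
            "offset": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:total]}

def firewall(pkt, allowed_dports):
    # Per-fragment decision, as a filter running before ip_reass() must make it:
    # only the offset-0 fragment carries the UDP header, so the port rule is
    # checked there; later fragments must be passed or the datagram is never rebuilt.
    h = parse(pkt)
    if h["offset"] != 0:
        return "pass"
    if h["proto"] != 17 or len(h["payload"]) < 8:
        return "deny"
    _sport, dport = struct.unpack("!HH", h["payload"][:4])
    return "pass" if dport in allowed_dports else "deny"

def reassemble(frags):
    # Minimal ip_reass()-style join: the datagram comes back only once every
    # fragment of the same IP ID is present and contiguous; otherwise None,
    # which is the "back to square one" case for a reassemble-as-action.
    parts = sorted((parse(f) for f in frags), key=lambda h: h["offset"])
    expected = 0
    for h in parts:
        if h["ident"] != parts[0]["ident"] or h["offset"] != expected:
            return None
        expected += len(h["payload"])
    if not parts or parts[-1]["mf"]:
        return None
    return b"".join(h["payload"] for h in parts)
```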