Date:      Tue, 17 Mar 2009 20:01:23 +0100
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Paolo Pisati <p.pisati@oltrelinux.com>
Cc:        freebsd-ipfw@FreeBSD.org, Dmitriy Demidov <dima_bsd@inbox.lv>, Alex Dupre <ale@FreeBSD.org>
Subject:   Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID:  <20090317190123.GB89417@onelab2.iet.unipi.it>
In-Reply-To: <49BFB9B2.9090909@oltrelinux.com>
References:  <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com>

On Tue, Mar 17, 2009 at 03:54:42PM +0100, Paolo Pisati wrote:
> Alex Dupre wrote:
> >Luigi Rizzo ha scritto:
> >>it is not related to dynamic rules, but to the fact that
> >>the firewall is called before reassembling packets.
> >>The info (port numbers especially) is not available
> >>in the fragments so the firewall cannot do anything.
> >>The only solution would be to call the firewall
> >>after reassembly. I am not sure if there is any work in progress
> >>for that.
> >
> >FWIW pf has "traffic normalization" feature ("scrub" keyword), that 
> >reassembles packets before inspection. Unfortunately, it works with 
> >IPv4 packets, but lacks IPv6 support.
> >
> FYI i have a patch for ipfw nat that reassemble a packet before nat[*], 
> but if the idea of an explicit packet reassembly action sounds good, i 
> could move the code over there.
> 
> [*] actually the patch is really simple, it's just a call to ip_reass() 
> with some glue code, but nonetheless it could be used more globally.

Thinking more about it, I believe that calling reass as an explicit
firewall action is useless, because if ip_reass fails due to lack of
all fragments you are back to square one:
	what do I do with this fragment ?
And the answer can only be the same that you would implement
without the mechanism: unconditionally accept all fragments past
the first one, and do the actual filtering on the first fragment.
If you drop the fragments, you would be unable to rebuild the
full packet.

The only thing that would actually make a difference, I believe,
is the ability to call the firewall after ip_reass() instead
of just before (of course you'd need some microinstruction to
check who is calling you, and make different decisions in
the various cases).

	cheers
	luigi
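The argument above (only the first fragment carries the transport header, so a firewall that runs before ip_reass() can filter the first fragment and has to accept the rest blindly, while a firewall that runs after reassembly can only decide once every fragment is there) as an added, self-contained example. This is illustrative code written for this page, not code from ipfw, pf or anyone in the thread; the addresses, ports, MTU, IP ID and payload are constructed, and the reassembler is a toy stand-in for ip_reass() that models nothing but the "all fragments present or not" outcome.

```python
"""Added example (not code from the thread or from ipfw): why a firewall that
runs before IP reassembly can only filter the first fragment of a datagram.

Builds a UDP datagram, fragments it the way an IPv4 sender would, and shows
(1) only the offset-0 fragment carries the UDP ports, (2) the pre-reassembly
policy described in the mail: filter the first fragment, accept the rest, and
(3) filtering after a toy ip_reass()-style reassembly, which can only decide
once every fragment has arrived. All addresses, ports and payload are made up."""
import struct

IP_MF = 0x2000        # "more fragments" flag
IP_OFFMASK = 0x1FFF   # fragment offset, in 8-byte units
IPPROTO_UDP = 17

def ipv4_header(src, dst, proto, ident, flags_off, payload_len):
    # Minimal 20-byte IPv4 header; header checksum left 0 (not needed here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0, src, dst)

def udp_datagram(sport, dport, payload):
    # UDP header with checksum 0 (permitted for IPv4 UDP) followed by payload.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(src, dst, proto, transport, mtu, ident):
    """Split one transport-layer PDU into IPv4 fragments that fit `mtu`."""
    chunk = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(transport), chunk):
        data = transport[off:off + chunk]
        more = IP_MF if off + chunk < len(transport) else 0
        frags.append(ipv4_header(src, dst, proto, ident,
                                 more | (off // 8), len(data)) + data)
    return frags

def parse_ipv4(pkt):
    (vihl, _tos, total, ident, flags_off, _ttl, proto,
     _ck, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": src, "dst": dst, "proto": proto, "id": ident,
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8, "data": pkt[ihl:total]}

def udp_ports(frag):
    """Ports are visible only in the first fragment; later ones have no L4 header."""
    if frag["proto"] == IPPROTO_UDP and frag["offset"] == 0 and len(frag["data"]) >= 4:
        return struct.unpack("!HH", frag["data"][:4])
    return None

def filter_before_reass(pkts, allowed_dport):
    """Per-fragment decision with the information a pre-reassembly firewall has.
    First fragment: match on ports. Other fragments: must be accepted blindly,
    otherwise the receiver could never reassemble a datagram we had allowed."""
    out = []
    for p in pkts:
        f = parse_ipv4(p)
        ports = udp_ports(f)
        if f["offset"] != 0:
            out.append("accept-blind")
        elif ports is not None and ports[1] == allowed_dport:
            out.append("accept")
        else:
            out.append("deny")
    return out

def reassemble(pkts):
    """Toy ip_reass(): return the full transport PDU once every fragment of the
    datagram is present, else None (the fragments must be queued, not judged)."""
    frags = sorted((parse_ipv4(p) for p in pkts), key=lambda f: f["offset"])
    expected, data = 0, b""
    for f in frags:
        if f["offset"] != expected:
            return None            # hole in the sequence
        data += f["data"]
        expected += len(f["data"])
    return data if frags and not frags[-1]["mf"] else None

def filter_after_reass(pkts, allowed_dport):
    """Decision taken on the reassembled datagram, i.e. the firewall hook
    placed after ip_reass() that the mail says would actually make a difference."""
    pdu = reassemble(pkts)
    if pdu is None:
        return "incomplete"
    _sport, dport = struct.unpack("!HH", pdu[:4])
    return "accept" if dport == allowed_dport else "deny"
```

With a 3000-byte UDP payload and a 576-byte MTU the datagram becomes six fragments; `filter_before_reass` denies the first fragment of a flow to a port the rule does not allow but still lets the other five through, which is exactly the "unconditionally accept all fragments past the first one" behaviour the mail describes as unavoidable, whereas `filter_after_reass` gives one answer for the whole datagram but returns "incomplete" until every fragment is present.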



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090317190123.GB89417>