Date: Tue, 29 May 2007 13:57:21 +0900
From: JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
To: freebsd-net@freebsd.org
Subject: how ipfw2 handles fragmented packets
Message-ID: <m1zm3okz0u.wl%jinmei@isl.rdc.toshiba.co.jp>
Hello,

I have a question about how the ipfw2 implementation performs stateful operation for (IPv4/IPv6) fragmented packets. Is it possible to make a state for a flow and match that state against fragmented packets? As far as I can see from the source code (sys/netinet/ip_fw2.c) it seems impossible because the state matching done in lookup_dyn_rule_locked() only compares src/dst address/ports.

I'm also not sure whether the routine that follows IPv6 extension headers in ipfw_chk() is correct. It continues the processing after seeing a fragment header regardless of the offset value, but it should be meaningless except for the first fragment (which has 0 offset).

If I am missing something, could anyone point it out?

Thanks,

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp
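
The extension-header point raised in the message above, as an added example that is not part of the original post and is not ipfw code: a stand-alone walker that follows the IPv6 header chain and stops at a Fragment header whose offset is nonzero, because later fragments carry payload rather than an upper-layer header and so have no ports to match a state on. All names and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this sketch; none of this is taken from ip_fw2.c. */
enum walk_result { WALK_PORTS, WALK_NONFIRST_FRAG, WALK_NO_PORTS, WALK_TRUNCATED };
struct flow_ports { uint8_t proto; uint16_t sport, dport; };

/* buf: bytes that follow the fixed 40-byte IPv6 header; nxt: its Next Header. */
enum walk_result walk_ext_headers(const uint8_t *buf, size_t len, uint8_t nxt,
                                  struct flow_ports *fp)
{
    size_t off = 0, hlen;
    for (;;) {
        const uint8_t *h = buf + off;
        /* Only Hop-by-Hop, Routing, Fragment, Dest. Options, TCP, UDP are walked. */
        if (nxt != 0 && nxt != 43 && nxt != 44 && nxt != 60 && nxt != 6 && nxt != 17)
            return WALK_NO_PORTS;
        if (len - off < 8)
            return WALK_TRUNCATED;
        if (nxt == 6 || nxt == 17) {           /* ports are the first 4 bytes */
            fp->proto = nxt;
            fp->sport = (uint16_t)((h[0] << 8) | h[1]);
            fp->dport = (uint16_t)((h[2] << 8) | h[3]);
            return WALK_PORTS;
        }
        if (nxt == 44) {                       /* Fragment header, fixed 8 bytes */
            /* Offset is the top 13 bits of bytes 2-3; nonzero = not first. */
            if ((((h[2] << 8) | h[3]) & 0xfff8) != 0)
                return WALK_NONFIRST_FRAG;     /* what follows is payload */
            hlen = 8;
        } else {                               /* length in 8-byte units, minus 1 */
            hlen = ((size_t)h[1] + 1) * 8;
            if (len - off < hlen)
                return WALK_TRUNCATED;
        }
        nxt = h[0];
        off += hlen;
    }
}
/* Constructed sample: Hop-by-Hop -> Fragment (offset 0, M=1) -> UDP 4660 -> 53. */
static const uint8_t first_frag[] = {
    0x2c, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00,   /* hbh: nxt=44, PadN */
    0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,   /* frag: nxt=17, off=0 */
    0x12, 0x34, 0x00, 0x35, 0x05, 0xb0, 0x00, 0x00 }; /* UDP header */
/* Constructed sample: later fragment of the same datagram (offset 1448, M=0). */
static const uint8_t later_frag[] = {
    0x2c, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00,   /* hbh: nxt=44, PadN */
    0x11, 0x00, 0x05, 0xa8, 0x00, 0x00, 0x00, 0x01,   /* frag: nxt=17, off=1448 */
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x00, 0x00, 0x00 }; /* payload, not UDP */
int main(void)
{
    struct flow_ports fp = {0, 0, 0};
    printf("first=%d ", walk_ext_headers(first_frag, sizeof first_frag, 0, &fp));
    printf("later=%d\n", walk_ext_headers(later_frag, sizeof later_frag, 0, &fp));
    return 0;
}
```

A walker without the offset check would read `0xdead` and `0xbeef` from the later fragment as UDP ports, which is why a port-based state lookup has nothing valid to compare for that packet.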