Date: Tue, 13 Nov 2007 23:45:01 -0700 From: Curby <curby.public@gmail.com> To: freebsd-ipfw <freebsd-ipfw@freebsd.org> Subject: Fwd: Fragmented Packet Reassembly and IPFW2 Message-ID: <5d2f37910711132245n3e699b57i1746594462725a09@mail.gmail.com> In-Reply-To: <5d2f37910711132244w39e73eb0nb8d8ac460dd15fcd@mail.gmail.com> References: <5d2f37910711131439x56bb2028maa40b0475feffde4@mail.gmail.com> <opt1rk69dr4fjv08@nuclight.avtf.net> <5d2f37910711132244w39e73eb0nb8d8ac460dd15fcd@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Julian and Vadim, thank you both for your replies. Here's a really old quote: "The ip_input() routine in the kernel then dequeues the packet, performs sanity checks on the packet and determines the destination for the packet. If the destination is the local computer, the kernel will perform packet reassembly. " from http://usenix.net/events/bsdcon02/full_papers/lidl/lidl_html/index.html Also, this poster is less sure but suggests that this might happen: http://osdir.com/ml/freebsd.isp/2003-02/msg00091.html I also think that Linux iptables only sees reassembled packets (at least some of the time, e.g. when it is legitimate traffic destined for the host itself), so this isn't altogether wild and crazy. If in fact reassembly does not happen, I should remove that rule as frags will likely not match using a check-state rule because they lack tcp/udp header information. Is there a way in ipfw to allow frags that claim to be related to a known-good first frag but drop others? Something like check-state but for fragments 1 and above, in other words. The odd thing is that I didn't see any dropped packets in my logs or notice any disrupted traffic (e.g. in a web browser) before this conference, where frags were suddenly flying all over. Thanks again for your help! --Mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5d2f37910711132245n3e699b57i1746594462725a09>