From owner-freebsd-hackers Sun Aug 18 15:48:44 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA17878 for hackers-outgoing; Sun, 18 Aug 1996 15:48:44 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA17871 for ; Sun, 18 Aug 1996 15:48:42 -0700 (PDT)
Received: from rover.village.org (localhost [127.0.0.1]) by rover.village.org (8.7.5/8.6.6) with ESMTP id QAA01272; Sun, 18 Aug 1996 16:48:38 -0600 (MDT)
Message-Id: <199608182248.QAA01272@rover.village.org>
To: Poul-Henning Kamp
Subject: Which fragments to discard (was Re: ipfw vs ipfilter)
Cc: hackers@freebsd.org
In-reply-to: Your message of Sun, 18 Aug 1996 16:42:33 +0200
Date: Sun, 18 Aug 1996 16:48:37 -0600
From: Warner Losh
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Poul-Henning Kamp writes:
: This is a common mistake, only offset==1 needs to be discarded.

Hmmm, since there are no comments in ip_fw.c as to why only offset 1 is a problem, I'll have to ask here. Why is that? A quick look at Stephens[*] shows that offset 2 could be used to rewrite the TCP flags, or, if you have IP options, that you can pad things such that even the TCP ports get overwritten. What have I missed?

Warner

[*] Stephens isn't good at explaining exactly what the ip_off is, but glosses over this detail, so maybe some of my thick-headedness on this comes from that gloss.
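The fragment check under discussion, written out as an added example (this is not code from ip_fw.c, ipfilter, or anyone on this thread). It applies the two rules from RFC 1858: drop a TCP fragment whose offset is 1, and drop a first fragment (offset 0, MF set) whose transport payload is shorter than a minimum. The reason offset 1 is the one that matters for the flags: the offset counts 8-byte units from the start of the IP payload, so offset 0 covers TCP bytes 0-7 (ports, sequence number), offset 1 covers bytes 8-15 (ack number, data offset, flags, window), and offset 2 covers bytes 16-23 (checksum, urgent pointer, start of options). The header length from IHL is used to find the transport payload, so the presence of IP options does not change which TCP bytes a given offset lands on. The minimum first-fragment length of 20 bytes is this example's own policy value, and the packet builder constructs synthetic fragments without checksums purely for exercising the filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frag_verdict {
    FRAG_PASS = 0,          /* let the packet through to the rule set */
    FRAG_DROP_OFFSET1 = 1,  /* fragment would overwrite TCP bytes 8-15 (flags live at 12-13) */
    FRAG_DROP_TINY = 2,     /* first fragment too short to carry the fields a filter inspects */
    FRAG_MALFORMED = 3      /* not a parseable IPv4 packet */
};

#define PROTO_TCP 6
/* Example policy value (not from the page): a first fragment must carry at
 * least a full basic TCP header so ports and flags are present for filtering. */
#define TCP_MIN_FIRST_FRAG 20

/* 13-bit fragment offset in 8-byte units, from bytes 6-7 of the IP header. */
static uint16_t ip_frag_offset(const uint8_t *pkt)
{
    return (uint16_t)(((pkt[6] & 0x1f) << 8) | pkt[7]);
}

/* More Fragments flag is bit 5 of byte 6. */
static int ip_more_fragments(const uint8_t *pkt)
{
    return (pkt[6] & 0x20) != 0;
}

/* Classify one raw IPv4 packet of 'len' bytes. */
int fragment_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length incl. options */
    size_t total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total < ihl || total > len)
        return FRAG_MALFORMED;

    uint8_t proto = pkt[9];
    uint16_t off = ip_frag_offset(pkt);
    int mf = ip_more_fragments(pkt);
    size_t transport_len = total - ihl;        /* bytes of TCP header/data in this fragment */

    if (proto != PROTO_TCP)
        return FRAG_PASS;                      /* rules here only concern TCP */
    if (off == 1)
        return FRAG_DROP_OFFSET1;              /* RFC 1858 overlapping-fragment rule */
    if (off == 0 && mf && transport_len < TCP_MIN_FIRST_FRAG)
        return FRAG_DROP_TINY;                 /* RFC 1858 tiny-fragment rule */
    return FRAG_PASS;
}

/* Build a constructed IPv4 fragment (no options, zero checksum) for testing.
 * Returns the packet length written, or 0 if it does not fit. */
size_t build_frag(uint8_t *buf, size_t cap, uint8_t proto, uint16_t off, int mf, size_t payload_len)
{
    size_t total = 20 + payload_len;
    if (total > cap || total > 0xffff || off > 0x1fff)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                              /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[6] = (uint8_t)((mf ? 0x20 : 0x00) | ((off >> 8) & 0x1f));
    buf[7] = (uint8_t)(off & 0xff);
    buf[8] = 64;                                /* TTL */
    buf[9] = proto;
    return total;
}

/* Convenience: build a synthetic fragment and classify it in one step. */
int verdict_for(uint8_t proto, uint16_t off, int mf, size_t payload_len)
{
    uint8_t buf[1500];
    size_t n = build_frag(buf, sizeof buf, proto, off, mf, payload_len);
    return n == 0 ? FRAG_MALFORMED : fragment_verdict(buf, n);
}

int main(void)
{
    static const char *names[] = { "pass", "drop(offset==1)", "drop(tiny first)", "malformed" };
    printf("TCP off=0 MF=0 len=40 : %s\n", names[verdict_for(PROTO_TCP, 0, 0, 40)]);
    printf("TCP off=1 MF=1 len=8  : %s\n", names[verdict_for(PROTO_TCP, 1, 1, 8)]);
    printf("TCP off=2 MF=1 len=8  : %s\n", names[verdict_for(PROTO_TCP, 2, 1, 8)]);
    printf("TCP off=0 MF=1 len=8  : %s\n", names[verdict_for(PROTO_TCP, 0, 1, 8)]);
    printf("UDP off=1 MF=1 len=8  : %s\n", names[verdict_for(17, 1, 1, 8)]);
    return 0;
}
```

The offset-2 fragment passes here because, at 8-byte granularity, it can only reach TCP bytes 16 onward, which is past the flags; a filter that also wants to protect the checksum or urgent pointer from being rewritten would extend the rule, but that goes beyond what the offset==1 rule is meant to cover.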