Date: Tue, 17 Mar 2009 20:33:09 +0200
From: Dmitriy Demidov <dima_bsd@inbox.lv>
To: Paolo Pisati <p.pisati@oltrelinux.com>
Cc: freebsd-ipfw@freebsd.org, Luigi Rizzo <rizzo@iet.unipi.it>, Alex Dupre <ale@freebsd.org>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <200903172033.09731.dima_bsd@inbox.lv>
In-Reply-To: <49BFB9B2.9090909@oltrelinux.com>
References: <200903132246.49159.dima_bsd@inbox.lv> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com>
On Tuesday 17 March 2009, Paolo Pisati wrote:
> FYI I have a patch for ipfw nat that reassembles a packet before nat[*],
> but if the idea of an explicit packet reassembly action sounds good, I
> could move the code over there.
>
> [*] actually the patch is really simple, it's just a call to ip_reass()
> with some glue code, but nonetheless it could be used more globally.

It sounds like the thing I'm looking for! How hard would it be to make it? If it is unacceptable to turn it on by default (for some reason, if any), then can it be implemented as an additional ipfw rule allowing it to be turned on/off when needed? Something like:

ipfw add 100 scrub-ip ip from any to me
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200903172033.09731.dima_bsd>
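The problem named in the subject line and the ip_reass()-style fix Paolo describes, as an added example that is not part of this thread and not ipfw's own code: a small Python model in which a keep-state lookup keyed on UDP ports can only ever match the first fragment of a datagram, and in which reassembling the fragments before the lookup (the equivalent of calling ip_reass() first) makes the whole datagram match. All addresses, packets and the state-table entry are constructed; the function and parameter names are this example's own.

```python
import struct

def parse_ipv4(pkt):
    """Return (src, dst, proto, ident, more_fragments, fragment_offset_bytes, payload)."""
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    more, offset = bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8
    return pkt[12:16], pkt[16:20], pkt[9], ident, more, offset, pkt[(pkt[0] & 0x0F) * 4:]

def ipv4_header(src, dst, ident, proto, flags_frag, payload_len):
    # Minimal 20-byte IPv4 header; the checksum is left zero, it plays no role here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0, src, dst)

def build_fragments(src, dst, ident, sport, dport, data, frag_size=16):
    """Constructed UDP datagram split into IPv4 fragments (offsets are in 8-byte units)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    frags = []
    for off in range(0, len(udp), frag_size):
        chunk = udp[off:off + frag_size]
        more = 0x2000 if off + frag_size < len(udp) else 0      # MF flag on all but the last
        frags.append(ipv4_header(src, dst, ident, 17, more | (off // 8), len(chunk)) + chunk)
    return frags

def matches_state(state, pkt):
    """keep-state lookup keyed on (src, sport, dst, dport); only the first fragment has ports."""
    src, dst, proto, _, _, offset, payload = parse_ipv4(pkt)
    if proto != 17 or offset != 0 or len(payload) < 8:
        return False
    sport, dport = struct.unpack("!HH", payload[:4])
    return (src, sport, dst, dport) in state

def reassemble(pending, pkt):
    """ip_reass()-like step: buffer by (src, dst, proto, id); return the whole datagram or None."""
    src, dst, proto, ident, more, offset, payload = parse_ipv4(pkt)
    key = (src, dst, proto, ident)
    entry = pending.setdefault(key, {"frags": {}, "total": None})
    entry["frags"][offset] = payload
    if not more:                                    # the last fragment fixes the total length
        entry["total"] = offset + len(payload)
    if entry["total"] is None or sum(map(len, entry["frags"].values())) != entry["total"]:
        return None
    body = b"".join(p for _, p in sorted(pending.pop(key)["frags"].items()))
    return ipv4_header(src, dst, ident, proto, 0, len(body)) + body

def demo():
    """Constructed scenario: a 40-byte UDP reply belonging to a flow already in the state table."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    state = {(src, 40000, dst, 53)}                 # installed by an earlier keep-state match
    frags, pending = build_fragments(src, dst, 0x1234, 40000, 53, b"A" * 40), {}
    return ([matches_state(state, f) for f in frags],                                  # [True, False, False]
            [matches_state(state, d) for f in frags if (d := reassemble(pending, f))])  # [True]
```

The toy reassembler accepts overlapping or duplicate fragments and never times out an incomplete datagram, checks that a real ip_reass() performs and that a scrub-style rule would have to keep.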