From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 17 18:33:20 2009 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 227541065679; Tue, 17 Mar 2009 18:33:20 +0000 (UTC) (envelope-from dima_bsd@inbox.lv) Received: from smtp6.apollo.lv (smtp6.apollo.lv [80.232.168.167]) by mx1.freebsd.org (Postfix) with ESMTP id C4C3F8FC12; Tue, 17 Mar 2009 18:33:19 +0000 (UTC) (envelope-from dima_bsd@inbox.lv) Received: from [87.110.84.86] (unknown [87.110.84.86]) by smtp6.apollo.lv (Postfix) with ESMTP id 4E548219EF; Tue, 17 Mar 2009 20:33:32 +0200 (EET) From: Dmitriy Demidov To: Paolo Pisati Date: Tue, 17 Mar 2009 20:33:09 +0200 User-Agent: KMail/1.9.10 References: <200903132246.49159.dima_bsd@inbox.lv> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com> In-Reply-To: <49BFB9B2.9090909@oltrelinux.com> MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200903172033.09731.dima_bsd@inbox.lv> X-Lattelecom-MailScanner-Information: Please contact the ISP for more information X-Lattelecom-MailScanner-ID: 4E548219EF.4BED5 X-Lattelecom-MailScanner: Found to be clean X-Lattelecom-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.901, required 5, BAYES_00 -2.60, RCVD_IN_PBL 0.91, RDNS_NONE 0.10, SPF_FAIL 0.69) X-Lattelecom-MailScanner-From: dima_bsd@inbox.lv X-Spam-Status: No Cc: freebsd-ipfw@freebsd.org, Luigi Rizzo , Alex Dupre Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Mar 2009 18:33:20 -0000 On Tuesday 17 March 2009, Paolo Pisati wrote: > FYI i have a patch for ipfw nat that reassemble a packet before nat[*], > but if the idea of an explicit packet reassembly action sounds good, i > could move the code over there. > > [*] actually the patch is really simple, it's just a call to ip_reass() > with some glue code, but nonetheless it could be used more globally. It's sounds like the thing I'm looking for! How hard it would be to make it? If it is unacceptable to turn it on by default (for some reasons, if any) then can it be implemented as additional ipfw rule allowing to turn him on/off when needed? Something like: ipfw add 100 scrub-ip ip from any to me