From owner-freebsd-ipfw@FreeBSD.ORG  Tue Mar 17 18:33:20 2009
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 227541065679;
	Tue, 17 Mar 2009 18:33:20 +0000 (UTC)
	(envelope-from dima_bsd@inbox.lv)
Received: from smtp6.apollo.lv (smtp6.apollo.lv [80.232.168.167])
	by mx1.freebsd.org (Postfix) with ESMTP id C4C3F8FC12;
	Tue, 17 Mar 2009 18:33:19 +0000 (UTC)
	(envelope-from dima_bsd@inbox.lv)
Received: from [87.110.84.86] (unknown [87.110.84.86])
	by smtp6.apollo.lv (Postfix) with ESMTP id 4E548219EF;
	Tue, 17 Mar 2009 20:33:32 +0200 (EET)
From: Dmitriy Demidov <dima_bsd@inbox.lv>
To: Paolo Pisati <p.pisati@oltrelinux.com>
Date: Tue, 17 Mar 2009 20:33:09 +0200
User-Agent: KMail/1.9.10
References: <200903132246.49159.dima_bsd@inbox.lv>
	<49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com>
In-Reply-To: <49BFB9B2.9090909@oltrelinux.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="koi8-r"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200903172033.09731.dima_bsd@inbox.lv>
X-Lattelecom-MailScanner-Information: Please contact the ISP for more
	information
X-Lattelecom-MailScanner-ID: 4E548219EF.4BED5
X-Lattelecom-MailScanner: Found to be clean
X-Lattelecom-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
	score=-0.901, required 5, BAYES_00 -2.60, RCVD_IN_PBL 0.91,
	RDNS_NONE 0.10, SPF_FAIL 0.69)
X-Lattelecom-MailScanner-From: dima_bsd@inbox.lv
X-Spam-Status: No
Cc: freebsd-ipfw@freebsd.org, Luigi Rizzo <rizzo@iet.unipi.it>,
	Alex Dupre <ale@freebsd.org>
Subject: Re: keep-state rules inadequately handles big UDP packets
	or	fragmented IP packets?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2009 18:33:20 -0000

On Tuesday 17 March 2009, Paolo Pisati wrote:
> FYI i have a patch for ipfw nat that reassemble a packet before nat[*],
> but if the idea of an explicit packet reassembly action sounds good, i
> could move the code over there.
>
> [*] actually the patch is really simple, it's just a call to ip_reass()
> with some glue code, but nonetheless it could be used more globally.

It's sounds like the thing I'm looking for! How hard it would be to make it?
If it is unacceptable to turn it on by default (for some reasons, if any) then 
can it be implemented as additional ipfw rule allowing to turn him on/off 
when needed? Something like:
ipfw add 100 scrub-ip ip from any to me