From owner-freebsd-net Mon Jan 29 9:59: 0 2001
Delivered-To: freebsd-net@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP
	id 22B2037B698; Mon, 29 Jan 2001 09:58:32 -0800 (PST)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.0/8.11.0) id f0THw2886968;
	Mon, 29 Jan 2001 19:58:03 +0200 (EET)
	(envelope-from ru)
Date: Mon, 29 Jan 2001 19:58:02 +0200
From: Ruslan Ermilov
To: Archie Cobbs
Cc: Alwyn Goodloe , net@FreeBSD.ORG, Archie Cobbs
Subject: Re: ipfw message
Message-ID: <20010129195802.B83844@sunbay.com>
Mail-Followup-To: Archie Cobbs , Alwyn Goodloe , net@FreeBSD.ORG, Archie Cobbs
References: <20010129105926.B27558@sunbay.com> <200101291744.JAA20568@curve.dellroad.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200101291744.JAA20568@curve.dellroad.org>; from archie@dellroad.org on Mon, Jan 29, 2001 at 09:44:07AM -0800
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:44:07AM -0800, Archie Cobbs wrote:
> Ruslan Ermilov writes:
> > I think I have found a bug here. When the ``divert foo ... udp ...'' rule
> > has no destination port specification, everything works as documented, i.e.
> > all fragments are reassembled and get diverted to the divert(4) to port
> > ``foo''. If I add the destination port specification, only the first
> > (offset zero) fragment gets diverted:
>
> Yep.. diversion happens before reassembly, but diverted packets
> are only delivered after reassembly.
>
> So if not all of the fragments are diverted, the packet is lost
> because only an incomplete portion of it gets diverted.
>
> To "fix" this bug would require reassembling *all* (or a large
> portion of the) packets passing through the kernel, which is probably
> not a win. A workaround is to match conservatively (i.e., match
> all udp packets) and have the userland code just reinject any
> false positives.
>
Or add ``divert same-port udp from any to any frag''...


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
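
The behaviour discussed in this message, as an added example that is not part of the original thread and is not ipfw code: a simplified per-packet rule matcher applied to the fragments of one UDP datagram, showing that a destination-port rule sees only the offset-zero fragment, while the match-all-udp rule or an extra ``frag'' rule covers every fragment. The function names, the dict-based rule format, port 5000 and the 16-byte fragment size are assumptions made for the illustration.

```python
import struct

def udp_datagram(sport, dport, payload):
    # UDP header: source port, destination port, length, checksum (0 = unset)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(ip_payload, frag_size=16):
    """Split an IP payload into (offset in 8-byte units, more-fragments, data)."""
    assert frag_size % 8 == 0
    return [(off // 8, off + frag_size < len(ip_payload),
             ip_payload[off:off + frag_size])
            for off in range(0, len(ip_payload), frag_size)]

def matches(rule, frag):
    """Simplified model of one rule looking at one packet (an assumption)."""
    offset, _more, data = frag
    if rule.get("frag"):          # 'frag' keyword: fragment that is not the first
        return offset != 0
    if "dport" in rule:
        if offset != 0:           # later fragments carry no UDP header
            return False
        return struct.unpack("!H", data[2:4])[0] == rule["dport"]
    return True                   # plain 'udp from any to any'

def diverted(rules, frags):
    # A fragment is diverted if any divert rule in the set matches it.
    return [f for f in frags if any(matches(r, f) for r in rules)]

def complete(frags, got):
    # The divert socket only delivers a datagram once every fragment arrived.
    return len(got) == len(frags)

# Constructed sample: 40 bytes of payload to port 5000, split into 3 fragments.
FRAGS = fragment(udp_datagram(1234, 5000, b"A" * 40))
PORT_ONLY = [{"dport": 5000}]                    # rule with a port specification
MATCH_ALL = [{}]                                 # conservative: match all udp
PORT_PLUS_FRAG = [{"dport": 5000}, {"frag": True}]

if __name__ == "__main__":
    for name, rules in [("port only", PORT_ONLY), ("all udp", MATCH_ALL),
                        ("port + frag", PORT_PLUS_FRAG)]:
        got = diverted(rules, FRAGS)
        print(f"{name}: {len(got)}/{len(FRAGS)} diverted,",
              "delivered" if complete(FRAGS, got) else "lost")
```

Both rule sets that cover every fragment also divert traffic that is not bound for the port of interest, so the userland program has to reinject what it does not want.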