Date: Tue, 6 May 1997 11:27:57 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: zbs@softec.sk (Basti Zoltan)
Cc: freebsd-hackers@freebsd.org
Subject: Re: divert still broken?
Message-ID: <199705061827.LAA16912@bubba.whistle.com>
In-Reply-To: <c=CS%a=_%p=Softec%l=CLEOPATRA-970506064115Z-2@cleopatra.softec.sk> from "Basti, Zoltan" at "May 6, 97 08:41:15 am"
> >I'm doing some more work on ipfw and divert to solve a need we have...
> >and planning on making these changes (how much gets checked in to be
> >determined later by group consensus, but patch will be available):
>
> While you are at it, would you please have a look at
> fragmented packets processing. Currently (2.2.1-RELEASE)
> IP packets with fragment offset > 0 can match TCP and UDP
> source port and destination port rules (but not TCP flags).
> This is clearly wrong, since TCP and UDP ports are always
> in the first fragment of a fragmented packet.

Yes.. I'll fix this. But it brings up another question.. how should we
defend against UDP packets that are fragmented into a very small fragment
(that doesn't contain the whole header) followed by the rest of the packet?
Note this is not a problem for TCP, thanks to our implementing the
recommendation of RFC 1858.

Should ipfw be able to enforce a "minimum" initial fragment length? What is
the best strategy here? Or maybe I'm missing something obvious that makes
this not a problem.

Thanks,
-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com
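The two checks discussed in this exchange, as an added example written for this page (not Archie's patch and not ipfw's own code): a fragment with offset > 0 carries payload bytes where the ports would be, so port rules must never be evaluated against it, and a first fragment (offset 0, MF set) is only allowed to match port rules when it carries the whole transport header. Applying that second rule to UDP as well as TCP is the "minimum initial fragment length" the reply asks about; the TCP offset == 1 overlap rule is the RFC 1858 recommendation the reply mentions. `classify`, `mk_ipv4`, the verdict names and the sample datagrams are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP  6
#define PROTO_UDP  17
#define IP_MF      0x2000   /* "more fragments" flag in the flags/offset word */
#define IP_OFFMASK 0x1fff   /* fragment offset, in 8-byte units */

enum verdict {
    V_MALFORMED,      /* short or inconsistent header: drop */
    V_NOT_FRAGMENT,   /* complete datagram: port rules may be consulted */
    V_FIRST_FRAGMENT, /* offset 0, MF set, full transport header present */
    V_LATER_FRAGMENT, /* offset > 0: no header here, port rules must not match */
    V_TINY_FIRST,     /* offset 0 but transport header incomplete (RFC 1858 sec 3.1): drop */
    V_OVERLAP         /* TCP, offset == 1: would overwrite the header (RFC 1858 sec 3.2): drop */
};

struct frag_info {
    enum verdict verdict;
    uint8_t  proto;
    uint16_t sport, dport; /* valid only for V_NOT_FRAGMENT / V_FIRST_FRAGMENT */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Smallest transport header a port rule needs to see (hypothetical policy). */
static size_t min_transport_hdr(uint8_t proto)
{
    switch (proto) {
    case PROTO_TCP: return 20;
    case PROTO_UDP: return 8;
    default:        return 0;  /* no port rules for other protocols */
    }
}

struct frag_info classify(const uint8_t *pkt, size_t len)
{
    struct frag_info fi;
    memset(&fi, 0, sizeof fi);
    fi.verdict = V_MALFORMED;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return fi;
    size_t   ihl   = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = rd16(pkt + 2);
    if (ihl < 20 || ihl > total || total > len)
        return fi;

    uint16_t ff = rd16(pkt + 6);
    int      mf = (ff & IP_MF) != 0;
    uint16_t fo = ff & IP_OFFMASK;
    fi.proto    = pkt[9];
    size_t tlen = total - ihl;                  /* transport bytes in this fragment */
    size_t need = min_transport_hdr(fi.proto);

    if (fo > 0) {
        /* Whatever sits at the start of this fragment is payload, not ports. */
        fi.verdict = (fo == 1 && fi.proto == PROTO_TCP) ? V_OVERLAP : V_LATER_FRAGMENT;
        return fi;
    }
    if (tlen < need) {
        /* First (or only) fragment cannot hold the whole transport header. */
        fi.verdict = mf ? V_TINY_FIRST : V_MALFORMED;
        return fi;
    }
    if (need) {
        fi.sport = rd16(pkt + ihl);      /* source port: first 2 bytes for TCP and UDP */
        fi.dport = rd16(pkt + ihl + 2);  /* destination port: next 2 bytes */
    }
    fi.verdict = mf ? V_FIRST_FRAGMENT : V_NOT_FRAGMENT;
    return fi;
}

/* Build a constructed IPv4 datagram (IHL 5, no checksum) into buf; returns its length. */
size_t mk_ipv4(uint8_t *buf, uint8_t proto, uint16_t flags_off,
               const uint8_t *payload, size_t plen)
{
    size_t total = 20 + plen;
    memset(buf, 0, 20);
    buf[0] = 0x45;                                     /* IPv4, IHL = 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(flags_off >> 8); buf[7] = (uint8_t)flags_off;
    buf[8] = 64;                                       /* TTL */
    buf[9] = proto;
    memcpy(buf + 20, payload, plen);
    return total;
}

int main(void)
{
    /* Constructed UDP header: sport 53, dport 1234, length 12, cksum 0, 4 data bytes. */
    static const uint8_t udp[] = {0x00,0x35, 0x04,0xd2, 0x00,0x0c, 0x00,0x00, 1,2,3,4};
    uint8_t b[128];
    struct frag_info f;

    f = classify(b, mk_ipv4(b, PROTO_UDP, 0, udp, sizeof udp));
    printf("whole datagram: verdict %d sport %u dport %u\n", f.verdict, f.sport, f.dport);
    f = classify(b, mk_ipv4(b, PROTO_UDP, 0x0001, udp, sizeof udp));
    printf("offset-1 fragment: verdict %d (ports ignored)\n", f.verdict);
    f = classify(b, mk_ipv4(b, PROTO_UDP, IP_MF, udp, 4));
    printf("4-byte first fragment: verdict %d\n", f.verdict);
    return 0;
}
```

The offset > 0 branch is the fix for the bug Basti reports: the classifier refuses to expose ports at all for such fragments, so no port rule can match them. The `tlen < need` branch is one answer to Archie's question: a first fragment shorter than the UDP (8) or TCP (20) header is dropped outright rather than passed to the rules, which is the same treatment RFC 1858 gives TCP, extended to UDP.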