From owner-freebsd-hackers Tue May 6 11:29:02 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA26593 for hackers-outgoing; Tue, 6 May 1997 11:29:02 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA26587 for ; Tue, 6 May 1997 11:29:00 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id LAA24815; Tue, 6 May 1997 11:28:23 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma024809; Tue May 6 11:27:57 1997
Received: (from archie@localhost) by bubba.whistle.com (8.7.5/8.6.12) id LAA16912; Tue, 6 May 1997 11:27:57 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199705061827.LAA16912@bubba.whistle.com>
Subject: Re: divert still broken?
In-Reply-To: from "Basti, Zoltan" at "May 6, 97 08:41:15 am"
To: zbs@softec.sk (Basti Zoltan)
Date: Tue, 6 May 1997 11:27:57 -0700 (PDT)
Cc: freebsd-hackers@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> >I'm doing some more work on ipfw and divert to solve a need we have...
> >and planning on making these changes (how much gets checked in to be
> >determined later by group consensus, but patch will be available):
>
> While you are at it, would you please have a look at
> fragmented packets processing. Currently (2.2.1-RELEASE)
> IP packets with fragment offset > 0 can match TCP and UDP
> source port and destination port rules (but not TCP flags).
> This is clearly wrong, since TCP and UDP ports are always
> in the first fragment of a fragmented packet.

Yes.. I'll fix this.

But it brings up another question.. how should we defend against
UDP packets that are fragmented into a very small fragment (that
doesn't contain the whole header) followed by the rest of the packet?
Note this is not a problem for TCP, thanks to our implementing the
recommendation of RFC 1858. Should ipfw be able to enforce a "minimum"
initial fragment length? What is the best strategy here? Or maybe I'm
missing something obvious that makes this not a problem.

Thanks,
-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
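
The fragment checks discussed in this message, as an added example in C (not part of the original post and not ipfw's code): port rules are evaluated only on a first fragment that carries enough of the transport header, and a TCP fragment at offset 1 is dropped in the manner RFC 1858 describes. The function names, the verdict values and the 16-byte (TCP) and 8-byte (UDP) minimums are assumptions of this example; the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>

enum verdict { PORTS_OK, NO_PORTS, DROP };

/* Decide whether port-based rules may be applied to a raw IPv4 packet. */
enum verdict classify(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return DROP;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (hlen < 20 || total < hlen || total > len) return DROP;

    unsigned frag = ((unsigned)p[6] << 8) | p[7];
    unsigned off = frag & 0x1fff;          /* fragment offset, 8-byte units */
    uint8_t proto = p[9];
    /* Transport bytes a first fragment must carry (assumed policy):
       TCP 16 (ports and flags), UDP 8 (the whole header). */
    size_t need = proto == 6 ? 16 : proto == 17 ? 8 : 0;

    if (need == 0) return NO_PORTS;        /* protocol has no ports */
    if (off > 0)                           /* later fragment carries no ports */
        return (proto == 6 && off == 1) ? DROP : NO_PORTS;
    return (total - hlen < need) ? DROP : PORTS_OK;
}

/* Build a constructed packet (20-byte header, zeroed payload) and classify it. */
enum verdict sample(uint8_t proto, unsigned off, int more, size_t payload)
{
    uint8_t b[64] = {0};
    if (payload > sizeof b - 20) return DROP;
    size_t total = 20 + payload;
    unsigned frag = (off & 0x1fff) | (more ? 0x2000u : 0);
    b[0] = 0x45;                           /* IPv4, header length 5 words */
    b[2] = (uint8_t)(total >> 8); b[3] = (uint8_t)total;
    b[6] = (uint8_t)(frag >> 8);  b[7] = (uint8_t)frag;
    b[9] = proto;
    return classify(b, total);
}

int main(void)
{
    static const char *name[] = { "PORTS_OK", "NO_PORTS", "DROP" };
    printf("UDP first fragment, 4 bytes: %s\n", name[sample(17, 0, 1, 4)]);
    printf("UDP first fragment, 8 bytes: %s\n", name[sample(17, 0, 1, 8)]);
    printf("UDP fragment at offset 1:    %s\n", name[sample(17, 1, 0, 8)]);
    printf("TCP fragment at offset 1:    %s\n", name[sample(6, 1, 0, 8)]);
    return 0;
}
```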