From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 17 22:14:09 2009
Message-ID: <49C01E08.9050709@oltrelinux.com>
Date: Tue, 17 Mar 2009 23:02:48 +0100
From: Paolo Pisati
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov, Alex Dupre
References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com> <20090317190123.GB89417@onelab2.iet.unipi.it>
In-Reply-To: <20090317190123.GB89417@onelab2.iet.unipi.it>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Luigi Rizzo wrote:
> Thinking more about it, I believe that calling reass as an explicit
> firewall action is useless, because if ip_reass fails due to lack of
> all fragments you are back to square one:
> what do I do with this fragment?

AFAIK ip_reass() never fails: if it's the last fragment it reassembles the packet and returns it, else it queues the fragment for later reassembly.

And I guess we must extend IP fragment detection together with the reass action, because 'frag' matches only packets with a non-zero offset (aka not the first fragment).

bye,
P.
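The point Paolo raises (an offset-only 'frag' test never sees the first fragment, which carries offset 0 with the MF flag set) as an added illustration that is not code from this thread or from ipfw: a small Python decoder over constructed IPv4 headers, comparing the offset-only test with one that also honours the More Fragments bit. The packet builder, the field names and all sample ids/offsets are assumed and constructed for the demonstration.

```python
import struct

IP_MF = 0x2000       # "More Fragments" flag (RFC 791)
IP_OFFMASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def build_ipv4(ip_id: int, mf: bool, offset: int, proto: int = 17, payload: int = 8) -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) for the demo only."""
    flags_off = (IP_MF if mf else 0) | ((offset // 8) & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload, ip_id, flags_off,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + b"\x00" * payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode only the fields a fragment check needs from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    _, _, total_len, ip_id, flags_off, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    return {"id": ip_id, "proto": proto, "len": total_len,
            "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8}  # byte offset of this piece


def matches_frag(hdr: dict) -> bool:
    """'frag' as described in the thread: only pieces with a non-zero offset."""
    return hdr["offset"] != 0


def is_fragment(hdr: dict) -> bool:
    """Extended test: a first fragment (offset 0, MF set) is a fragment too."""
    return hdr["offset"] != 0 or hdr["mf"]


def classify(pkts):
    """Return (matches_frag, is_fragment) for each packet, in input order."""
    return [(matches_frag(h), is_fragment(h)) for h in map(parse_ipv4, pkts)]


# Constructed sample: one UDP datagram split in three, plus an unfragmented packet.
SAMPLE = [
    build_ipv4(0x1234, mf=True, offset=0),      # first fragment: the UDP header is here
    build_ipv4(0x1234, mf=True, offset=1480),   # middle fragment
    build_ipv4(0x1234, mf=False, offset=2960),  # last fragment
    build_ipv4(0x1235, mf=False, offset=0),     # ordinary, unfragmented packet
]

if __name__ == "__main__":
    for pkt, (f, a) in zip(SAMPLE, classify(SAMPLE)):
        h = parse_ipv4(pkt)
        print(f"id={h['id']:#06x} off={h['offset']:5d} mf={h['mf']!s:5} frag={f!s:5} fragment={a}")
```

The first row is the one that matters for a stateful rule: it is the only piece carrying the transport header, yet it is the one the offset-only test lets through unmatched.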