Date: Mon, 13 Mar 2000 00:55:04 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Luigi Rizzo <luigi@info.iet.unipi.it>
Cc: Mike Heffner <spock@techfour.net>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw doesn't match when src == dest
Message-ID: <Pine.NEB.3.96L.1000313005405.6734F-100000@fledge.watson.org>
In-Reply-To: <200003130545.GAA89213@info.iet.unipi.it>

Actually, this post was with regards to the fragment handling comment you
made, and not the buffer problem, to which I'll commit the patch for
shortly. Could you comment on the potential accuracy of my observations
about over-zealous dropping of fragments? :-)

On Mon, 13 Mar 2000, Luigi Rizzo wrote:

> Hi,
> the original poster found out the problem -- a call to inet_ntoa()
> (or similar function) which returned a ptr to a static buffer was used
> twice in the same function, with obvious results.
>
> cheers
> luigi
>
>
> > > > Hello,
> > > >
> > > > When I recently redid my firewall, I wanted to block a strange packet from my
> > > > cablemodem,
> > > >
> > > > Deny P:2 192.168.100.1 192.168.100.1 in via ed1
> > >
> > > are you sure that the logging code prints the right thing ?
> > > I noticed (from source code analysis) it does strange things with
> > > fragments, it might as well misbehave with short packets etc.
> >
> > Having spent about two minutes looking at the ipfw code, it looks like
> > there are no false accepts for ultra-fragmented UDP/TCP/ICMP packets
> >

Robert N M Watson
robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
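
The static-buffer mistake described in the quoted reply above, as an added C example that is not part of the original message and is not the ipfw source: calling inet_ntoa() twice in one formatting call makes a log line show the same address for source and destination, while inet_ntop() with one buffer per address does not. The function names and the 10.0.0.5 address are constructed for illustration; the line format follows the log entry quoted in the thread.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Buggy pattern: both inet_ntoa() calls return the same static buffer, so
 * the call evaluated last overwrites the other and both %s print one address. */
static int log_buggy(char *out, size_t n, struct in_addr src, struct in_addr dst)
{
    return snprintf(out, n, "Deny P:2 %s %s", inet_ntoa(src), inet_ntoa(dst));
}

/* Fixed: inet_ntop() writes into caller-supplied buffers, one per address. */
static int log_fixed(char *out, size_t n, struct in_addr src, struct in_addr dst)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];

    if (!inet_ntop(AF_INET, &src, s, sizeof s) ||
        !inet_ntop(AF_INET, &dst, d, sizeof d))
        return -1;
    return snprintf(out, n, "Deny P:2 %s %s", s, d);
}

/* Returns 1 if the two address fields of a formatted line are identical,
 * 0 if they differ, -1 if the line does not parse. */
static int fields_equal(const char *line)
{
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];

    if (sscanf(line, "Deny P:2 %15s %15s", a, b) != 2)
        return -1;
    return strcmp(a, b) == 0;
}

int main(void)
{
    struct in_addr src, dst;
    char line[64];

    /* Constructed sample: a packet whose source and destination differ. */
    inet_pton(AF_INET, "192.168.100.1", &src);
    inet_pton(AF_INET, "10.0.0.5", &dst);

    log_buggy(line, sizeof line, src, dst);
    printf("buggy: %s (fields equal: %d)\n", line, fields_equal(line));
    log_fixed(line, sizeof line, src, dst);
    printf("fixed: %s (fields equal: %d)\n", line, fields_equal(line));
    return 0;
}
```

A firewall log line that reports src == dest is therefore worth checking against the packet itself before it is treated as evidence of a spoofed or looped packet.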