From owner-freebsd-ipfw@FreeBSD.ORG  Tue Mar 17 22:29:50 2009
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7DB8B106566C;
	Tue, 17 Mar 2009 22:29:50 +0000 (UTC)
	(envelope-from luigi@onelab2.iet.unipi.it)
Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.9.129])
	by mx1.freebsd.org (Postfix) with ESMTP id 32B658FC16;
	Tue, 17 Mar 2009 22:29:50 +0000 (UTC)
	(envelope-from luigi@onelab2.iet.unipi.it)
Received: by onelab2.iet.unipi.it (Postfix, from userid 275)
	id D6BD4730A1; Tue, 17 Mar 2009 23:35:11 +0100 (CET)
Date: Tue, 17 Mar 2009 23:35:11 +0100
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Paolo Pisati <p.pisati@oltrelinux.com>
Message-ID: <20090317223511.GB95451@onelab2.iet.unipi.it>
References: <200903132246.49159.dima_bsd@inbox.lv>
	<20090313214327.GA1675@onelab2.iet.unipi.it>
	<49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com>
	<20090317190123.GB89417@onelab2.iet.unipi.it>
	<49C01E08.9050709@oltrelinux.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <49C01E08.9050709@oltrelinux.com>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov <dima_bsd@inbox.lv>,
	Alex Dupre <ale@FreeBSD.org>
Subject: Re: keep-state rules inadequately handles big UDP packets
	or	fragmented IP packets?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2009 22:29:50 -0000

On Tue, Mar 17, 2009 at 11:02:48PM +0100, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> >
> >Thinking more about it, i believe that calling reass as an explicit
> >firewall action is useless, because if ip_reass fails due to lack of
> >all fragments you are back to square one:
> >	what do I do with this fragment ?
> >  
> 
> AFAIK ip_reass() never fails: if it's the last fragment it reassembles 
> the packet and return it, else it queues the fragment for later
> reassembly.

Ok then we may have a plan:

you could do is implement REASS as an action (not as a microinstruction),
with the following behaviour:

- if the packet is a complete one, the rule behaves as a "count"
  (i.e. the firewall continues with the next rule);

- if the packet is a fragment and can be reassembled, the rule
  behaves as a "count" and the mbuf is replaced with the full packet;

- if the packet is a fragment and cannot be reassembled, the
  rule behaves as a "drop" (i.e. processing stops)
  and the packet is swallowed by ipfw.

This seems a useful behaviour, but it must be documented very
clearly because it is not completely intuitive. Perhaps we should
find a more descriptive name.

Good progress!

	cheers
	luigi