Date: Wed, 7 May 1997 09:13:29 +1000 (EST) From: "Daniel O'Callaghan" <danny@panda.hilink.com.au> To: Archie Cobbs <archie@whistle.com> Cc: Darren Reed <avalon@coombs.anu.edu.au>, zbs@softec.sk, freebsd-hackers@FreeBSD.ORG Subject: Re: divert still broken? Message-ID: <Pine.BSF.3.91.970507091049.4479u-100000@panda.hilink.com.au> In-Reply-To: <199705062214.PAA20349@bubba.whistle.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 6 May 1997, Archie Cobbs wrote: > > > So long as the packet is a fragment, is at offset 0, then for UDP, it is > > either not going to have any header data (ip_len == ip_hl << 2) or it > > will have at least both ports (first 4 bytes of the header) - well it > > should as fragmenting of data is done on 8 byte boundaries. > > Should the firewall then always & automatically reject any packet > that doesn't have length a multiple of eight? Not applicable, see below. > Is fragmentation *required* to be on multiples of eight? Yes. Because the fragment offset is store in the packet as bytes/8. In other words, FO=1 means 'starting at byte 8'. Reject all packets with FO=1. Danny
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.970507091049.4479u-100000>