From owner-freebsd-hackers Tue May 6 16:10:22 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA12067 for hackers-outgoing; Tue, 6 May 1997 16:10:22 -0700 (PDT)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA12057 for ; Tue, 6 May 1997 16:10:12 -0700 (PDT)
Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.7.3) id JAA27081; Wed, 7 May 1997 09:13:30 +1000 (EST)
Date: Wed, 7 May 1997 09:13:29 +1000 (EST)
From: "Daniel O'Callaghan"
To: Archie Cobbs
cc: Darren Reed , zbs@softec.sk, freebsd-hackers@FreeBSD.ORG
Subject: Re: divert still broken?
In-Reply-To: <199705062214.PAA20349@bubba.whistle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 6 May 1997, Archie Cobbs wrote:

>
> > So long as the packet is a fragment, is at offset 0, then for UDP, it is
> > either not going to have any header data (ip_len == ip_hl << 2) or it
> > will have at least both ports (first 4 bytes of the header) - well it
> > should as fragmenting of data is done on 8 byte boundaries.
>
> Should the firewall then always & automatically reject any packet
> that doesn't have length a multiple of eight?

Not applicable, see below.

> Is fragmentation *required* to be on multiples of eight?

Yes. Because the fragment offset is stored in the packet as bytes/8.
In other words, FO=1 means 'starting at byte 8'.

Reject all packets with FO=1.

Danny
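The checks discussed in this thread, written out as an added example (not code from the message or from the FreeBSD firewall/divert sources): it decodes the fragment offset in 8-byte units, rejects FO=1, and reads the UDP ports only when an offset-0 packet actually carries the first 4 bytes of the UDP header. The verdict names, `classify()`, `build()` and the sample packets are constructed for illustration, and the packet is assumed to be UDP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { MALFORMED, REJECT_FO1, LATER_FRAGMENT, NO_PORTS, PORTS_OK };

/* The low 13 bits of the ip_off field hold the fragment offset in 8-byte units. */
static unsigned frag_units(const uint8_t *p) { return ((p[6] << 8) | p[7]) & 0x1fff; }

/* Classify a raw IPv4 packet assumed to carry UDP; fills the ports on PORTS_OK. */
enum verdict classify(const uint8_t *p, size_t n, uint16_t *sport, uint16_t *dport)
{
    if (n < 20 || (p[0] >> 4) != 4) return MALFORMED;
    size_t hl  = (size_t)(p[0] & 0x0f) << 2;      /* ip_hl << 2, header bytes */
    size_t len = ((size_t)p[2] << 8) | p[3];      /* ip_len, total bytes */
    if (hl < 20 || len < hl || len > n) return MALFORMED;
    unsigned fo = frag_units(p);
    if (fo == 1) return REJECT_FO1;               /* FO=1: data starts at byte 8 */
    if (fo > 1)  return LATER_FRAGMENT;           /* UDP header is not in this piece */
    if (len - hl < 4) return NO_PORTS;            /* covers ip_len == ip_hl << 2 */
    *sport = (uint16_t)((p[hl] << 8) | p[hl + 1]);
    *dport = (uint16_t)((p[hl + 2] << 8) | p[hl + 3]);
    return PORTS_OK;
}

/* Constructed sample: 20-byte header, MF set, protocol 17, ports 53 -> 1024. */
size_t build(uint8_t *b, unsigned fo_units, size_t payload)
{
    size_t len = 20 + payload;
    memset(b, 0, len);
    b[0] = 0x45;
    b[2] = (uint8_t)(len >> 8); b[3] = (uint8_t)len;
    b[6] = (uint8_t)(0x20 | (fo_units >> 8)); b[7] = (uint8_t)fo_units;
    b[9] = 17;
    if (payload >= 4) { b[21] = 53; b[22] = 0x04; }
    return len;
}

int main(void)
{
    uint8_t b[64]; uint16_t s = 0, d = 0;
    static const unsigned cases[4][2] = { {0, 8}, {0, 0}, {1, 8}, {2, 8} };
    for (int i = 0; i < 4; i++) {
        enum verdict v = classify(b, build(b, cases[i][0], cases[i][1]), &s, &d);
        printf("FO=%u (byte %u) payload=%u -> verdict %d\n",
               cases[i][0], cases[i][0] * 8, cases[i][1], (int)v);
    }
    return 0;
}
```

What a filter does with `NO_PORTS` and `LATER_FRAGMENT` is a policy choice the message does not settle; the example only reports them.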