Date: Tue, 6 May 1997 20:09:42 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: archie@whistle.com, danny@panda.hilink.com.au, zbs@softec.sk, freebsd-hackers@FreeBSD.ORG
Subject: Re: divert still broken?
Message-ID: <199705070309.UAA22388@bubba.whistle.com>
In-Reply-To: <199705070239.TAA19745@gatekeeper.whistle.com> from Darren Reed at "May 7, 97 12:37:18 pm"

> > Ah, now I see.. remembering that FO is stored in bytes/8 (as you pointed
> > out), it's not possible for a UDP header to be split across fragments
> > in any way (since it's only 8 bytes long)... correct?
>
> Tell me, what does ipfw do with a packet that says "more fragments" but
> the packet has no data (i.e. _no_ header at all), and is UDP ?
>
> Best thing, I think for ipfw to do, is drop any packets where the header(s)
> are split across multiple packets (i.e. aren't all in the one you have).
>
> Aside from that, UDP isn't an issue.
>
> I don't recall ipfw doing any ICMP filtering to worry about that.

What I'm going to do for TCP, UDP, and ICMP is drop any packet that has
offset zero but whose length is too small to contain all of the testable
bits in the corresponding protocol header. In addition, I'll drop all
TCP fragments with offset 1.

That should do it, I hope...

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
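
The two checks described in the reply above, as an added C example; it is not code from ipfw or from the original message. The NEED_* byte counts, the names frag_check and mk_pkt, and the choice to drop packets with inconsistent IPv4 lengths are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed "testable" prefix of each header: TCP through the flags byte,
 * the whole UDP header, ICMP type and code. */
enum { PASS, DROP, NEED_TCP = 14, NEED_UDP = 8, NEED_ICMP = 2 };

/* Decide whether an IPv4 packet should be dropped before rule matching. */
static int frag_check(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP;                          /* not a usable IPv4 header */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || tot < hlen || tot > len)
        return DROP;                          /* inconsistent lengths */
    unsigned off = (((unsigned)pkt[6] << 8) | pkt[7]) & 0x1fff; /* 8-byte units */
    size_t need;
    switch (pkt[9]) {
    case 6:                                   /* TCP */
        if (off == 1) return DROP;            /* lands on bytes 8+ of the TCP header */
        need = NEED_TCP;
        break;
    case 17: need = NEED_UDP; break;          /* UDP */
    case 1:  need = NEED_ICMP; break;         /* ICMP */
    default: return PASS;                     /* other protocols: not covered here */
    }
    /* Offset zero must carry every header byte the rules look at. */
    return (off == 0 && tot - hlen < need) ? DROP : PASS;
}

/* Build a constructed IPv4 packet: 20-byte header plus zeroed payload. */
static size_t mk_pkt(uint8_t *buf, uint8_t proto, unsigned off, int mf, size_t payload)
{
    size_t tot = 20 + payload;
    memset(buf, 0, tot);
    buf[0] = 0x45;                            /* version 4, header length 5 words */
    buf[2] = (uint8_t)(tot >> 8);
    buf[3] = (uint8_t)tot;
    buf[6] = (uint8_t)((mf ? 0x20 : 0) | (off >> 8)); /* MF flag + offset high bits */
    buf[7] = (uint8_t)off;
    buf[9] = proto;
    return tot;
}

int main(void)
{
    uint8_t b[64];   /* empty UDP first fragment with MF set: expect DROP */
    return frag_check(b, mk_pkt(b, 17, 0, 1, 0)) == DROP ? 0 : 1;
}
```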