From owner-freebsd-hackers Tue May 6 20:10:44 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA26804 for hackers-outgoing; Tue, 6 May 1997 20:10:44 -0700 (PDT) Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA26787 for ; Tue, 6 May 1997 20:10:38 -0700 (PDT) Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id UAA28941; Tue, 6 May 1997 20:10:04 -0700 (PDT) Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma028936; Tue May 6 20:09:42 1997 Received: (from archie@localhost) by bubba.whistle.com (8.7.5/8.6.12) id UAA22388; Tue, 6 May 1997 20:09:42 -0700 (PDT) From: Archie Cobbs Message-Id: <199705070309.UAA22388@bubba.whistle.com> Subject: Re: divert still broken? In-Reply-To: <199705070239.TAA19745@gatekeeper.whistle.com> from Darren Reed at "May 7, 97 12:37:18 pm" To: avalon@coombs.anu.edu.au (Darren Reed) Date: Tue, 6 May 1997 20:09:42 -0700 (PDT) Cc: archie@whistle.com, danny@panda.hilink.com.au, zbs@softec.sk, freebsd-hackers@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL25 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-hackers@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > > Ah, now I see.. remembering that FO is stored in bytes/8 (as you pointed > > out), it's not possible for a UDP header to be split across fragments > > in any way (since it's only 8 bytes long)... correct? > > Tell me, what does ipfw do with a packet that says "more fragments" but > the packet has no data (i.e. _no_ header at all), and is UDP ? > > Best thing, I think for ipfw to do, is drop any packets where the header(s) > are split across multiple packets (i.e. aren't all in the one you have). > > Aside from that, UDP isn't an issue. > > I don't recall ipfw doing any ICMP filtering to worry about that. What I'm going to do for TCP, UDP, and ICMP is drop any packet that is has offset zero but whose length is too small to contain all of the testable bits in the corresponding protocol header. In addition, I'll drop all TCP fragments with offset 1. That should do it, I hope... -Archie ___________________________________________________________________________ Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com