From owner-freebsd-hackers Fri Jan 26 11:49:18 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from smtp.nettoll.com (matrix.nettoll.net [212.155.143.61]) by hub.freebsd.org (Postfix) with ESMTP id 8BA0837B402 for ; Fri, 26 Jan 2001 11:49:01 -0800 (PST)
Received: by smtp.nettoll.com; Fri, 26 Jan 2001 20:47:34 +0100 (MET)
Message-Id: <4.3.0.20010126202555.06e24350@pop.free.fr>
X-Sender: usebsd@pop.free.fr
X-Mailer: QUALCOMM Windows Eudora Version 4.3
Date: Fri, 26 Jan 2001 21:00:54 +0100
To: Archie Cobbs , Alwyn Goodloe
From: mouss
Subject: packet redirection design problem [Divert Sockets & Fragmentation revisited]
Cc: hackers@FreeBSD.ORG
In-Reply-To: <200101261843.KAA09789@curve.dellroad.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"IP filtering engines" that do something to a packet based on rule matching have a problem when fragmentation comes into play.

In the case of a "packet redirector" such as divert, the problem is that only the first fragment will match the rule, if the rule uses ports or whatever info is contained in the payload. The problem occurs if the packet (that should match) is subject to change by the engine (either redirection, NAT, blocking, ...).

IP Filter handles such situations with specific code. It would be a nice thing if this were added to the standard code so that packet filter writers do not need to add their own.

Any opinions?
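The mismatch described above, as an added illustration that is not part of the original post: a port-based rule sees the port only in the first fragment, so a naive matcher passes the rest of the datagram, while a filter that remembers the first fragment's verdict (keyed the way a fragment cache would be, as IP Filter does) applies it to every fragment. Packets and rule are constructed here; the names are hypothetical.

```python
import struct

# Constructed sample: one TCP datagram to port 80 split into two IPv4
# fragments. Only the first carries the TCP header (and so the ports);
# the second carries payload only. Not taken from the original post.
SRC, DST, IDENT, TCP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x1234, 6
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)

def ipv4(src, dst, ident, proto, offset_words, more_frags, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    flags_frag = (0x2000 if more_frags else 0) | (offset_words & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

FRAG1 = ipv4(SRC, DST, IDENT, TCP, 0, True, TCP_HDR + b"A" * 4)
FRAG2 = ipv4(SRC, DST, IDENT, TCP, 3, False, b"B" * 16)  # offset 24 bytes

def parse(pkt):
    """Return (datagram key, fragment offset, more-fragments, dst port)."""
    vihl, _, _, ident, ff, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl, offset = (vihl & 0x0F) * 4, (ff & 0x1FFF) * 8
    dport = None  # transport header is only present in the first fragment
    if offset == 0 and proto == TCP and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return (src, dst, ident, proto), offset, bool(ff & 0x2000), dport

def naive_verdict(pkt):
    """Rule 'divert tcp to port 80': only matches when the port is visible."""
    return "divert" if parse(pkt)[3] == 80 else "pass"

class FragAwareFilter:
    """Keep the first fragment's verdict per datagram and reuse it for the
    remaining fragments, so the whole datagram is redirected consistently."""
    def __init__(self):
        self.cache = {}  # (src, dst, id, proto) -> verdict

    def verdict(self, pkt):
        key, offset, more, _ = parse(pkt)
        if offset == 0:
            v = naive_verdict(pkt)
            if more:
                self.cache[key] = v
            return v
        v = self.cache.get(key, "pass")  # unseen head: policy choice
        if not more:
            self.cache.pop(key, None)  # last fragment, drop the entry
        return v
```

The naive path diverts only the head fragment and passes the tail unchanged, which is exactly the split the post describes; a real cache would also need expiry, since the tail may never arrive.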