Date: Sat, 27 Jan 2001 14:06:02 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: mouss <usebsd@free.fr>
Cc: Archie Cobbs <archie@dellroad.org>, Alwyn Goodloe <agoodloe@gradient.cis.upenn.edu>, hackers@FreeBSD.ORG
Subject: Re: packet redirection design problem [Divert Sockets & Fragmentation revisited]
Message-ID: <20010127140602.B328@ringworld.oblivion.bg>
In-Reply-To: <4.3.0.20010126202555.06e24350@pop.free.fr>; from usebsd@free.fr on Fri, Jan 26, 2001 at 09:00:54PM +0100
References: <Pine.SOL.4.21.0101252258280.9067-100000@gradient.cis.upenn.edu> <200101261843.KAA09789@curve.dellroad.org> <4.3.0.20010126202555.06e24350@pop.free.fr>
On Fri, Jan 26, 2001 at 09:00:54PM +0100, mouss wrote:
> "IP filtering engines" that do something to packets based on rule
> matching have a problem when fragmentation comes into play.
>
> In the case of a "packet redirector" such as divert, the problem is that
> only the first fragment will match the rule, if the rule uses ports or
> whatever info is contained in the payload.
>
> The problem occurs if the packet (that should match) is subject to change
> by the engine (either redirection, nat, blocking, ...)
>
> IP Filter handles such a situation with specific code.
>
> It would be a nice thing if this were added to the standard code so that
> packet filter writers do not need to add their own.
>
> Any opinions?

Hmm, isn't this exactly the issue that's addressed in the Linux kernel by the
'always reassemble the whole packet before processing' config option?
Wouldn't this be good/desired behavior? Or am I on crack - is FreeBSD already
doing this? From this discussion I gather it's not..

G'luck,
Peter

-- 
This sentence no verb.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
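The problem mouss describes, shown as an added example that is not part of the thread or of any FreeBSD code: a port-based rule evaluated fragment by fragment matches only the offset-0 fragment (the only one carrying the UDP header), whereas evaluating the same rule after reassembly gives one decision for the whole datagram. The `Fragment` class, the `Reassembler` and the sample datagram are constructed for this illustration; the reassembler deliberately accepts only gap-free, non-overlapping fragments.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    ident: int      # IP identification: shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (the header field counts 8-byte units)
    more: bool      # MF flag: True on every fragment except the last
    payload: bytes  # the slice of the transport segment this fragment carries

def udp_dst_port(data):
    """UDP destination port, or None if the UDP header is not present."""
    return int.from_bytes(data[2:4], "big") if len(data) >= 4 else None

def match_per_fragment(frag, port):
    """Naive per-fragment rule: only an offset-0 fragment can carry the header."""
    return frag.offset == 0 and udp_dst_port(frag.payload) == port

class Reassembler:
    def __init__(self):
        self.pending = {}  # ident -> {"parts": {offset: bytes}, "total": length}

    def feed(self, frag):
        """Buffer one fragment; return the full payload once every piece is present."""
        entry = self.pending.setdefault(frag.ident, {"parts": {}, "total": None})
        entry["parts"][frag.offset] = frag.payload
        if not frag.more:                       # the last fragment fixes the total length
            entry["total"] = frag.offset + len(frag.payload)
        if entry["total"] is None:
            return None
        expected = 0                            # require a gap-free run starting at offset 0
        for off, chunk in sorted(entry["parts"].items()):
            if off != expected:
                return None
            expected = off + len(chunk)
        if expected != entry["total"]:
            return None
        del self.pending[frag.ident]
        return b"".join(c for _, c in sorted(entry["parts"].items()))

def match_after_reassembly(frags, port):
    """Apply the rule once per datagram, only when reassembly completes."""
    r, decisions = Reassembler(), []
    for frag in frags:
        data = r.feed(frag)
        if data is not None:
            decisions.append((frag.ident, udp_dst_port(data) == port))
    return decisions

# Constructed sample: UDP src 1234, dst 53, length 16, checksum 0, plus 8 data bytes,
# split into two 8-byte fragments of IP id 0x1a2b.
DATAGRAM = bytes([0x04, 0xD2, 0x00, 0x35, 0x00, 0x10, 0x00, 0x00]) + b"A" * 8
FRAGS = [Fragment(0x1a2b, 0, True, DATAGRAM[:8]), Fragment(0x1a2b, 8, False, DATAGRAM[8:])]
```

With the per-fragment rule the second fragment is never matched, so a divert or NAT rule on port 53 would act on half of the datagram; the reassembling version decides once, regardless of arrival order.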