From owner-freebsd-hackers Sat Jan 27 4: 7:54 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from ringworld.nanolink.com (pool212-tch-1.Sofia.0rbitel.net [212.95.170.212]) by hub.freebsd.org (Postfix) with SMTP id 863B537B400 for ; Sat, 27 Jan 2001 04:07:33 -0800 (PST)
Received: (qmail 2693 invoked by uid 1000); 27 Jan 2001 12:06:02 -0000
Date: Sat, 27 Jan 2001 14:06:02 +0200
From: Peter Pentchev
To: mouss
Cc: Archie Cobbs , Alwyn Goodloe , hackers@FreeBSD.ORG
Subject: Re: packet redirection design problem [Divert Sockets & Fragmentation revisited]
Message-ID: <20010127140602.B328@ringworld.oblivion.bg>
Mail-Followup-To: mouss , Archie Cobbs , Alwyn Goodloe , hackers@FreeBSD.ORG
References: <200101261843.KAA09789@curve.dellroad.org> <4.3.0.20010126202555.06e24350@pop.free.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.3.0.20010126202555.06e24350@pop.free.fr>; from usebsd@free.fr on Fri, Jan 26, 2001 at 09:00:54PM +0100
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Jan 26, 2001 at 09:00:54PM +0100, mouss wrote:
> "IP filtering engines" that do something to a packet based on rule
> matching have a problem when fragmentation comes into play.
>
> In the case of a "packet redirector" such as divert, the problem is that
> only the first fragment will match the rule, if the rule uses ports or
> whatever info contained in the payload.
>
> The problem occurs if the packet (that should match) is subject to change
> by the engine (either redirection, nat, blocking, ...)
>
> IP Filter handles such situations with specific code.
>
> It would be a nice thing if this is added to standard code so that packet
> filter writers do not need to add their own.
>
> Any opinions?

Hmm, isn't this exactly the issue that's addressed in the Linux kernel by the
'always reassemble the whole packet before processing' config option?
Wouldn't this be good/desired behavior? Or am I on crack - is FreeBSD already
doing this? From this discussion I gather it's not..

G'luck,
Peter

-- 
This sentence no verb.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
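The fragment problem mouss describes and the reassemble-before-filter approach Peter mentions, as an added toy model that is not code from this thread, from FreeBSD, IP Filter or the Linux kernel. It builds a UDP datagram, splits it into IPv4-style fragments (offset field in 8-byte units, MF flag), and compares a port rule applied per fragment against the same rule applied after reassembly. The rule ("divert UDP to port 53"), the fragment sizes and the Reassembler class are all constructed for the example.

```python
"""Toy model: why a port-based filter rule sees only the first IP fragment,
and how reassembling the datagram before filtering gives one verdict for
the whole packet. Constructed example, not production filter code."""
import struct
from dataclasses import dataclass


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int       # IP identification field, shared by all fragments
    proto: int       # 17 = UDP
    offset: int      # fragment offset in 8-byte units, as in the IPv4 header
    more: bool       # MF ("more fragments") flag
    data: bytes      # this fragment's slice of the transport PDU


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """8-byte UDP header (checksum left zero) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src, dst, ident, proto, transport: bytes, frag_payload: int):
    """Split a transport PDU into fragments of frag_payload data bytes each.
    All but the last must be a multiple of 8 bytes because the offset field
    counts 8-byte units."""
    assert frag_payload % 8 == 0
    frags = []
    for off in range(0, len(transport), frag_payload):
        chunk = transport[off:off + frag_payload]
        more = off + frag_payload < len(transport)
        frags.append(Fragment(src, dst, ident, proto, off // 8, more, chunk))
    return frags


def rule_matches(data: bytes):
    """Constructed rule 'divert udp dport 53'. It needs the UDP header, so it
    returns None when the bytes handed to it do not start with one."""
    if len(data) < 8:
        return None
    _sport, dport = struct.unpack("!HH", data[:4])
    return dport == 53


def filter_per_fragment(frags):
    """Naive engine: evaluate the rule on each fragment in isolation. Only the
    fragment at offset 0 carries the transport header, so only it can match;
    the rest are passed untouched, which splits one datagram across two
    paths (diverted vs. not)."""
    return [bool(f.offset == 0 and rule_matches(f.data)) for f in frags]


class Reassembler:
    """Collect fragments keyed by (src, dst, id, proto) and hand back the
    full datagram once every byte from 0 to the end is present. Overlapping
    or duplicate fragments fail the contiguity check and are never
    completed, which is the conservative choice for a filter."""

    def __init__(self):
        self.pending = {}

    def push(self, frag: Fragment):
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][frag.offset * 8] = frag.data
        if not frag.more:                       # last fragment fixes the length
            entry["total"] = frag.offset * 8 + len(frag.data)
        if entry["total"] is None:
            return None
        have = 0
        for start in sorted(entry["parts"]):    # must be gap-free from 0
            if start != have:
                return None
            have = start + len(entry["parts"][start])
        if have != entry["total"]:
            return None
        del self.pending[key]
        return b"".join(entry["parts"][s] for s in sorted(entry["parts"]))


def filter_reassembled(frags):
    """Reassemble-first engine: one (length, verdict) per completed datagram,
    regardless of the order in which fragments arrived."""
    reasm, verdicts = Reassembler(), []
    for f in frags:
        datagram = reasm.push(f)
        if datagram is not None:
            verdicts.append((len(datagram), bool(rule_matches(datagram))))
    return verdicts


def demo():
    # Constructed: a 1508-byte DNS-looking UDP datagram split into 512-byte pieces.
    dgram = build_udp(40000, 53, b"A" * 1500)
    frags = fragment("10.0.0.1", "10.0.0.2", 0x1234, 17, dgram, 512)
    return filter_per_fragment(frags), filter_reassembled(list(reversed(frags)))


if __name__ == "__main__":
    print(demo())   # per-fragment verdicts vs. one verdict after reassembly
```

With per-fragment matching only the first of the three fragments is diverted and the other two slip past the rule, exactly the split mouss describes; after reassembly the engine issues a single verdict for the 1508-byte datagram, even when the fragments arrive in reverse order.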