From owner-freebsd-hackers Sat Jan 27 12:52:25 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from postfix2-2.free.fr (postfix2-2.free.fr [213.228.0.140]) by hub.freebsd.org (Postfix) with ESMTP id E9D7637B69E for ; Sat, 27 Jan 2001 12:51:58 -0800 (PST)
Received: from dades.chilali.net (paris11-nas3-45-84.dial.proxad.net [212.27.45.84]) by postfix2-2.free.fr (Postfix) with SMTP id 711006B747; Sat, 27 Jan 2001 21:51:50 +0100 (CET)
From: mouss
To: Peter Pentchev
Subject: Re: packet redirection design problem [Divert Sockets & Fragmentation revisited]
Date: Sat, 27 Jan 2001 22:36:37 +0100
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
Cc: Archie Cobbs , Alwyn Goodloe , hackers@FreeBSD.ORG
References: <4.3.0.20010126202555.06e24350@pop.free.fr> <20010127140602.B328@ringworld.oblivion.bg>
In-Reply-To: <20010127140602.B328@ringworld.oblivion.bg>
MIME-Version: 1.0
Message-Id: <01012722503600.00529@dades.chilali.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

The "defrag all" feature of Linux solves the discussed problem, but can be
improved. We do not need to defrag the packets. We just need to queue them.
And, when the first frag has been received, we only need to save the
information necessary for filtering (IP header stuff + ports for TCP/UDP and
other things for ICMP or ....)

The algo might be something like:

- if packet is not frag, do as usual and skip the frag stuff
- find packet in fragments list
  - if not found, create a new list
  - if the list contains the infos on the ports (I am restricting myself to
    tcp/udp for simplicity, but any kind of infos may be used), then the
    packet is ready for filtering: the rule may be found and applied to the
    packet. We do not need to queue it.
    * if the packet is the last one, delete the list
    * if frag timeout, delete the list
  - if not, then
    - if packet contains the infos (first frag), then store them and find the
      filtering rule and apply it for all the packets queued in the list.
    - else, queue packet

So the code would be like the reassembly one, except that:

- packets are "delivered" (passed to filters and the rest of ip_input) when
  the first frag is received (I am assuming that the first frag contains the
  infos necessary for filtering).
- to handle next frags, the infos (IP header stuff and ports or so) are still
  kept in the list.

With this method, if fragments come in order, packets are never queued.
(Note that Linux is unfriendly here: it sends frags in reverse order...)

cheers,
mouss

On Sat, 27 Jan 2001, Peter Pentchev wrote:
>
> Hmm isn't this exactly the issue that's addressed in the Linux kernel
> by the 'always reassemble the whole packet before processing' config
> option? Wouldn't this be good/desired behavior?
>
> Or am I on crack - is FreeBSD already doing this? From this discussion
> I gather it's not..
>
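An added example, not part of mouss's message and not FreeBSD's ip_input or ipfw code: a small C model of the queue-until-first-fragment algorithm described above. Fragment lists are keyed on (src, dst, id, proto) as IP reassembly does; non-first fragments are queued until the offset-0 fragment supplies the ports, then the rule is applied to everything queued and to every later fragment without queueing. The names (fragfilter_input, fraglist, lookup_rule), the constructed policy (accept TCP to port 80, deny everything else), the 30-second timeout, the table sizes and the "saw_last" flag are all assumptions of this example.

```c
/* Model of a fragment-aware filter that queues instead of reassembling.
 * Constructed example; not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS    8
#define MAX_QUEUED   16
#define FRAG_TIMEOUT 30L   /* seconds; assumed value */

enum verdict { V_PENDING = 0, V_ACCEPT, V_DENY };

struct pkt {
    uint32_t src, dst;     /* IP addresses, host order */
    uint16_t id;           /* IP identification: groups the fragments */
    uint8_t  proto;        /* 6 = TCP, 17 = UDP */
    uint16_t frag_off;     /* fragment offset; 0 means first fragment */
    bool     more_frags;   /* MF bit; false on the last fragment */
    uint16_t sport, dport; /* only present when frag_off == 0 */
};

struct fraglist {
    bool in_use, have_ports, saw_last;
    uint32_t src, dst;
    uint16_t id;
    uint8_t  proto;
    enum verdict verdict;           /* rule result once first frag seen */
    struct pkt queued[MAX_QUEUED];  /* packets held until the first frag */
    int  nqueued;
    long last_seen;                 /* for the frag timeout */
};

struct fragfilter {
    struct fraglist lists[MAX_FLOWS];
    int delivered;  /* passed on to the rest of input */
    int dropped;    /* discarded by rule, timeout or table pressure */
};

/* Assumed policy: allow TCP to port 80, deny everything else. */
static enum verdict lookup_rule(uint8_t proto, uint16_t dport)
{
    return (proto == 6 && dport == 80) ? V_ACCEPT : V_DENY;
}

static struct fraglist *find_list(struct fragfilter *f, const struct pkt *p, long now)
{
    struct fraglist *freeslot = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct fraglist *l = &f->lists[i];
        if (!l->in_use) { if (!freeslot) freeslot = l; continue; }
        if (l->src == p->src && l->dst == p->dst && l->id == p->id && l->proto == p->proto)
            return l;
    }
    if (!freeslot) return NULL;           /* table full */
    memset(freeslot, 0, sizeof *freeslot);
    freeslot->in_use = true;
    freeslot->src = p->src; freeslot->dst = p->dst;
    freeslot->id = p->id;   freeslot->proto = p->proto;
    freeslot->last_seen = now;
    return freeslot;
}

static void deliver(struct fragfilter *f, enum verdict v)
{
    if (v == V_ACCEPT) f->delivered++; else f->dropped++;
}

/* Verdict for this packet; V_PENDING means it was queued for later. */
enum verdict fragfilter_input(struct fragfilter *f, const struct pkt *p, long now)
{
    if (p->frag_off == 0 && !p->more_frags) {      /* not a fragment */
        enum verdict v = lookup_rule(p->proto, p->dport);
        deliver(f, v);
        return v;
    }
    struct fraglist *l = find_list(f, p, now);
    if (!l) { f->dropped++; return V_DENY; }       /* fail closed */
    l->last_seen = now;
    if (!p->more_frags) l->saw_last = true;
    if (!l->have_ports && p->frag_off == 0) {      /* first frag: decide, flush */
        l->have_ports = true;
        l->verdict = lookup_rule(p->proto, p->dport);
        for (int i = 0; i < l->nqueued; i++) deliver(f, l->verdict);
        l->nqueued = 0;
    }
    if (!l->have_ports) {                           /* no ports yet: queue */
        if (l->nqueued >= MAX_QUEUED) { f->dropped++; return V_DENY; }
        l->queued[l->nqueued++] = *p;
        return V_PENDING;
    }
    enum verdict v = l->verdict;
    deliver(f, v);
    if (l->saw_last) l->in_use = false;            /* last one seen: drop list */
    return v;
}

/* Frag timeout: expire stale lists, dropping whatever was still queued. */
int fragfilter_expire(struct fragfilter *f, long now)
{
    int expired = 0;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct fraglist *l = &f->lists[i];
        if (l->in_use && now - l->last_seen > FRAG_TIMEOUT) {
            f->dropped += l->nqueued;
            l->in_use = false;
            expired++;
        }
    }
    return expired;
}

int main(void)
{
    struct fragfilter f; memset(&f, 0, sizeof f);
    struct pkt first = {1, 2, 100, 6, 0, true, 40000, 80};
    struct pkt last  = {1, 2, 100, 6, 185, false, 0, 0};
    printf("reverse order: last -> %d, first -> %d, delivered=%d\n",
           fragfilter_input(&f, &last, 0), fragfilter_input(&f, &first, 0), f.delivered);
    return 0;
}
```

The saw_last flag covers the reverse-order case the message mentions: when the MF=0 fragment was queued before the first fragment arrived, the list is dropped at the flush rather than waiting for a timeout. The gap left by "delete the list on the last fragment" remains: a middle fragment that arrives after the last one finds no list, creates a new one and sits there until the timeout, which is why the table needs fail-closed behaviour and an expiry pass.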