Date: Wed, 18 Mar 2009 00:12:22 +0100
From: Luigi Rizzo <rizzo@iet.unipi.it>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov <dima_bsd@inbox.lv>, Alex Dupre <ale@FreeBSD.org>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <20090317231222.GD95451@onelab2.iet.unipi.it>
In-Reply-To: <49C026B1.8010108@elischer.org>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com> <20090317190123.GB89417@onelab2.iet.unipi.it> <49C01E08.9050709@oltrelinux.com> <20090317223511.GB95451@onelab2.iet.unipi.it> <49C026B1.8010108@elischer.org>
On Tue, Mar 17, 2009 at 03:39:45PM -0700, Julian Elischer wrote:
...
> >Ok then we may have a plan:
> >
> >what you could do is implement REASS as an action (not as a microinstruction),
> >with the following behaviour:
> >
> >- if the packet is a complete one, the rule behaves as a "count"
> >  (i.e. the firewall continues with the next rule);
> >
> >- if the packet is a fragment and can be reassembled, the rule
> >  behaves as a "count" and the mbuf is replaced with the full packet;
> >
> >- if the packet is a fragment and cannot be reassembled, the
> >  rule behaves as a "drop" (i.e. processing stops)
> >  and the packet is swallowed by ipfw.
> >
> >This seems a useful behaviour, but it must be documented very
> >clearly because it is not completely intuitive. Perhaps we should
> >find a more descriptive name.
>
> So what is the behaviour when you reassemble a 5K packet,
> and then it has to be forwarded out another interface with 1500 MTU.

Good point. One option would be that when REASS is called from the
output path, it always acts as "count" and never calls ip_reass().

Would that work?
The firewall in the output path is called before fragmentation, locally
generated packets are not fragmented, and if you don't want stray fragments
you should have already called "reass" in the inbound path through the
firewall?

cheers
luigi
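The three-case behaviour proposed above for REASS, together with the "always count on the output path" answer, as an added model written for this page (it is not ipfw code; `Frag`, `Reassembler`, the verdict strings and the sample fragments are all constructed here, and offsets are kept in bytes rather than the 8-byte units of the IP header):

```python
from dataclasses import dataclass, field

COUNT, DROP = "count", "drop"   # the two rule outcomes the proposal maps onto

@dataclass
class Frag:
    ident: int      # IP identification: shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (constructed; header uses 8-byte units)
    more: bool      # "more fragments" flag
    payload: bytes

@dataclass
class Reassembler:
    table: dict = field(default_factory=dict)   # ident -> {offset: Frag}

    def reass(self, frag: Frag, outbound: bool = False):
        """Model of the proposed REASS action; returns (verdict, packet_or_None)."""
        if outbound:
            # Output path: behave as "count", never reassemble, so a large
            # datagram is left to ip_output's own fragmentation for the egress MTU.
            return COUNT, frag
        if frag.offset == 0 and not frag.more:
            return COUNT, frag                  # complete datagram: plain "count"
        frags = self.table.setdefault(frag.ident, {})
        frags[frag.offset] = frag               # fragment is swallowed into the table
        last = [f for f in frags.values() if not f.more]
        if not last:
            return DROP, None                   # final fragment not seen yet
        total = last[0].offset + len(last[0].payload)
        data, covered = bytearray(total), 0
        for off in sorted(frags):
            f = frags[off]
            end = off + len(f.payload)
            if off > covered or end > total:
                return DROP, None               # hole before this fragment, or overrun
            data[off:end] = f.payload
            covered = max(covered, end)
        if covered < total:
            return DROP, None
        del self.table[frag.ident]
        # reassembled: the "mbuf" is replaced by the full packet and the rule counts
        return COUNT, Frag(frag.ident, 0, False, bytes(data))

if __name__ == "__main__":
    r = Reassembler()
    # constructed datagram split into three 8-byte fragments, delivered out of order
    for f in (Frag(7, 0, True, b"HELLO, F"), Frag(7, 16, False, b"D WORLD!"),
              Frag(7, 8, True, b"RAGMENTE")):
        print(r.reass(f))
```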