Again sending this issue as no response on original post. As per my understanding if we are supporting ACL on tcp/usp port ranges then ipv4 packets must be reassembled before checking against ACL, then fragmented if required during forwarding. So there are three cases
1) My understanding is wrong then please correct me. 2) We correct this in examples wherever we are supporting access control on udp/tcp ports. 3) We document this clearly. ------------------------------------------------- Below is my original post ------------------------------------------------- Hi All Filtering based on TCP/UDP fields like src/dest port range works correctly only on non-fragmented packets , that means reassembly must be done before packets hit firewall rules table. Also packets must be fragmented before transmission if larger than port mtu. This is unsupported currently, any plans for this in near future? Regards
