On Fri, Jan 26, 2001 at 09:00:54PM +0100, mouss wrote:
> "IP filtering engines" that do something to packet based on rule
> matching have a problem when fragmentation comes to play.
>
> In the case of a "packet redirector" such as divert, the problem is that
> only the first fragment will match the rule, if the rule uses ports or
> whatever info contained in the payload.
>
> The problem occurs if the packet (that should match) is subject to change
> by the engine (either redirection, nat, blocking, ...)
>
> IP Filter handles such situation with specific code.
>
> It would be a nice thing if this is added to standard code so that
> packet filter writers do not need to add their own.
>
> Any opinions?
Hmm isn't this exactly the issue that's addressed in the Linux kernel
by the 'always reassemble the whole packet before processing' config
option? Wouldn't this be good/desired behavior?
Or am I on crack - is FreeBSD already doing this? From this discussion
I gather it's not..
G'luck,
Peter
--
This sentence no verb.
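To illustrate the point raised in the thread, here is an added example (not code from the list, from IP Filter, or from FreeBSD) in Python. It builds a UDP datagram split into IPv4 fragments, shows that a stateless port rule can only match the first fragment because only that one carries the UDP header, and then shows the kind of bookkeeping a fragment-aware filter needs: remember the verdict taken on the first fragment, keyed by (src, dst, proto, IP id), apply it to the remaining fragments, and hold non-first fragments that arrive before the first one. All addresses, ports and the hypothetical `FragmentAwareFilter` class are constructed for the example; a real engine would also expire held state after a timeout, which is omitted here.

```python
import struct
from dataclasses import dataclass


@dataclass
class IPv4Fragment:
    """Minimal model of the IPv4 header fields a filter needs for fragments."""
    src: str
    dst: str
    proto: int
    ident: int            # IP identification, shared by all fragments of one datagram
    more_fragments: bool  # MF flag
    offset: int           # fragment offset in 8-byte units
    payload: bytes


def build_fragments(src, dst, proto, ident, payload, frag_payload=16):
    """Split a transport datagram into fragments of frag_payload bytes (multiple of 8)."""
    assert frag_payload % 8 == 0
    frags = []
    for off in range(0, len(payload), frag_payload):
        chunk = payload[off:off + frag_payload]
        more = off + frag_payload < len(payload)
        frags.append(IPv4Fragment(src, dst, proto, ident, more, off // 8, chunk))
    return frags


def udp_header(sport, dport, length, checksum=0):
    """8-byte UDP header; checksum left zero (constructed test data, not sent on a wire)."""
    return struct.pack("!HHHH", sport, dport, length, checksum)


def naive_port_match(frag, dport):
    """Stateless rule 'UDP to port dport'. Only the first fragment carries the header,
    so every later fragment silently fails to match."""
    if frag.offset != 0 or len(frag.payload) < 8:
        return False
    _, d, _, _ = struct.unpack("!HHHH", frag.payload[:8])
    return d == dport


class FragmentAwareFilter:
    """Hypothetical fragment-aware filter: the verdict on the first fragment is
    applied to all fragments of the same datagram; out-of-order non-first fragments
    are held until the first fragment has been seen."""

    def __init__(self, dport):
        self.dport = dport
        self.verdicts = {}  # datagram key -> bool (rule matched)
        self.pending = {}   # datagram key -> non-first fragments seen before the first

    @staticmethod
    def key(frag):
        return (frag.src, frag.dst, frag.proto, frag.ident)

    def process(self, frag):
        """Return a list of (offset, matched) for every fragment this call decides."""
        k = self.key(frag)
        if frag.offset == 0:
            matched = naive_port_match(frag, self.dport)
            self.verdicts[k] = matched
            decided = [(0, matched)]
            # Release fragments that arrived before the header-bearing one.
            for queued in self.pending.pop(k, []):
                decided.append((queued.offset, matched))
            return decided
        if k in self.verdicts:
            return [(frag.offset, self.verdicts[k])]
        self.pending.setdefault(k, []).append(frag)
        return []  # held: no header seen yet for this datagram


def demo(dport=53, order=None):
    """Compare the stateless rule with the stateful one on a 3-fragment UDP datagram.
    Returns (naive verdicts in arrival order, {offset: stateful verdict})."""
    payload = udp_header(40000, 53, 8 + 40) + b"Q" * 40  # 48 bytes -> offsets 0, 2, 4
    frags = build_fragments("10.0.0.1", "10.0.0.2", 17, 0x1234, payload)
    if order is not None:
        frags = [frags[i] for i in order]
    filt = FragmentAwareFilter(dport)
    naive = [naive_port_match(f, dport) for f in frags]
    stateful = {}
    for f in frags:
        for off, verdict in filt.process(f):
            stateful[off] = verdict
    return naive, stateful


if __name__ == "__main__":
    print("in order:     ", demo())
    print("reversed:     ", demo(order=[2, 1, 0]))
    print("non-matching: ", demo(dport=80))
```

Run as a script, the in-order case shows the stateless rule matching only the first fragment while the stateful filter marks all three; the reversed case shows the two trailing fragments being held and then released with the first fragment's verdict. The held-fragment queue is exactly the state that "packet filter writers" otherwise have to add themselves, and it is also why such code needs limits and timeouts in production.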