Ruslan Ermilov writes:
> I think I have found a bug here.  When the ``divert foo ... udp ...'' rule
> has no destination port specification, everything works as documented, i.e.
> all fragments are reassembled and get diverted to the divert(4) to port
> ``foo''.  If I add the destination port specification, only the first
> (offset zero) fragment gets diverted:

Yep.. diversion happens before reassembly, but diverted packets
are only delivered after reassembly.

So if not all of the fragments are diverted, the packet is lost
because only an incomplete portion of it gets diverted.

To "fix" this bug would require reassembling *all* (or a large
portion of the) packets passing through the kernel, which is probably
not a win.  A workaround is to match conservatively (i.e., match
all udp packets) and have the userland code just reinject any
false positives.

-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
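
The workaround described in the message above, sketched as an added example (not code from the original post or from FreeBSD): the ipfw rule is assumed to divert all UDP, and the userland daemon applies the port test to each reassembled datagram, reinjecting everything else. The function names, the port number and the sample packet are constructed for illustration; the divert(4) socket I/O itself is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { REINJECT = 0, HANDLE = 1 };

/* Decide what to do with one IPv4 datagram read from the divert socket.
 * The (assumed) ipfw rule matches all UDP, so the port test happens here,
 * on the reassembled datagram, where the UDP header is always present. */
enum verdict classify(const uint8_t *pkt, size_t len, uint16_t want_port)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return REINJECT;                       /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 8)
        return REINJECT;                       /* truncated or malformed */
    if (pkt[9] != 17)
        return REINJECT;                       /* not UDP */
    /* MF flag (0x2000) or nonzero offset (0x1fff): a bare fragment.
     * Only offset zero carries ports, so never guess; pass it back. */
    if ((((unsigned)pkt[6] << 8) | pkt[7]) & 0x3fff)
        return REINJECT;
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return dport == want_port ? HANDLE : REINJECT;
}

/* Constructed sample: minimal 28-byte IPv4+UDP datagram, empty payload. */
size_t build_udp(uint8_t *buf, uint16_t dport, uint16_t frag_field)
{
    memset(buf, 0, 28);
    buf[0] = 0x45;  buf[3] = 28;               /* v4, IHL 5, total len 28 */
    buf[6] = (uint8_t)(frag_field >> 8);  buf[7] = (uint8_t)frag_field;
    buf[8] = 64;    buf[9] = 17;               /* TTL, protocol UDP */
    buf[22] = (uint8_t)(dport >> 8);  buf[23] = (uint8_t)dport;
    buf[25] = 8;                               /* UDP length: header only */
    return 28;
}

int main(void)
{
    uint8_t b[28];
    size_t n = build_udp(b, 5000, 0);
    printf("port 5000: %s\n", classify(b, n, 5000) ? "handle" : "reinject");
    n = build_udp(b, 53, 0);
    printf("port 53:   %s\n", classify(b, n, 5000) ? "handle" : "reinject");
    return 0;
}
```

Anything `classify` marks `REINJECT` is written back to the divert socket unchanged, so the broad rule costs a userland round trip but never drops part of a datagram.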

