On Mon, Jan 29, 2001 at 09:44:07AM -0800, Archie Cobbs wrote:
> Ruslan Ermilov writes:
> > I think I have found a bug here. When the ``divert foo ... udp ...'' rule
> > has no destination port specification, everything works as documented, i.e.
> > all fragments are reassembled and get diverted to the divert(4) port
> > ``foo''. If I add the destination port specification, only the first
> > (offset zero) fragment gets diverted:
>
> Yep.. diversion happens before reassembly, but diverted packets
> are only delivered after reassembly.
>
> So if not all of the fragments are diverted, the packet is lost
> because only an incomplete portion of it gets diverted.
>
> To "fix" this bug would require reassembling *all* (or a large
> portion of the) packets passing through the kernel, which is probably
> not a win. A workaround is to match conservatively (i.e., match
> all udp packets) and have the userland code just reinject any
> false positives.
>
Or add ``divert same-port udp from any to any frag''...

Cheers,
--
Ruslan Ermilov Oracle Developer/DBA,
[EMAIL PROTECTED] Sunbay Software AG,
[EMAIL PROTECTED] FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
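
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified model of per-fragment rule matching, run over a constructed three-fragment UDP datagram. The addresses, ports, and the `rule_matches` / `diverted_offsets` helpers are assumptions for illustration, not ipfw code.

```python
import struct

def ipv4_fragment(payload, offset, more):
    """Constructed IPv4 fragment: documentation addresses, checksum left at 0."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def make_fragments(dport=5000, chunk=16):
    """One UDP datagram (8-byte header + 32 data bytes) split into 16-byte fragments."""
    udp = struct.pack("!HHHH", 4000, dport, 8 + 32, 0) + bytes(32)
    return [ipv4_fragment(udp[i:i + chunk], i, i + chunk < len(udp))
            for i in range(0, len(udp), chunk)]

def rule_matches(pkt, dst_port=None, frag=False):
    """Simplified model of a 'udp from any to any [port] [frag]' rule (assumption)."""
    ihl = (pkt[0] & 0x0F) * 4
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] != 17:                      # not UDP
        return False
    if frag and offset == 0:              # 'frag': non-first fragments only
        return False
    if dst_port is not None:
        if offset != 0:                   # no UDP header here, so no port to compare
            return False
        if struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != dst_port:
            return False
    return True

def diverted_offsets(rules, frags):
    """Byte offsets of the fragments that at least one divert rule would match."""
    return [(struct.unpack("!H", p[6:8])[0] & 0x1FFF) * 8
            for p in frags if any(rule_matches(p, **r) for r in rules)]

if __name__ == "__main__":
    frags = make_fragments()
    cases = {
        "udp, no port":        [{}],
        "udp, dst port 5000":  [{"dst_port": 5000}],
        "port rule plus frag": [{"dst_port": 5000}, {"frag": True}],
    }
    for name, rules in cases.items():
        got = diverted_offsets(rules, frags)
        state = "complete" if len(got) == len(frags) else "incomplete, datagram lost"
        print(f"{name:22s} diverted offsets {got} -> {state}")
```

The `frag` rule in this model also matches non-first fragments of UDP datagrams sent to other ports, so the userland program still has to reinject those.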