On Wed, Apr 05, 2006 at 02:41:09PM +0200, Max Laier wrote:
> The other big problem that just crossed my mind: Reassembly in the bridge
> path!? It doesn't look like the current bridge code on either OS is ready to
> deal with packets > MTU coming out of the filter. The question here is
> probably how much IP processing we want to do in the bridge code?
OpenBSD's bridge does, see bridge_fragment(). IIRC, we slightly adjusted
ip_fragment() so it could be called from there, and not too much code
had to be duplicated.
if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
bridge_fragment(sc, dst_if, &eh, m);
else {
...
bridge_ifenqueue(sc, dst_if, m);
...
}
bridge_fragment()
error = ip_fragment(m, ifp, ifp->if_mtu);
if (error) {
m = NULL;
goto dropit;
}
for (; m; m = m0) {
m0 = m->m_nextpkt;
m->m_nextpkt = NULL;
...
error = bridge_ifenqueue(sc, ifp, m);
...
}
That's one more layer violation in bridge, but stateful filtering
basically requires fragment reassembly, at least in general.
Daniel
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
