> >I think that a patch like the one you propose is very useful (for
> >ipv4 as well) but it requires a sysctl or other mechanism to make
> >sure that when it is enabled we don't pass fragments through the
> >firewall.
>
> i've looked further into this and I now wonder if is a byproduct of my
> u
Is there any particular reason why reassembled packets were not
checked? If the answer is no, I'll send in a PR.
I think it was just a random decision -- either pass packets to
the firewall before reassembly as we do, or after reassembly, as
linux does. Both have pros and cons.
Going through th
On Tue, Apr 13, 2010 at 01:57:01PM +1200, Matthew Luckie wrote:
> Hi
>
> Reassembled packets are not passed to the packet filter interface for
> both IPv4 and IPv6, so a firewall has no effect if the packets arrive
> in fragments. Here is a patch to fix this for IPv6. The patch for
> IPv4 is sim
Hi
Reassembled packets are not passed to the packet filter interface for
both IPv4 and IPv6, so a firewall has no effect if the packets arrive
in fragments. Here is a patch to fix this for IPv6. The patch for
IPv4 is similarly trivial, but I have not written / tested it yet.
Is there any partic
