Luigi Rizzo wrote:
On Tue, Mar 17, 2009 at 11:02:48PM +0100, Paolo Pisati wrote:
Luigi Rizzo wrote:
Thinking more about it, i believe that calling reass as an explicit
firewall action is useless, because if ip_reass fails due to lack of
all fragments you are back to square one:
        what do I do with this fragment ?
AFAIK ip_reass() never fails: if it's the last fragment it reassembles the packet and returns it, else it queues the fragment for later reassembly.

Ok then we may have a plan:

What you could do is implement REASS as an action (not as a microinstruction),
with the following behaviour:

- if the packet is a complete one, the rule behaves as a "count"
  (i.e. the firewall continues with the next rule);

- if the packet is a fragment and can be reassembled, the rule
  behaves as a "count" and the mbuf is replaced with the full packet;

- if the packet is a fragment and cannot be reassembled, the
  rule behaves as a "drop" (i.e. processing stops)
  and the packet is swallowed by ipfw.

This seems a useful behaviour, but it must be documented very
clearly because it is not completely intuitive. Perhaps we should
find a more descriptive name.

So what is the behaviour when you reassemble a 5K packet,
and then it has to be forwarded out another interface with 1500 MTU?

Good progress!

        cheers
        luigi
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
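As an added illustration (not code from the thread, nor from ipfw or ip_reass() itself), here is a small C model of the three-way behaviour Luigi proposes for the action, with the egress re-fragmentation his MTU question raises; the packet structure, the toy table and every function name are this example's own assumptions, and the table ignores overlapping or duplicate fragments that a real reassembler must check.

```c
#include <stdint.h>
#include <stdbool.h>
/* Rule outcome as proposed in the thread: "count" (fall through), "count" with
 * the mbuf replaced by the whole datagram, or "drop" (fragment swallowed). */
enum reass_result { REASS_CONTINUE, REASS_REPLACE, REASS_SWALLOW };

/* Minimal IPv4 packet model (names are this example's, not ipfw's): flow key,
 * fragment offset and length in payload bytes, MF flag. */
struct pkt { uint32_t src, dst; uint16_t id; uint8_t proto; uint32_t off, len; bool mf; };

/* Toy stand-in for ip_reass()'s queues; assumes non-overlapping, non-duplicate
 * fragments, which a real reassembler must check. */
#define MAX_REASS 8
struct reass_entry { struct pkt key; uint32_t got, total; bool used; };
static struct reass_entry tbl[MAX_REASS];

static int slot_for(const struct pkt *p)          /* -1 when nothing can be queued */
{
    int free_i = -1;
    for (int i = 0; i < MAX_REASS; i++) {
        if (!tbl[i].used) { free_i = i; continue; }
        if (tbl[i].key.src == p->src && tbl[i].key.dst == p->dst &&
            tbl[i].key.id == p->id && tbl[i].key.proto == p->proto) return i;
    }
    if (free_i >= 0) tbl[free_i] = (struct reass_entry){ *p, 0, 0, true };
    return free_i;
}

/* The proposed action.  On REASS_REPLACE, *full_len is the payload length of
 * the reassembled datagram that would replace the mbuf. */
enum reass_result reass_action(const struct pkt *p, uint32_t *full_len)
{
    if (p->off == 0 && !p->mf) { *full_len = p->len; return REASS_CONTINUE; }
    int i = slot_for(p);
    if (i < 0) return REASS_SWALLOW;                /* cannot queue: same as cannot reassemble */
    tbl[i].got += p->len;
    if (!p->mf) tbl[i].total = p->off + p->len;     /* last fragment fixes the total size */
    if (tbl[i].total && tbl[i].got == tbl[i].total) {
        *full_len = tbl[i].total; tbl[i].used = false; return REASS_REPLACE;
    }
    return REASS_SWALLOW;                           /* queued; rule behaves like "drop" */
}

/* Luigi's follow-up: a reassembled datagram wider than the egress MTU must be
 * fragmented again on output (20-byte header, 8-byte-aligned fragment payloads). */
unsigned egress_fragments(uint32_t payload_len, uint32_t mtu)
{
    uint32_t per = (mtu - 20) & ~7u;
    return (payload_len + per - 1) / per;
}
```

Feeding the three fragments of one datagram through reass_action() yields two swallows and then a replace carrying the full payload length, which egress_fragments() then splits again for a 1500-byte MTU.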