On Fri, Jan 26, 2001 at 09:00:54PM +0100, mouss wrote:
The "defrag all" feature of Linux solves the discussed problem, but can be
improved. We do not need to defrag the packets. We just need to queue them,
and, when the first frag has been received, we only need to save the
information necessary for filtering (IP header stuff + ports for TCP/UDP and
"IP filtering engines" that do something to a packet based on rule
matching have a problem when fragmentation comes into play.
In the case of a "packet redirector" such as divert, the problem is that
only the first fragment will match the rule, if the rule uses ports or
whatever info contained in