"IP filtering engines" that do something to a packet based on rule
matching have a problem when fragmentation comes into play.

In the case of a "packet redirector" such as divert, the problem is that
only the first fragment will match the rule, if the rule uses ports or
whatever other info is contained in the payload.

The problem occurs if the packet (that should match) is subject to change
by the engine (either redirection, NAT, blocking, ...).

IP Filter handles such a situation with specific code.
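As an added illustration (this is not code from this post, from FreeBSD, or from IP Filter): a small C model of a port-based redirect rule applied to the three fragments of one TCP datagram. The naive engine matches each fragment on its own, so only the first fragment (the one carrying the TCP header) hits the rule and the other two slip through unchanged. The fragment-aware engine caches the first fragment's verdict keyed on (src, dst, protocol, IP id) and applies it to the following fragments, dropping the cache entry when the last fragment (MF clear) is seen. The rule, the function names, the cache layout and the packet bytes are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of fragment handling in a port-based packet filter. */
enum verdict { PASS = 0, REDIRECT = 1 };

struct pkt {
    uint32_t src, dst;      /* addresses in host byte order */
    uint8_t  proto;         /* 6 = TCP, 17 = UDP */
    uint16_t id;            /* IP identification, shared by all fragments */
    uint16_t frag_off;      /* fragment offset in 8-byte units */
    bool     more_frags;    /* MF flag */
    bool     has_ports;     /* transport header present: first fragment only */
    uint16_t sport, dport;
};

static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }
static uint32_t be32(const uint8_t *b) { return ((uint32_t)be16(b) << 16) | be16(b + 2); }

/* Parse just enough of an IPv4 header (plus transport ports) for rule matching. */
static bool parse_ipv4(const uint8_t *buf, size_t len, struct pkt *p)
{
    if (len < 20 || (buf[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return false;
    memset(p, 0, sizeof *p);
    uint16_t fo = be16(buf + 6);
    p->id = be16(buf + 4);
    p->more_frags = (fo & 0x2000) != 0;
    p->frag_off = fo & 0x1fff;
    p->proto = buf[9];
    p->src = be32(buf + 12);
    p->dst = be32(buf + 16);
    /* Ports live in the payload, so only the first fragment carries them. */
    if (p->frag_off == 0 && (p->proto == 6 || p->proto == 17) && len >= ihl + 4) {
        p->sport = be16(buf + ihl);
        p->dport = be16(buf + ihl + 2);
        p->has_ports = true;
    }
    return true;
}

/* The (constructed) rule: redirect TCP traffic destined to port 80. */
static enum verdict match_rule(const struct pkt *p)
{
    return (p->has_ports && p->proto == 6 && p->dport == 80) ? REDIRECT : PASS;
}

/* Naive engine: every fragment is matched alone, so only the first one hits. */
static enum verdict naive_filter(const uint8_t *buf, size_t len)
{
    struct pkt p;
    if (!parse_ipv4(buf, len, &p)) return PASS;
    return match_rule(&p);
}

/* Fragment-aware engine: remember the first fragment's verdict per datagram. */
#define FRAG_SLOTS 16
struct frag_entry { bool used; uint32_t src, dst; uint8_t proto; uint16_t id; enum verdict v; };
static struct frag_entry frag_cache[FRAG_SLOTS];

static struct frag_entry *frag_lookup(const struct pkt *p, bool alloc)
{
    struct frag_entry *free_slot = NULL;
    for (int i = 0; i < FRAG_SLOTS; i++) {
        struct frag_entry *e = &frag_cache[i];
        if (e->used && e->src == p->src && e->dst == p->dst &&
            e->proto == p->proto && e->id == p->id) return e;
        if (!e->used && !free_slot) free_slot = e;
    }
    if (!alloc || !free_slot) return NULL;   /* table full: caller treats as unknown */
    free_slot->used = true; free_slot->src = p->src; free_slot->dst = p->dst;
    free_slot->proto = p->proto; free_slot->id = p->id;
    return free_slot;
}

static enum verdict aware_filter(const uint8_t *buf, size_t len)
{
    struct pkt p;
    if (!parse_ipv4(buf, len, &p)) return PASS;
    if (p.frag_off == 0) {
        enum verdict v = match_rule(&p);
        if (p.more_frags) {                  /* first of several: record the verdict */
            struct frag_entry *e = frag_lookup(&p, true);
            if (e) e->v = v;
        }
        return v;
    }
    struct frag_entry *e = frag_lookup(&p, false);
    if (!e) return PASS;                     /* no first fragment seen: nothing to match */
    enum verdict v = e->v;
    if (!p.more_frags) e->used = false;      /* last fragment: release the entry */
    return v;
}

/* Build a constructed 24-byte IPv4 fragment (192.168.1.10 -> 10.0.0.5, TCP). */
static size_t build_frag(uint8_t *out, uint16_t id, uint16_t off8, bool mf, bool with_tcp_hdr)
{
    memset(out, 0, 24);
    out[0] = 0x45;                                       /* IPv4, 20-byte header */
    out[4] = (uint8_t)(id >> 8); out[5] = (uint8_t)id;
    uint16_t fo = (uint16_t)((mf ? 0x2000 : 0) | (off8 & 0x1fff));
    out[6] = (uint8_t)(fo >> 8); out[7] = (uint8_t)fo;
    out[8] = 64; out[9] = 6;                             /* TTL, protocol TCP */
    memcpy(out + 12, "\xc0\xa8\x01\x0a", 4);
    memcpy(out + 16, "\x0a\x00\x00\x05", 4);
    if (with_tcp_hdr) { out[20] = 0xc3; out[21] = 0x50;  /* sport 50000 */
                        out[22] = 0x00; out[23] = 0x50; } /* dport 80 */
    return 24;
}

int main(void)
{
    uint8_t f[3][24];
    size_t n0 = build_frag(f[0], 0x1234, 0, true, true);
    size_t n1 = build_frag(f[1], 0x1234, 185, true, false);
    size_t n2 = build_frag(f[2], 0x1234, 370, false, false);
    printf("naive: %d %d %d\n", naive_filter(f[0], n0), naive_filter(f[1], n1), naive_filter(f[2], n2));
    printf("aware: %d %d %d\n", aware_filter(f[0], n0), aware_filter(f[1], n1), aware_filter(f[2], n2));
    return 0;
}
```

The cache is keyed on the same tuple every fragment of a datagram shares; a real implementation would also expire entries on a timer, since the last fragment may never arrive.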

It would be a nice thing if this were added to the standard code so that packet
filter writers do not need to add their own.

Any opinions?



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message