--- Comment #2 from Helge Oldach <> ---
(In reply to Mark Felder from comment #1)
Tested and works.

However the reass should come *before* the check-state as fragments (except the
first) don't include protocol and port numbers and thus cannot match
check-state anyway. We need to reassemble first, then check-state will do the
right thing. (It doesn't harm to implement as proposed, but we may save a few
cycles if we reass first.)

Furthermore, along the same line we should not only reassemble UDP but any IP
packet (including IPv6), which is also suggested by ipfw(8) manpage:

             Usually a simple rule like:

                   # reassemble incoming fragments
                   ipfw add reass all from any to any in

             is all you need at the beginning of your ruleset.

You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to