--On Wednesday, December 22, 2004 21:24:01 +1100 Darren Reed <[EMAIL PROTECTED]> wrote:
> There isn't. The problem is with Linux (2.4?) & fragmentation of IP packets.
No, it isn't. The problem is that ipfilter cannot handle out-of-order fragments. It happens that Linux always emits fragments out-of-order, but there are _many_ things that can cause fragment re-ordering. So Linux always fails, other systems only sometimes fail.
Whether you consider this a bug or an RFE is up to you, but it's ipfilter's problem. That doesn't mean that emitting fragments backward wasn't a monumentally stupid idea on the part of the Linux developers.
There are at least 2 ways to fix this:
- Pass all non-initial IP fragments with an offset > x (where x is sufficiently large to not overwrite the header). Optionally, verify that it is _possible_ for the fragment to be valid (without the protocol/port info, all you have to go on is src IP / dst IP). I believe that Darren already posted a patch that does something like this.
- Buffer fragments until enough information exists to make a pass/drop decision. This is much harder to do correctly, but is worth it in some environments.
-- Carson
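Added example, not code from the thread or from ipfilter: a toy stateful fragment filter in Python showing why a filter that only learns a datagram's verdict from its initial fragment fails on reverse-order fragments, alongside the two fixes Carson lists (pass non-initial fragments past a safe offset, or hold them until the initial fragment arrives). The rule set (UDP to port 53 only), the value of "x" (60 bytes, the maximum IPv4 header length) and the constructed packets are assumptions for illustration.

```python
import struct

ALLOW_PORTS = {53}    # assumption: the toy rule set permits only UDP to port 53
SAFE_OFFSET = 60      # assumption for the post's 'x': max IPv4 header length in bytes

def parse(pkt):
    """Return (flow key, offset in bytes, proto, dst port or None) from a raw IPv4 fragment."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    off = (flags_off & 0x1FFF) * 8                  # low 13 bits, in 8-byte units
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if off == 0 else None
    return (src, dst, ident), off, proto, dport

def filter_stream(frags, mode):
    """Apply the rule set to fragments in arrival order; mode is 'naive', 'offset' or 'buffer'."""
    passed, held, out = set(), {}, []
    for pkt in frags:
        key, off, proto, dport = parse(pkt)
        if off == 0:                                # initial fragment: the only one carrying ports
            verdict = "pass" if proto == 17 and dport in ALLOW_PORTS else "drop"
            if verdict == "pass":
                passed.add(key)
            out.append((off, verdict))
            for h_off in held.pop(key, []):         # 'buffer': release fragments held before it
                out.append((h_off, verdict))
        elif key in passed:                         # later fragment of an already-accepted datagram
            out.append((off, "pass"))
        elif mode == "offset" and off > SAFE_OFFSET:
            out.append((off, "pass"))               # cannot overwrite the transport header
        elif mode == "buffer":
            held.setdefault(key, []).append(off)    # wait for the initial fragment
        else:
            out.append((off, "drop"))               # naive: header never seen, so drop
    return out

def mk(ident, off8, more, dport, size):
    """Constructed IPv4/UDP fragment: 20-byte header plus `size` payload bytes."""
    if off8 == 0:
        payload = struct.pack("!HHHH", 40000, dport, 8 + size, 0) + b"\0" * (size - 8)
    else:
        payload = b"\1" * size
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + size, ident, (0x2000 if more else 0) | off8,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# constructed: one 192-byte UDP datagram to port 53 split into three 64-byte fragments
DNS_IN_ORDER = [mk(7, 0, True, 53, 64), mk(7, 8, True, 53, 64), mk(7, 16, False, 53, 64)]
DNS_REVERSED = list(reversed(DNS_IN_ORDER))      # the order the post says Linux emits
WEB_REVERSED = list(reversed([mk(9, 0, True, 80, 64), mk(9, 8, True, 80, 64), mk(9, 16, False, 80, 64)]))

if __name__ == "__main__":
    for mode in ("naive", "offset", "buffer"):
        print(mode, filter_stream(DNS_REVERSED, mode), filter_stream(WEB_REVERSED, mode))
```

Running it shows the trade-off the post describes: 'offset' mode passes the tail fragments of the denied port-80 datagram too, since without the initial fragment only src/dst are known, while 'buffer' mode gets every verdict right at the cost of holding state.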
