Hi,

The 'current version' source downloadable from http://coombs.anu.edu.au/~avalon/ gives a version of ipfilter in which, by default, any packet fragments beyond the first are dropped with BAD-IN status. I understand this is a result of a fix made due to a kernel panic that was reported here: http://marc.info/?l=ipfilter&m=121267676118062&w=2

The kernel panic is patched into 4.1.31. However, the patch that was to solve dropping subsequent fragments was only posted in the mailing list (same post as above, as 'mypatch.txt') but not patched into the trunk. I applied this patch manually and it solved the problem.

My question is, shouldn't this patch be in the main trunk? It seems to me that having ipfilter drop packet fragments by default is an undesirable behavior.

Regards,
Oren K.
