[prev in list] [next in list] [prev in thread] [next in thread] 

List:       dpdk-users
Subject:    [dpdk-users] ip_pipeline firewall : fragmented ipv4 packets handling
From:       Shyam Shrivastav <shrivastav.shyam () gmail ! com>
Date:       2017-03-17 5:53:15
Message-ID: CAGSp03kNzs_oiaQ4faqEyMAh=iWZx+9U+Bfzg6jUyS9YRO_koA () mail ! gmail ! com
[Download RAW message or body]

Again sending this issue as no response on original post. As per my
understanding if we are supporting ACL on tcp/usp port ranges then ipv4
packets must be reassembled before  checking against ACL, then fragmented
if required during forwarding. So there are three cases

1) My understanding is wrong then please correct me.
2) We correct this in examples wherever we are supporting access control on
udp/tcp ports.
3) We document this clearly.


-------------------------------------------------
Below is my original post

-------------------------------------------------
Hi All

Filtering based on TCP/UDP fields like src/dest port range works correctly
only on non-fragmented packets , that means reassembly must be done before
packets hit firewall rules table. Also  packets must be fragmented before
transmission if larger than port mtu. This is unsupported currently, any
plans for this in near future?

Regards
[prev in list] [next in list] [prev in thread] [next in thread]