
List:       ipfilter
Subject:    Re: ipfilter dropping udp fragments
From:       Hans Werner Strube <strube () physik3 ! gwdg ! de>
Date:       2005-12-02 8:06:28
Message-ID: 200512020806.JAA04782 () r2d2 ! physik3 ! gwdg ! de

Erik Huizing wrote:
>     I'm having trouble getting ipfilter to allow udp fragments. One of 
> our services uses rather large udp packets ( > 16 K), parts of which are 
> being blocked with our rule set. I've got
> 
>     pass in quick proto udp from any to any port = 3939 keep state keep 
> frags
> 
> but when a transaction happens, I still end up seeing blocked udp traffic:
> 
> Dec  1 08:12:56 mg5.et ipmon[112]: [ID 702911 local0.warning] 
> 08:12:55.602065 bge0 @0:17 b a.b.c.d -> x.y.z.w PR udp len 20 (820) 
> (frag 39533:800@7400) IN

AFAIK ipfilter can handle UDP packets by "keep frags" only if the fragments
arrive in their natural sequence. For instance, with some older Linux NFS
servers, the NFS fragments are sent in reverse sequence.
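As an added example (not code from the thread), a small Python parser for ipmon lines in the layout quoted in the question. It groups fragments by IP id and reports whether their offsets arrived ascending from 0, the natural sequence the reply says "keep frags" relies on, plus how many were blocked. The log lines are constructed after the one in the question (addresses and ports are placeholders), and tolerating a "+" more-fragments marker after the offset is an assumption about ipmon's output.

```python
import re
from collections import defaultdict

# Matches ipmon lines that carry a fragment field, in the layout quoted in the question:
#   <time> <if> @<group:rule> <b|p> <src> -> <dst> PR <proto> ... (frag ID:LEN@OFFSET)
# Accepting an optional "+" after OFFSET is an assumption, not something shown in the thread.
IPMON_FRAG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<ifname>\S+)\s+@(?P<rule>\S+)\s+"
    r"(?P<action>[bp])\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\w+)"
    r".*?\(frag\s+(?P<frag_id>\d+):(?P<frag_len>\d+)@(?P<offset>\d+)\+?\)"
)

def parse_ipmon_line(line):
    """Return the parsed fields of one ipmon fragment line, or None if it is not one."""
    m = IPMON_FRAG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("frag_id", "frag_len", "offset"):
        rec[key] = int(rec[key])
    # Only the first fragment carries UDP ports ("host,port"); split them off so that
    # every fragment of one datagram shares the same host pair.
    rec["src"], _, rec["sport"] = rec["src"].partition(",")
    rec["dst"], _, rec["dport"] = rec["dst"].partition(",")
    return rec

def fragment_arrival_order(lines):
    """Per (src, dst, IP id): offsets in arrival order, whether they arrived ascending
    from 0, and how many fragments ipfilter blocked."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is not None:
            groups[(rec["src"], rec["dst"], rec["frag_id"])].append(rec)
    report = {}
    for key, frags in groups.items():
        offsets = [f["offset"] for f in frags]
        report[key] = {
            "offsets": offsets,
            "in_order": offsets[0] == 0 and offsets == sorted(offsets),
            "blocked": sum(1 for f in frags if f["action"] == "b"),
        }
    return report

# Constructed sample: the blocked line from the question plus two made-up fragments of the
# same datagram, arriving in reverse (offset 0 last). Addresses and ports are placeholders.
SAMPLE_LOG = """\
08:12:55.602065 bge0 @0:17 b a.b.c.d -> x.y.z.w PR udp len 20 (820) (frag 39533:800@7400) IN
08:12:55.602101 bge0 @0:17 b a.b.c.d -> x.y.z.w PR udp len 20 (820) (frag 39533:800@6600) IN
08:12:55.602140 bge0 @0:3 p a.b.c.d,40000 -> x.y.z.w,3939 PR udp len 20 (820) (frag 39533:800@0+) IN
"""
```

Feeding the same lines in reverse order makes `in_order` true for the datagram, which is the arrival sequence the reply describes as the one ipfilter copes with.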
