Re: firewall hooks and fragmentation in 2.0.3x

Philip Gladstone (philip@raptor.com)
Thu, 12 Jun 1997 09:28:15 -0400


Alan Cox wrote:
>
> > Each IP datagram goes through the output INET firewall code
> > exactly once. Fragmentation happens *after* the output code has
> > said 'YES'. Further, the whole output datagram will be provided
>
> Doesn't work like that and it won't work like that. We don't gain anything
> by such a rule but we lose performance. The kernel doesn't build a complete
> packet for many code paths, it's building bits and sending some before it's even
> thought about the rest of the packet.

You are entirely right -- it doesn't work like that. I claim that for any
security 'feature' it is important to be able to specify how it works. In this
case, I suspect that there is no specification for when and how often which
bits of IP datagrams are filtered. Further, I suspect that it changes from
OS revision to OS revision.

Is it possible to fix on how it *ought* to work, and then document it? Then
any code alignment can be done.

Philip

-- 
Philip Gladstone                           +1 617 487 7700
Raptor Systems, Waltham, MA         http://www.raptor.com/