[ovs-dev] [PATCH v4 2/2] TCP flags matching support.

Jarno Rajahalme jrajahalme at nicira.com
Wed Oct 9 21:57:55 UTC 2013


On Oct 8, 2013, at 5:13 PM, Ben Pfaff <blp at nicira.com> wrote:

> The issue is not the minimum Ethernet frame size but the minimum IP
> fragment size.  IP fragments are 8-byte aligned and a multiple of 8
> bytes in length.  One way to implement a simple firewall that handles
> fragments properly is to pass all "later" fragments (those with an
> offset greater than 0) and drop "first" fragments (those with an
> offset of 0) for disallowed IP/port combinations.  Then one cannot
> usefully evade the firewall: the "later" fragments pass the firewall,
> but the destination host cannot reassemble them into full IP datagrams
> and will eventually drop them because it never gets the first
> fragment.
> 
> One might naturally want to include TCP flags in such a check, but
> those would not necessarily be in the first fragment.


It seems the current kernel code will parse the port numbers only if the
whole TCP header is in the first fragment. For this to be safe in the above
scenario, the first fragments filter should always filter out zero ports, as
they are indistinguishable from missing ports.

Assuming we keep this behavior, the TCP flags will be there as well.
And since all-zero TCP flags seem illegal, the TCP flags field would help
in distinguishing missing TCP header from one with zero,zero port pair.

  Jarno

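As an added example (not OVS code, and not something either author posted), the fragment-aware check described above in plain C: the parser extracts the L4 ports and flags only when the whole TCP header sits in the first fragment, later fragments (offset != 0) are passed through, and a first fragment whose key shows a 0/0 port pair with all-zero flags is treated as "header missing" and dropped. The packets, the `build_ipv4_tcp` helper, the `flow_key` struct and the `firewall` policy are all constructed for this example; treating zero flags as "no TCP header present" follows the thread's assumption that a real header never carries all-zero flags.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical flow key, modelled loosely on what a kernel classifier would
 * extract. A missing TCP header leaves ports and flags at zero. */
struct flow_key {
    uint8_t  proto;
    bool     later_frag;       /* fragment offset != 0 */
    bool     tcp_hdr_present;  /* whole 20-byte TCP header was in this fragment */
    uint16_t src_port, dst_port;
    uint8_t  tcp_flags;        /* CWR ECE URG ACK PSH RST SYN FIN (byte 13) */
};

enum verdict { DROP = 0, PASS = 1 };

/* Build a raw IPv4 packet (no Ethernet header) in buf; tcp_bytes says how many
 * bytes of the TCP header/payload to emit after the 20-byte IP header.
 * Constructed test data, not a capture. Returns total length. */
static size_t build_ipv4_tcp(uint8_t *buf, uint16_t frag_off_units, bool mf,
                             uint16_t sport, uint16_t dport, uint8_t flags,
                             size_t tcp_bytes)
{
    uint8_t tcp[20] = {0};
    uint16_t total = (uint16_t)(20 + tcp_bytes);
    uint16_t fo = (uint16_t)((mf ? 0x2000 : 0) | (frag_off_units & 0x1fff));

    memset(buf, 0, total);
    buf[0] = 0x45;                         /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(fo >> 8);    buf[7] = (uint8_t)fo;
    buf[8] = 64;                           /* TTL */
    buf[9] = 6;                            /* protocol: TCP */

    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 5 << 4;                      /* data offset: 5 words */
    tcp[13] = flags;
    memcpy(buf + 20, tcp, tcp_bytes < 20 ? tcp_bytes : 20);
    return total;
}

/* Parse an IPv4 packet into the key. L4 fields are filled only for a
 * first fragment (offset 0) that carries the complete TCP header. */
static bool parse_ipv4_tcp(const uint8_t *pkt, size_t len, struct flow_key *k)
{
    memset(k, 0, sizeof *k);
    if (len < 20 || (pkt[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return false;

    uint16_t fo_field = (uint16_t)((pkt[6] << 8) | pkt[7]);
    k->later_frag = (fo_field & 0x1fff) != 0;
    k->proto = pkt[9];
    if (k->proto != 6 || k->later_frag) return true;   /* no L4 parse */
    if (len - ihl < 20) return true;                  /* header incomplete: ports/flags stay 0 */

    const uint8_t *tcp = pkt + ihl;
    k->src_port  = (uint16_t)((tcp[0] << 8) | tcp[1]);
    k->dst_port  = (uint16_t)((tcp[2] << 8) | tcp[3]);
    k->tcp_flags = tcp[13];
    k->tcp_hdr_present = true;
    return true;
}

/* Policy: allow TCP to allowed_dport. Later fragments pass on their own (they
 * cannot be reassembled without the first one). A first fragment with a 0/0
 * port pair and zero flags is indistinguishable from a missing header and is
 * dropped; a genuine header with 0/0 ports still shows nonzero flags. */
static enum verdict firewall(const struct flow_key *k, uint16_t allowed_dport)
{
    if (k->proto != 6) return DROP;
    if (k->later_frag) return PASS;
    if (k->src_port == 0 && k->dst_port == 0 && k->tcp_flags == 0) return DROP;
    return k->dst_port == allowed_dport ? PASS : DROP;
}

enum scenario { SC_FULL_FIRST, SC_TRUNCATED_FIRST, SC_LATER_FRAG, SC_ZERO_PORTS_SYN };

/* Build one constructed packet per scenario, parse it, and return the verdict
 * (-1 on a malformed packet). */
int run_scenario(enum scenario sc, uint16_t allowed_dport)
{
    uint8_t buf[64]; size_t n = 0; struct flow_key k;
    switch (sc) {
    case SC_FULL_FIRST:      n = build_ipv4_tcp(buf, 0, true,  40000, 80, 0x02, 24); break; /* SYN, header + 4 bytes */
    case SC_TRUNCATED_FIRST: n = build_ipv4_tcp(buf, 0, true,  40000, 80, 0x02, 8);  break; /* only ports + seq */
    case SC_LATER_FRAG:      n = build_ipv4_tcp(buf, 3, false, 40000, 80, 0x02, 24); break; /* offset 24 bytes */
    case SC_ZERO_PORTS_SYN:  n = build_ipv4_tcp(buf, 0, false, 0,     0,  0x02, 20); break; /* 0/0 ports, SYN */
    }
    if (!parse_ipv4_tcp(buf, n, &k)) return -1;
    return firewall(&k, allowed_dport);
}

int main(void)
{
    printf("full first fragment to 80, allow 80: %d\n", run_scenario(SC_FULL_FIRST, 80));
    printf("truncated first fragment, allow 80:  %d\n", run_scenario(SC_TRUNCATED_FIRST, 80));
    printf("later fragment, allow 22:            %d\n", run_scenario(SC_LATER_FRAG, 22));
    printf("0/0 ports with SYN, allow 80:        %d\n", run_scenario(SC_ZERO_PORTS_SYN, 80));
    return 0;
}
```

The truncated first fragment is the interesting case: its 8 bytes of L4 data do contain the port numbers, but the parser deliberately refuses to use them because the rest of the header (and the flags) is absent, so the key ends up zeroed and the policy drops it rather than letting a crafted fragment slip past the port check.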

