Re: firewall hooks and fragmentation in 2.0.3x

Philip Gladstone (
Thu, 12 Jun 1997 09:28:15 -0400

Alan Cox wrote:
> > Each IP datagram goes through the output INET firewall code
> > exactly once. Fragmentation happens *after* the output code has
> > said 'YES'. Further, the whole output datagram will be provided
> Doesn't work like that and it won't work like that. We don't gain anything
> by such a rule but we lose performance. The kernel doesn't build a complete
> packet for many code paths, it's building bits and sending some before it's even
> thought about the rest of the packet.

You are entirely right -- it doesn't work like that. I claim that for a
security 'feature' it is important to be able to specify how it works.
In this case, I suspect that there is no specification for when and how
often bits of IP datagrams are filtered. Further, I suspect that it
changes from OS revision to OS revision.

Is it possible to fix on how it *ought* to work, and then document it?
Any code alignment can be done.


Philip Gladstone                           +1 617 487 7700
Raptor Systems, Waltham, MA
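The two orderings debated above can be made concrete with a small model. The following is an added illustration, not code from the thread or from the Linux 2.0 kernel: it splits a constructed datagram into fragments the way IP does (payload per fragment rounded down to a multiple of 8 bytes), then runs a hypothetical port-based firewall hook either once on the whole datagram before fragmentation, or once per fragment after it. The counters show why the specification matters to whoever writes the filter rules: a rule that needs the transport header can only be evaluated on a fragment with offset 0, so under the per-fragment model every later fragment is a hook invocation that cannot see the ports. The MTU, payload size, and the `hook_sees_ports` rule are all assumptions chosen for the example.

```c
#include <stdio.h>

#define IP_HDR_LEN 20u   /* minimal IPv4 header; options ignored in this model */
#define MAX_FRAGS  64u

typedef struct {
    unsigned offset;         /* payload offset of this fragment in bytes */
    unsigned len;            /* payload bytes carried by this fragment */
    int more_fragments;      /* MF flag: 1 on all but the last fragment */
} fragment_t;

typedef struct {
    unsigned hook_calls;          /* times the firewall hook was invoked */
    unsigned calls_without_ports; /* invocations that could not see the transport header */
    unsigned fragments_sent;      /* fragments emitted on the wire */
} stats_t;

/* Split a datagram payload of total_len bytes into fragments that fit mtu.
   IP fragment offsets are in 8-byte units, so the per-fragment payload is
   rounded down to a multiple of 8. Returns the number of fragments written. */
unsigned fragment_datagram(unsigned total_len, unsigned mtu,
                           fragment_t *out, unsigned max_out) {
    unsigned chunk = (mtu - IP_HDR_LEN) & ~7u;
    unsigned n = 0, off = 0;
    if (chunk == 0 || total_len == 0) return 0;
    while (off < total_len && n < max_out) {
        unsigned remaining = total_len - off;
        out[n].offset = off;
        out[n].len = remaining > chunk ? chunk : remaining;
        out[n].more_fragments = remaining > chunk;
        off += out[n].len;
        n++;
    }
    return n;
}

/* Hypothetical port-based rule: the transport header only exists in the
   first fragment (offset 0); later fragments carry bare payload. */
static int hook_sees_ports(unsigned offset) { return offset == 0; }

/* Model A (the behaviour claimed in the thread): the hook runs exactly once
   on the complete datagram, and fragmentation happens afterwards. */
stats_t filter_then_fragment(unsigned total_len, unsigned mtu) {
    stats_t s = {0, 0, 0};
    fragment_t frags[MAX_FRAGS];
    s.hook_calls = 1;                                  /* one decision per datagram */
    s.calls_without_ports = hook_sees_ports(0) ? 0 : 1; /* whole datagram: ports visible */
    s.fragments_sent = fragment_datagram(total_len, mtu, frags, MAX_FRAGS);
    return s;
}

/* Model B: the datagram is built and sent piecewise, so every fragment
   passes the hook on its own and the hook sees only that fragment. */
stats_t fragment_then_filter(unsigned total_len, unsigned mtu) {
    stats_t s = {0, 0, 0};
    fragment_t frags[MAX_FRAGS];
    unsigned n = fragment_datagram(total_len, mtu, frags, MAX_FRAGS);
    for (unsigned i = 0; i < n; i++) {
        s.hook_calls++;
        if (!hook_sees_ports(frags[i].offset)) s.calls_without_ports++;
        s.fragments_sent++;
    }
    return s;
}

int main(void) {
    /* Constructed input: a 4000-byte payload leaving on a 1500-byte MTU link. */
    stats_t a = filter_then_fragment(4000, 1500);
    stats_t b = fragment_then_filter(4000, 1500);
    printf("filter-then-fragment: hook calls=%u, blind calls=%u, fragments=%u\n",
           a.hook_calls, a.calls_without_ports, a.fragments_sent);
    printf("fragment-then-filter: hook calls=%u, blind calls=%u, fragments=%u\n",
           b.hook_calls, b.calls_without_ports, b.fragments_sent);
    return 0;
}
```

With the constructed 4000-byte payload the datagram becomes three fragments (1480, 1480, 1040 bytes). Model A invokes the hook once with the ports visible; Model B invokes it three times, and two of those invocations have no transport header to match on. Either behaviour can be filtered correctly, but only if the filter author knows which one the kernel implements, which is the point of asking for a written specification.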