That's not a good idea. We send UDP datagrams in reverse fragment order.
The Cisco PIX does broken filtering by waiting for the misnamed "first"
fragment nowadays, and several folk have a choice of running
old versions or changing product.
It also doesn't work on dual entry point networks where fragments may
pass down different paths and firewalls. That is something required for a serious
ISP setup, where even a hardware failure of a firewall host taking out
the network is unacceptable.
I assume the "first fragment first" is at least configurable so everyone
can turn it off again.
Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
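The ordering problem described above, as an added illustration that is not code from the post, from the kernel, or from any firewall vendor: a toy Python model of IP fragments with an order-independent reassembler beside a stateful filter that admits nothing until it has seen the offset-0 ("first") fragment. The names (`Fragment`, `reassemble_all`, `first_fragment_first_filter`, `demo`) and the 1280-byte sample datagram are constructed for the example; real headers, checksums, TTLs and reassembly timeouts are left out.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment, reduced to the fields that matter for reassembly (constructed model)."""
    ident: int      # IP Identification: shared by every fragment of one datagram
    offset: int     # byte offset of this piece within the original datagram
    more: bool      # More Fragments (MF) flag: False only on the last piece
    payload: bytes


def fragment(ident: int, data: bytes, piece: int) -> List[Fragment]:
    """Split data into pieces of `piece` bytes (a multiple of 8, as on the wire), ascending offsets."""
    if piece <= 0 or piece % 8 != 0:
        raise ValueError("fragment payload size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(data), piece):
        chunk = data[off:off + piece]
        frags.append(Fragment(ident, off, off + piece < len(data), chunk))
    return frags


def reassemble_all(arrivals: Iterable[Fragment]) -> Dict[int, bytes]:
    """Order-independent reassembly: index pieces by offset and emit a datagram once the
    MF=0 piece is present and the offsets cover it contiguously. Arrival order is irrelevant."""
    by_id: Dict[int, Dict[int, Fragment]] = {}
    for f in arrivals:
        by_id.setdefault(f.ident, {})[f.offset] = f
    done: Dict[int, bytes] = {}
    for ident, parts in by_id.items():
        last = [f for f in parts.values() if not f.more]
        if len(last) != 1:
            continue                       # total length unknown until the MF=0 piece is seen
        total = last[0].offset + len(last[0].payload)
        expected = 0
        for off in sorted(parts):
            if off != expected:
                break                      # gap or overlap: not complete yet
            expected = off + len(parts[off].payload)
        else:
            if expected == total:
                done[ident] = b"".join(parts[off].payload for off in sorted(parts))
    return done


def first_fragment_first_filter(arrivals: Iterable[Fragment]) -> Tuple[List[Fragment], List[Fragment]]:
    """Model of a stateful filter that admits a non-first fragment only after it has already
    seen the offset-0 fragment of the same datagram. Returns (passed, dropped)."""
    approved: Set[int] = set()
    passed: List[Fragment] = []
    dropped: List[Fragment] = []
    for f in arrivals:
        if f.offset == 0:
            approved.add(f.ident)          # offset 0 carries the transport header the filter inspects
            passed.append(f)
        elif f.ident in approved:
            passed.append(f)
        else:
            dropped.append(f)              # arrived before its offset-0 sibling
    return passed, dropped


def demo() -> dict:
    """Constructed 1280-byte datagram in 512-byte pieces, sent last-fragment-first."""
    data = bytes(range(256)) * 5
    in_order = fragment(42, data, 512)
    reversed_order = list(reversed(in_order))
    # Order-independent reassembly succeeds either way.
    ok_forward = reassemble_all(in_order) == {42: data}
    ok_reverse = reassemble_all(reversed_order) == {42: data}
    # The first-fragment-first filter drops every piece that precedes offset 0 ...
    passed, dropped = first_fragment_first_filter(reversed_order)
    # ... and a second firewall on a parallel path that never sees offset 0 drops all it gets.
    other_path = [f for f in in_order if f.offset != 0]
    _, dropped_other = first_fragment_first_filter(other_path)
    return {
        "fragments": len(in_order),
        "reassembled_forward": ok_forward,
        "reassembled_reverse": ok_reverse,
        "filter_passed_reverse": len(passed),
        "filter_dropped_reverse": len(dropped),
        "survives_filter": 42 in reassemble_all(passed),
        "filter_dropped_other_path": len(dropped_other),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that reassembly state should be keyed by (identification, offset), as `reassemble_all` does, so that any arrival order converges on the same datagram; a filter that instead encodes an ordering assumption turns a legitimate sender's reverse-order fragments, or the fragments that took the other path through a redundant pair of firewalls, into silent drops.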