tcp match silently drops packets
Herbert Xu
herbert at gondor.apana.org.au
Mon Oct 17 23:27:32 CEST 2005
On Mon, Oct 17, 2005 at 09:30:21PM +0200, Henrik Nordstrom wrote:
>
> >The latter is possible because the minimum fragment payload length is
> >8 bytes.
>
> Yes, but not if the minimum allowed MTU of the available transports (not
> including ATM) is accounted for. If you account for the minimum allowed
> MTU on these transports then the smallest possible fragment is a bit
> larger and these very small fragments are only seen if explicitly created
> by "hacker" or similar trying to avoid packet filters (and quite
> successfully so in many simpler implementations).
This is not true if tunnels are involved.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt