[dpdk-dev] ip_pipeline firewall : fragmented ipv4 packets handling
Shyam Shrivastav
shrivastav.shyam at gmail.com
Fri Mar 17 06:52:54 CET 2017
Again sending this issue as no response on original post. As per my
understanding if we are supporting ACL on tcp/usp port ranges then ipv4
packets must be reassembled before checking against ACL, then fragmented
if required during forwarding. So there are three cases
1) My understanding is wrong then please correct me.
2) We correct this in examples wherever we are supporting access control on
udp/tcp ports.
3) We document this clearly.
-------------------------------------------------
Below is my original post
-------------------------------------------------
Hi All
Filtering based on TCP/UDP fields like src/dest port range works correctly
only on non-fragmented packets , that means reassembly must be done before
packets hit firewall rules table. Also packets must be fragmented before
transmission if larger than port mtu. This is unsupported currently, any
plans for this in near future?
Regards
More information about the dev
mailing list