[dpdk-dev] ip_pipeline firewall : fragmented ipv4 packets handling

Shyam Shrivastav shrivastav.shyam at gmail.com
Fri Mar 17 06:52:54 CET 2017


Again sending this issue as no response on original post. As per my
understanding if we are supporting ACL on tcp/usp port ranges then ipv4
packets must be reassembled before  checking against ACL, then fragmented
if required during forwarding. So there are three cases

1) My understanding is wrong then please correct me.
2) We correct this in examples wherever we are supporting access control on
udp/tcp ports.
3) We document this clearly.


-------------------------------------------------
Below is my original post

-------------------------------------------------
Hi All

Filtering based on TCP/UDP fields like src/dest port range works correctly
only on non-fragmented packets , that means reassembly must be done before
packets hit firewall rules table. Also  packets must be fragmented before
transmission if larger than port mtu. This is unsupported currently, any
plans for this in near future?

Regards


More information about the dev mailing list