Fragmented Packet Handling
Two keywords are used to support fragmentation in ACLs:
- fragments—FO field = 0 (FO means the
fragment offset field in the IP header). This will match first fragment also
(packets with FO = 0).
- first-fragments—FO == 0.
Policy file syntax checker
The fragments keyword cannot be used in a rule
with L4 information. The syntax checker will reject such policy files.
The following rules are used to evaluate fragmented packets or
rules that use the fragments or first-fragments
keywords.
With no keyword specified, processing proceeds as follows:
- An L3-only rule that does not contain either the fragments
or first-fragments keyword matches any IP packets.
- An L4 rule that does not contain either the fragments or
first-fragments keyword matches non-fragmented or initial-fragment
packets.
With the
fragments keyword specified:
- An L3-only rule with the fragments keyword only matches
fragmented packets.
- An L4 rule with the fragments keyword is not valid (see
above).
With the
first-fragments keyword specified:
- An L3-only rule with the first-fragments keyword matches
initial fragment packets.
- An L4 rule with the first-fragments keyword matches
initial fragment packets.
