Subject: Re: kern/7368: ipnat not rewriting PORT command 100% of time
To: Andrew Brown <>
From: Olaf Seibert <>
List: netbsd-bugs
Date: 04/18/1999 00:46:36
On Sat, 17 Apr 1999, Andrew Brown wrote:

>  what the hack does (from my point of view) is not care
> if the crlf is there or not.  so if it arrives in a separate packet,
> it doesn't care.

What a *proper* proxy should do is of course gobble up a complete
command (even if it arrives with only one character per packet) and only
then look at it. Just like a real ftp server would, actually. I haven't
looked at the complete code for ipfilter, but it does not appear to do
that.  The fact that the current code, assuming commands neatly aligned
on packet boundaries, works so well in practice is mere luck. The same
assumptions would not work so well with many other protocols.

___ Olaf 'Rhialto' Seibert - rhialto@polder.ubc. ---- Unauthorized duplication,
\X/ ---- while sometimes necessary, is never as good as the real thing.