
Treat packet according to its size

Open mpastor opened this issue 5 years ago • 1 comments

Hi, is it possible to pass/block a packet according to its size? I need to block outgoing UDP/123 (NTP) packets bigger than 128B to disable DDoS amplification. There is nothing about it in the docs. Thanks.

mpastor, Apr 03 '20 23:04

@mpastor: NPF already supports this using the pcap-filter, i.e. the tcpdump syntax, e.g.:

block in final pcap-filter "greater 128"

See npf.conf(5) and pcap-filter(7) man pages. However, I think I will add more options to filter based on some IP header values using the native syntax.

rmind, Apr 29 '20 17:04
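An added example, not part of the thread and not NPF code: a small Python model of the size test narrowed to the case in the question, showing which constructed packets a rule such as `block out final pcap-filter "udp src port 123 and greater 129"` would drop. In pcap-filter(7), `greater N` means `len >= N`, so "bigger than 128" is written `greater 129`. Assumptions: the length seen by the filter is the whole IP packet, and the helper names, addresses and ports below are made up for the illustration.

```python
import struct

NTP_PORT = 123
LIMIT = 128  # bytes; threshold taken from the question

def ipv4_udp(sport, dport, payload_len, frag_off=0):
    """Build a constructed IPv4/UDP packet (checksums left at zero)."""
    total = 20 + 8 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, frag_off, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return ip + udp + bytes(payload_len)

def greater(pkt, n):
    """pcap-filter 'greater n' is 'len >= n', not 'len > n'."""
    return len(pkt) >= n

def udp_src_port(pkt, port):
    """'udp src port N' for IPv4: protocol 17, first fragment only."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return False
    if struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF:
        return False  # later fragments carry no UDP header to match on
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return False
    return struct.unpack_from("!H", pkt, ihl)[0] == port

def blocked(pkt):
    """Model of the filter 'udp src port 123 and greater 129'."""
    return udp_src_port(pkt, NTP_PORT) and greater(pkt, LIMIT + 1)

def report():
    samples = {  # all packets are constructed for this example
        "48-byte NTP payload (76-byte IP packet)": ipv4_udp(123, 40000, 48),
        "NTP source port, exactly 128 bytes": ipv4_udp(123, 40000, 100),
        "NTP source port, 129 bytes": ipv4_udp(123, 40000, 101),
        "NTP source port, 468 bytes": ipv4_udp(123, 40000, 440),
        "468 bytes from source port 53": ipv4_udp(53, 40000, 440),
    }
    return {name: blocked(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{'block' if verdict else 'pass '}  {name}")
```

Non-first fragments of an oversized reply do not match the port test, so a size rule like this one is only complete if fragments are reassembled or dropped before it is evaluated.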