kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
matches fragmented icmp packets (fwd)
Maxim Konovalov
maxim at macomnet.ru
Thu Apr 24 04:50:23 PDT 2003
The following reply was made to PR kern/51341; it has been noted by GNATS.
From: Maxim Konovalov <maxim at macomnet.ru>
To: bug-followup at freebsd.org
Cc:
Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
matches fragmented icmp packets (fwd)
Date: Thu, 24 Apr 2003 15:43:12 +0400 (MSD)
Add to audit trail.
--
Maxim Konovalov, maxim at macomnet.ru, maxim at FreeBSD.org
---------- Forwarded message ----------
Date: Thu, 24 Apr 2003 14:35:58 +0300
From: Andrey Lakhno <land at dnepr.net>
To: Maxim Konovalov <maxim at macomnet.ru>
Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5'
matches fragmented icmp packets
Hello,
On Thu, 24 Apr 2003, Maxim Konovalov wrote:
> Could you please test a patch below? Thanks.
It works.
Thank you!
> Index: sys/netinet/ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.39
> diff -u -r1.131.2.39 ip_fw.c
> --- sys/netinet/ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
> +++ sys/netinet/ip_fw.c 24 Apr 2003 11:12:02 -0000
> @@ -1434,7 +1434,7 @@
> struct icmp *icmp;
>
> if (offset != 0) /* Type isn't valid */
> - break;
> + continue;
> icmp = (struct icmp *) ((u_int32_t *)ip + ip->ip_hl);
> if (!icmptype_match(icmp, f))
> continue;
>
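Review bot: The comment on the `if (offset != 0)` line still reads "Type isn't valid", which does not say why the rule is now skipped with `continue` instead of left with `break`. Suggest spelling it out, for example `/* non-first fragment: no ICMP header here, rule cannot match */`, so the line reads consistently with the `if (!icmptype_match(icmp, f)) continue;` check just below it. With this change a fragment with a non-zero offset never matches an icmptype rule and is decided by whichever later rule it reaches, so the ipfw documentation should say that rule sets relying on icmptype filters need to handle fragments explicitly.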
> %%%
--
Andrey Lakhno,
land-ripe