ports/59548: [Maintainer-update:] security/pf - fix build for __FreeBSD_version > 501114
Max Laier
max at love2party.net
Fri Nov 21 13:50:20 UTC 2003
>Number: 59548
>Category: ports
>Synopsis: [Maintainer-update:] security/pf - fix build for __FreeBSD_version > 501114
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 21 05:50:17 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Max Laier
>Release: FreeBSD 5.1-RELEASE-p10 i386
>Organization:
>Environment:
System: FreeBSD router.laiers.local 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #1: Sun Oct 5 17:38:55 CEST 2003 root at router.laiers.local:/usr/obj/usr/src/sys/ALTQ i386
>Description:
Supersedes ports/59442 and fixes the following:
- Build with __FreeBSD_version > 501114 (see bms commit)
- Build with new route.h (no RTF_PRCLONING)
- Don't use hardware assistance on framentation when DF is set.
- Allow pftcpdump -w to be used with pfsync.
Found-by: bento / Pyun YongHyeon
>How-To-Repeat:
>Fix:
Please remove intermediate patch!!! i.e. back-out bms' commit!
--- pf-port.diff begins here ---
diff -ruN pf.orig/Makefile pf/Makefile
--- pf.orig/Makefile Fri Nov 21 14:31:34 2003
+++ pf/Makefile Fri Nov 21 14:42:15 2003
@@ -7,6 +7,7 @@
PORTNAME= pf_freebsd
PORTVERSION= 2.00
+PORTREVISION= 1
CATEGORIES= security ipv6
MASTER_SITES= http://pf4freebsd.love2party.net/
.if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
diff -ruN pf.orig/files/patch-ac pf/files/patch-ac
--- pf.orig/files/patch-ac Thu Jan 1 01:00:00 1970
+++ pf/files/patch-ac Fri Nov 21 14:34:24 2003
@@ -0,0 +1,98 @@
+--- pf/pf.c.orig Fri Nov 21 14:32:14 2003
++++ pf/pf.c Fri Nov 21 14:32:33 2003
+@@ -1250,8 +1250,10 @@
+ struct tcphdr *th;
+ #if defined(__FreeBSD__)
+ struct ip *ip;
++#if (__FreeBSD_version < 501114)
+ struct route ro;
+ #endif
++#endif
+ char *opt;
+
+ /* maximum segment size tcp option */
+@@ -1366,7 +1368,6 @@
+ h->ip_ttl = ttl ? ttl : ip_defttl;
+ h->ip_sum = 0;
+ #if defined(__FreeBSD__)
+- bzero(&ro, sizeof(ro));
+ ip = mtod(m, struct ip *);
+ /*
+ * XXX
+@@ -1376,6 +1377,8 @@
+ */
+ NTOHS(ip->ip_len);
+ NTOHS(ip->ip_off);
++#if (__FreeBSD_version < 501114)
++ bzero(&ro, sizeof(ro));
+ ip_rtaddr(ip->ip_dst, &ro);
+ PF_UNLOCK();
+ ip_output(m, (void *)NULL, &ro, 0, (void *)NULL,
+@@ -1384,7 +1387,13 @@
+ if(ro.ro_rt) {
+ RTFREE(ro.ro_rt);
+ }
+-#else
++#else /* __FreeBSD_version >= 501114 */
++ PF_UNLOCK();
++ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
++ (void *)NULL);
++ PF_LOCK();
++#endif
++#else /* ! __FreeBSD__ */
+ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
+ (void *)NULL);
+ #endif
+@@ -2354,8 +2363,12 @@
+ dst->sin_len = sizeof(*dst);
+ dst->sin_addr = addr->v4;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign(&ro, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone(&ro, NO_CLONING);
+ #endif
+ rt = ro.ro_rt;
+@@ -2370,9 +2383,13 @@
+ dst6->sin6_len = sizeof(*dst6);
+ dst6->sin6_addr = addr->v6;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign((struct route *)&ro6,
+ (RTF_CLONING | RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign((struct route *)&ro6, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone((struct route *)&ro6, NO_CLONING);
+ #endif
+ rt = ro6.ro_rt;
+@@ -4731,8 +4748,12 @@
+ dst->sin_len = sizeof(*dst);
+ dst->sin_addr = addr->v4;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign(&ro, (RTF_CLONING|RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign(&ro, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone(&ro, NO_CLONING);
+ #endif
+
+@@ -5044,7 +5065,8 @@
+ m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
+
+ if (ntohs(ip->ip_len) <= ifp->if_mtu ||
+- ifp->if_hwassist & CSUM_FRAGMENT) {
++ (ifp->if_hwassist & CSUM_FRAGMENT &&
++ ((ip->ip_off & htons(IP_DF)) == 0))) {
+ /*
+ * ip->ip_len = htons(ip->ip_len);
+ * ip->ip_off = htons(ip->ip_off);
diff -ruN pf.orig/files/patch-ad pf/files/patch-ad
--- pf.orig/files/patch-ad Thu Jan 1 01:00:00 1970
+++ pf/files/patch-ad Fri Nov 21 14:36:15 2003
@@ -0,0 +1,23 @@
+--- freebsd_libpcap/savefile.c.orig Fri Nov 21 14:35:34 2003
++++ freebsd_libpcap/savefile.c Fri Nov 21 14:35:46 2003
+@@ -178,6 +178,9 @@
+ #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */
+ #define LINKTYPE_IPFILTER 116 /* IP Filter capture files */
+ #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */
++#if defined(DLT_PFSYNC)
++#define LINKTYPE_PFSYNC DLT_PFSYNC
++#endif
+
+ static struct linktype_map {
+ int dlt;
+@@ -271,6 +274,10 @@
+ * defining DLT_* values that collide with those
+ * LINKTYPE_* values, either).
+ */
++ { DLT_PFLOG, LINKTYPE_PFLOG },
++#if defined(DLT_PFSYNC)
++ { DLT_PFSYNC, LINKTYPE_PFSYNC },
++#endif
+ { -1, -1 }
+ };
+
--- pf-port.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list