svn commit: r330792 - in head: sbin/ipfw sys/netpfil/ipfw

Rodney W. Grimes freebsd at pdx.rh.CN85.dnsmgr.net
Mon Mar 12 16:58:57 UTC 2018


> Author: ae
> Date: Mon Mar 12 09:40:46 2018
> New Revision: 330792
> URL: https://svnweb.freebsd.org/changeset/base/330792
> 
> Log:
>   Do not try to reassemble IPv6 fragments in "reass" rule.
>   
>   ip_reass() expects an IPv4 packet and will just corrupt any IPv6 packets
>   that it gets. Until a proper IPv6 fragment handling function is
>   implemented, pass IPv6 packets to the next rule.

Thank you!  This should simplify some discussion occurring about
/etc/rc.firewall in workstation mode and the fact it does not
handle fragmentation correctly; part of fixing that involved
being sure to only pass IPv4 to a reass rule, with this fix that
shall no longer be necessary.

https://reviews.freebsd.org/D9920


>   PR:		170604
>   MFC after:	1 week
> 
> Modified:
>   head/sbin/ipfw/ipfw.8
>   head/sys/netpfil/ipfw/ip_fw2.c
> 
> Modified: head/sbin/ipfw/ipfw.8
> ==============================================================================
> --- head/sbin/ipfw/ipfw.8	Mon Mar 12 05:41:27 2018	(r330791)
> +++ head/sbin/ipfw/ipfw.8	Mon Mar 12 09:40:46 2018	(r330792)
> @@ -1,7 +1,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd November 26, 2017
> +.Dd March 12, 2018
>  .Dt IPFW 8
>  .Os
>  .Sh NAME
> @@ -1135,7 +1135,7 @@ Regardless of matched a packet or not by the
>  .Cm tcp-setmss
>  rule, the search continues with the next rule.
>  .It Cm reass
> -Queue and reassemble IP fragments.
> +Queue and reassemble IPv4 fragments.
>  If the packet is not fragmented, counters are updated and
>  processing continues with the next rule.
>  If the packet is the last logical fragment, the packet is reassembled and, if
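Review bot: the reworded `.It Cm reass` paragraph still does not say what the rule now does with an IPv6 packet, and the sentence that follows ("If the packet is not fragmented, counters are updated and processing continues with the next rule.") will be read as applying to IPv6 too, which the kernel change does not do. Add a sentence after "Queue and reassemble IPv4 fragments." along the lines of "IPv6 packets are not reassembled; they are passed to the next rule without updating the rule counters." so the man page matches the code.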
> 
> Modified: head/sys/netpfil/ipfw/ip_fw2.c
> ==============================================================================
> --- head/sys/netpfil/ipfw/ip_fw2.c	Mon Mar 12 05:41:27 2018	(r330791)
> +++ head/sys/netpfil/ipfw/ip_fw2.c	Mon Mar 12 09:40:46 2018	(r330792)
> @@ -3018,8 +3018,10 @@ do {								\
>  			case O_REASS: {
>  				int ip_off;
>  
> -				IPFW_INC_RULE_COUNTER(f, pktlen);
>  				l = 0;	/* in any case exit inner loop */
> +				if (is_ipv6) /* IPv6 is not supported yet */
> +					break;
> +				IPFW_INC_RULE_COUNTER(f, pktlen);
>  				ip_off = ntohs(ip->ip_off);
>  
>  				/* if not fragmented, go to next rule */
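Review bot: moving `IPFW_INC_RULE_COUNTER(f, pktlen);` below the new `if (is_ipv6) break;` means an IPv6 packet that reaches a reass rule no longer bumps that rule's counters, so `ipfw show` reports zero hits for a rule the packet did traverse, and the ipfw.8 text in this same commit still says counters are updated for unfragmented packets; either keep the increment before the IPv6 check (the counter was unconditional before this change) or state in the commit message and man page that IPv6 packets are skipped without being counted. The `l = 0;` ahead of the `break` is right: it leaves the inner loop and the outer loop moves on to the next rule, as the log message says.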
> 
> 

-- 
Rod Grimes                                                 rgrimes at freebsd.org
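The version check the kernel hunk adds, as a stand-alone C program added here by the editor (it is not code from r330792 or from any FreeBSD source); the packet bytes, the names reass_classify, kIPv6UDP, kIPv4Frag and kIPv4Whole, and the enum are all constructed for illustration. It shows why the check has to happen before ip_off is read: in an IPv6 header the two bytes at the offset of the IPv4 ip_off field are Next Header and Hop Limit, so an ordinary UDP packet with hop limit 64 would decode as an IPv4 fragment at byte offset 35328 if it were handed to an IPv4-only reassembler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag and offset bits of the IPv4 ip_off field, as in <netinet/ip.h>. */
#define IP_OFFMASK 0x1fffU
#define IP_MF      0x2000U

enum reass_action {
    REASS_SHORT,           /* too short to classify */
    REASS_PASS_NEXT_RULE,  /* IPv6, or IPv4 but not fragmented: next rule */
    REASS_QUEUE_FRAGMENT   /* IPv4 fragment: would be handed to the reassembler */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Classify a packet the way the fixed O_REASS case does: look at the
 * version nibble before touching any IPv4 field.  If misread_off is
 * non-NULL it receives the 16 bits at offset 6, which is where an
 * IPv4-only reassembler reads ip_off; in an IPv6 header those bytes
 * are Next Header and Hop Limit.  (Illustrative code, not ipfw's.)
 */
enum reass_action reass_classify(const uint8_t *pkt, size_t len, uint16_t *misread_off)
{
    if (len < 8)
        return REASS_SHORT;
    uint16_t off = be16(pkt + 6);
    if (misread_off != NULL)
        *misread_off = off;
    unsigned version = pkt[0] >> 4;
    if (version == 6)                       /* the added check: IPv6 goes to the next rule */
        return REASS_PASS_NEXT_RULE;
    if (version != 4 || len < 20)
        return REASS_SHORT;
    if ((off & (IP_OFFMASK | IP_MF)) == 0)  /* not fragmented */
        return REASS_PASS_NEXT_RULE;
    return REASS_QUEUE_FRAGMENT;
}

/* Constructed sample packets (headers only, no payload, no checksums). */
/* IPv6: payload length 8, next header UDP (0x11), hop limit 64 (0x40), ::1 -> ::1 */
const uint8_t kIPv6UDP[40] = {
    0x60, 0x00, 0x00, 0x00,  0x00, 0x08, 0x11, 0x40,
    [23] = 0x01, [39] = 0x01
};
/* IPv4 first fragment: MF set, offset 0, 10.0.0.1 -> 10.0.0.2 */
const uint8_t kIPv4Frag[20] = {
    0x45, 0x00, 0x00, 0x1c,  0x12, 0x34, 0x20, 0x00,
    0x40, 0x11, 0x00, 0x00,  10, 0, 0, 1,  10, 0, 0, 2
};
/* IPv4 unfragmented: DF set, offset 0 */
const uint8_t kIPv4Whole[20] = {
    0x45, 0x00, 0x00, 0x1c,  0x12, 0x34, 0x40, 0x00,
    0x40, 0x11, 0x00, 0x00,  10, 0, 0, 1,  10, 0, 0, 2
};

int main(void)
{
    static const char *names[] = { "short", "next rule", "queue fragment" };
    uint16_t off = 0;
    enum reass_action a = reass_classify(kIPv6UDP, sizeof kIPv6UDP, &off);
    printf("IPv6 UDP packet: %s (an IPv4 reassembler would read ip_off=0x%04x, "
           "i.e. a fragment at byte offset %u)\n",
           names[a], off, (off & IP_OFFMASK) * 8);
    printf("IPv4 fragment:   %s\n", names[reass_classify(kIPv4Frag, sizeof kIPv4Frag, NULL)]);
    printf("IPv4 whole:      %s\n", names[reass_classify(kIPv4Whole, sizeof kIPv4Whole, NULL)]);
    return 0;
}
```

The misread value is the point of the commit: 0x11 (UDP) and 0x40 (hop limit 64) land in the fragment-offset field, the MF bit happens to be clear, and the reassembler would queue a "final fragment" at offset 4416*8 bytes for a packet that was never fragmented.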


More information about the svn-src-head mailing list