svn commit: r349399 - head/sys/contrib/ipfilter/netinet

Cy Schubert cy at FreeBSD.org
Wed Jun 26 00:53:44 UTC 2019


Author: cy
Date: Wed Jun 26 00:53:43 2019
New Revision: 349399
URL: https://svnweb.freebsd.org/changeset/base/349399

Log:
  Prompted by r349366, ipfilter also does not conform to RFC 3128
  by dropping TCP fragments with offset = 1.
  
  In addition to dropping these fragments, add a DTrace probe to allow
  for more detailed monitoring and diagnosis if required.
  
  MFC after:	1 week

Modified:
  head/sys/contrib/ipfilter/netinet/fil.c

Modified: head/sys/contrib/ipfilter/netinet/fil.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/fil.c	Wed Jun 26 00:06:41 2019	(r349398)
+++ head/sys/contrib/ipfilter/netinet/fil.c	Wed Jun 26 00:53:43 2019	(r349399)
@@ -1723,6 +1723,10 @@ ipf_pr_ipv4hdr(fin)
 	 * calculate the byte offset that it represents.
 	 */
 	off &= IP_MF|IP_OFFMASK;
+	if (off == 1 && p == IPPROTO_TCP) {
+		fin->fin_flx |= FI_SHORT;	/* RFC 3128 */
+		DT1(ipf_fi_tcp_frag_off_1, fr_info_t *, fin);
+	}
 	if (off != 0) {
 		int morefrag = off & IP_MF;
 
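Review bot: The new test `off == 1` in ipf_pr_ipv4hdr() comes right after `off &= IP_MF|IP_OFFMASK;`, so `off` still carries the more-fragments bit at that point (the next context line extracts it with `off & IP_MF`). As written, the check matches only an offset-1 fragment with MF clear; a TCP fragment at offset 1 with MF set is not marked FI_SHORT and the DTrace probe does not fire for it. Suggest comparing the offset alone, e.g. `if ((off & IP_OFFMASK) == 1 && p == IPPROTO_TCP)`. The `/* RFC 3128 */` comment could also say what is being rejected (a TCP fragment with fragment offset 1), since FI_SHORT on its own does not convey that.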

