Re: svn commit: r349366 - head/sys/netpfil/ipfw

2019-06-25 Thread Rodney W. Grimes
> On 25.06.2019 16:28, Rodney W. Grimes wrote:
> >> Author: ae
> >> Date: Tue Jun 25 11:40:37 2019
> >> New Revision: 349366
> >> URL: https://svnweb.freebsd.org/changeset/base/349366
> >>
> >> Log:
> >>   Follow the RFC 3128 and drop short TCP fragments with offset = 1.
> >>   
> >>   Reported by: emaste
> >>   MFC after:   1 week
> > 
> > Can we get a counter or something so that the dropping of these
> > is not totally silent and invisible?
> 
> They are logged as all short packets with "Pullup failed" message when
> net.inet.ip.fw.verbose is enabled.

That's overkill for what I was asking about.
Also, are there not other cases that pullup failed is counted?

I was asking for a counter specifically on the RFC 3128
packets, which one used to be able to do with an ipfw rule,
but since the kernel started to deal with these I lost that
visibility.


-- 
Rod Grimes rgri...@freebsd.org
___
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"


Re: svn commit: r349366 - head/sys/netpfil/ipfw

2019-06-25 Thread Andrey V. Elsukov
On 25.06.2019 16:28, Rodney W. Grimes wrote:
>> Author: ae
>> Date: Tue Jun 25 11:40:37 2019
>> New Revision: 349366
>> URL: https://svnweb.freebsd.org/changeset/base/349366
>>
>> Log:
>>   Follow the RFC 3128 and drop short TCP fragments with offset = 1.
>>   
>>   Reported by:   emaste
>>   MFC after: 1 week
> 
> Can we get a counter or something so that the dropping of these
> is not totally silent and invisible?

They are logged as all short packets with "Pullup failed" message when
net.inet.ip.fw.verbose is enabled.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r349366 - head/sys/netpfil/ipfw

2019-06-25 Thread Rodney W. Grimes
> Author: ae
> Date: Tue Jun 25 11:40:37 2019
> New Revision: 349366
> URL: https://svnweb.freebsd.org/changeset/base/349366
> 
> Log:
>   Follow the RFC 3128 and drop short TCP fragments with offset = 1.
>   
>   Reported by: emaste
>   MFC after:   1 week

Can we get a counter or something so that the dropping of these
is not totally silent and invisible?

Thanks,
Rod

> Modified:
>   head/sys/netpfil/ipfw/ip_fw2.c
> 
> Modified: head/sys/netpfil/ipfw/ip_fw2.c
> ==
> --- head/sys/netpfil/ipfw/ip_fw2.cTue Jun 25 09:11:22 2019
> (r349365)
> +++ head/sys/netpfil/ipfw/ip_fw2.cTue Jun 25 11:40:37 2019
> (r349366)
> @@ -1719,6 +1719,11 @@ do {   
> \
>   default:
>   break;
>   }
> + } else {
> + if (offset == 1 && proto == IPPROTO_TCP) {
> + /* RFC 3128 */
> + goto pullup_failed;
> + }
>   }
>  
>   UPDATE_POINTERS();
> 
> 
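
Review bot: the "/* RFC 3128 */" comment in the added else branch names only the RFC and leaves the reader to look up why offset == 1 matters. Spell out that a TCP fragment at offset 1 starts inside the TCP header and is dropped for that reason. The nested if is also the only statement in the new else, so it can be folded into "} else if (offset == 1 && proto == IPPROTO_TCP) {" to save one level of indentation.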

-- 
Rod Grimes rgri...@freebsd.org


svn commit: r349366 - head/sys/netpfil/ipfw

2019-06-25 Thread Andrey V. Elsukov
Author: ae
Date: Tue Jun 25 11:40:37 2019
New Revision: 349366
URL: https://svnweb.freebsd.org/changeset/base/349366

Log:
  Follow the RFC 3128 and drop short TCP fragments with offset = 1.
  
  Reported by:  emaste
  MFC after:    1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Tue Jun 25 09:11:22 2019
(r349365)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Tue Jun 25 11:40:37 2019
(r349366)
@@ -1719,6 +1719,11 @@ do { 
\
default:
break;
}
+   } else {
+   if (offset == 1 && proto == IPPROTO_TCP) {
+   /* RFC 3128 */
+   goto pullup_failed;
+   }
}
 
UPDATE_POINTERS();
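
Review bot: the "goto pullup_failed" in the added else branch sends these fragments down the same exit as every other short packet, so nothing in this hunk records that the drop was the RFC 3128 case. Consider bumping a dedicated counter or emitting a distinct log message before the goto, so that these drops can be told apart from ordinary pullup failures.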