Author: cy Date: Wed Jun 26 00:53:43 2019 New Revision: 349399 URL: https://svnweb.freebsd.org/changeset/base/349399
Log: Prompted by r349366, ipfilter is also does not conform to RFC 3128 by dropping TCP fragments with offset = 1. In addition to dropping these fragments, add a DTrace probe to allow for more detailed monitoring and diagnosis if required. MFC after: 1 week Modified: head/sys/contrib/ipfilter/netinet/fil.c Modified: head/sys/contrib/ipfilter/netinet/fil.c ============================================================================== --- head/sys/contrib/ipfilter/netinet/fil.c Wed Jun 26 00:06:41 2019 (r349398) +++ head/sys/contrib/ipfilter/netinet/fil.c Wed Jun 26 00:53:43 2019 (r349399) @@ -1723,6 +1723,10 @@ ipf_pr_ipv4hdr(fin) * calculate the byte offset that it represents. */ off &= IP_MF|IP_OFFMASK; + if (off == 1 && p == IPPROTO_TCP) { + fin->fin_flx |= FI_SHORT; /* RFC 3128 */ + DT1(ipf_fi_tcp_frag_off_1, fr_info_t *, fin); + } if (off != 0) { int morefrag = off & IP_MF; _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"