Author: ae
Date: Mon Mar 12 09:40:46 2018
New Revision: 330792
URL: https://svnweb.freebsd.org/changeset/base/330792
Log:
Do not try to reassemble IPv6 fragments in "reass" rule.
ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets
that it gets. Until proper IPv6 fragments handling function will be
implemented, pass IPv6 packets to next rule.
PR: 170604
MFC after: 1 week
Modified:
head/sbin/ipfw/ipfw.8
head/sys/netpfil/ipfw/ip_fw2.c
Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8 Mon Mar 12 05:41:27 2018 (r330791)
+++ head/sbin/ipfw/ipfw.8 Mon Mar 12 09:40:46 2018 (r330792)
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd November 26, 2017
+.Dd March 12, 2018
.Dt IPFW 8
.Os
.Sh NAME
@@ -1135,7 +1135,7 @@ Regardless of matched a packet or not by the
.Cm tcp-setmss
rule, the search continues with the next rule.
.It Cm reass
-Queue and reassemble IP fragments.
+Queue and reassemble IPv4 fragments.
If the packet is not fragmented, counters are updated and
processing continues with the next rule.
If the packet is the last logical fragment, the packet is reassembled and, if
Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c Mon Mar 12 05:41:27 2018
(r330791)
+++ head/sys/netpfil/ipfw/ip_fw2.c Mon Mar 12 09:40:46 2018
(r330792)
@@ -3018,8 +3018,10 @@ do {
\
case O_REASS: {
int ip_off;
- IPFW_INC_RULE_COUNTER(f, pktlen);
l = 0; /* in any case exit inner loop */
+ if (is_ipv6) /* IPv6 is not supported yet */
+ break;
+ IPFW_INC_RULE_COUNTER(f, pktlen);
ip_off = ntohs(ip->ip_off);
/* if not fragmented, go to next rule */
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
