On Wed, Aug 31, 2011 at 05:02:01PM +0200, Henning Brauer wrote:
> @@ -5679,6 +5665,13 @@ pf_setup_pdesc(sa_family_t af, int dir, 
>                                   m, *off, pd, a, ruleset, *hdrlen);
>                       if (*action != PF_PASS)
>                               REASON_SET(reason, PFRES_FRAG);
> +
> +                     PF_ACPY(&pd->nsaddr, pd->src, pd->af);
> +                     PF_ACPY(&pd->ndaddr, pd->dst, pd->af);

You should set this a few lines above before calling pf_test_rule().

> +                     if (pd->sport)
> +                             pd->nsport = *pd->sport;
> +                     if (pd->dport)
> +                             pd->ndport = *pd->dport;

They are always NULL here.

>                       return (-1);
>               }
>               break;

You have forgotten IPv6.  What do you think about deduplicating
this code?

bluhm


Index: net/pf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.771
diff -u -p -r1.771 pf.c
--- net/pf.c    30 Aug 2011 00:40:47 -0000      1.771
+++ net/pf.c    31 Aug 2011 18:55:13 -0000
@@ -5666,21 +5697,9 @@ pf_setup_pdesc(sa_family_t af, int dir, 
                if (h->ip_hl > 5)       /* has options */
                        pd->badopts++;
 
-               if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
-                       /*
-                        * handle fragments that aren't reassembled by
-                        * normalization
-                        */
+               if (h->ip_off & htons(IP_MF | IP_OFFMASK))
                        pd->virtual_proto = PF_VPROTO_FRAGMENT;
-                       if (kif == NULL || r == NULL)   /* pflog */
-                               *action = PF_DROP;
-                       else
-                               *action = pf_test_rule(r, s, dir, kif,
-                                   m, *off, pd, a, ruleset, *hdrlen);
-                       if (*action != PF_PASS)
-                               REASON_SET(reason, PFRES_FRAG);
-                       return (-1);
-               }
+
                break;
        }
 #endif
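Review bot: The added empty line before `break;` (here and in the IPv6 hunk that follows) is left over from the removed block and reads as if a statement were missing after the now unbraced `if`. Drop it so that `pd->virtual_proto = PF_VPROTO_FRAGMENT;` is followed directly by `break;`. The enclosing case starts outside the hunk.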
@@ -5763,21 +5782,9 @@ pf_setup_pdesc(sa_family_t af, int dir, 
                pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
                pd->virtual_proto = pd->proto = nxt;
 
-               if (fragoff != 0) {
-                       /*
-                        * handle fragments that aren't reassembled by
-                        * normalization
-                        */
+               if (fragoff != 0)
                        pd->virtual_proto = PF_VPROTO_FRAGMENT;
-                       if (kif == NULL || r == NULL)   /* pflog */
-                               *action = PF_DROP;
-                       else
-                               *action = pf_test_rule(r, s, dir, kif,
-                                   m, *off, pd, a, ruleset, *hdrlen);
-                       if (*action != PF_PASS)
-                               REASON_SET(reason, PFRES_FRAG);
-                       return (-1);
-               }
+
                break;
        }
 #endif
@@ -5786,7 +5793,20 @@ pf_setup_pdesc(sa_family_t af, int dir, 
 
        }
 
-       switch (pd->proto) {
+       switch (pd->virtual_proto) {
+       case PF_VPROTO_FRAGMENT:
+               /*
+                * handle fragments that aren't reassembled by
+                * normalization
+                */
+               if (kif == NULL || r == NULL)   /* pflog */
+                       *action = PF_DROP;
+               else
+                       *action = pf_test_rule(r, s, dir, kif,
+                           m, *off, pd, a, ruleset, *hdrlen);
+               if (*action != PF_PASS)
+                       REASON_SET(reason, PFRES_FRAG);
+               return (-1);
        case IPPROTO_TCP: {
                struct tcphdr   *th = pd->hdr.tcp;
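Review bot: Switching on `pd->virtual_proto` instead of `pd->proto` makes every transport case below depend on virtual_proto having been set to the real protocol for non-fragments. The IPv6 path shows this in its context line (`pd->virtual_proto = pd->proto = nxt;`), but the matching IPv4 assignment lies outside the hunks, so it should be confirmed that no path reaches this switch with virtual_proto unset; such a packet would presumably miss the TCP/UDP/ICMP cases and their header handling. I would also extend the moved comment to state that the fragment verdict is final at this point and the transport header is not examined, e.g. `/* verdict for unreassembled fragments is decided here; no transport header is examined */`. The switch continues past the end of the hunk.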
