Date: Tue, 13 Apr 2010 13:57:01 +1200 From: Matthew Luckie <mjl@luckie.org.nz> To: freebsd-net@freebsd.org Subject: reassembled packets and pfil Message-ID: <20100413015701.GA62420@spandex.luckie.org.nz>
Hi

Reassembled packets are not passed to the packet filter interface for both IPv4 and IPv6, so a firewall has no effect if the packets arrive in fragments. Here is a patch to fix this for IPv6. The patch for IPv4 is similarly trivial, but I have not written / tested it yet.

Is there any particular reason why reassembled packets were not checked? If the answer is no, I'll send in a PR.

I've tested the patch below.

Matthew

--- sys/netinet6/frag6.c.orig 2008-11-25 15:59:29.000000000 +1300 +++ sys/netinet6/frag6.c 2010-04-13 13:21:02.000000000 +1200 @@ -46,6 +46,7 @@ __FBSDID("$FreeBSD: src/sys/netinet6/fra #include <net/if.h> #include <net/route.h> +#include <net/pfil.h> #include <netinet/in.h> #include <netinet/in_var.h> @@ -568,6 +569,13 @@ insert: *offp = offset; IP6Q_UNLOCK(); + + if (PFIL_HOOKED(&inet6_pfil_hook) && + (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) || + m == NULL)) { + return IPPROTO_DONE; + } + return nxt; dropfrag:
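Review bot: in the second hunk, `pfil_run_hooks()` is passed `&m` precisely so that a hook may substitute a different mbuf chain, yet the hunk only updates the local `m` before `return nxt;`; the function already hands results back through pointers (`*offp = offset;`), so whatever pointer the caller uses to continue processing the reassembled packet needs to be refreshed from `m` after the hooks run, otherwise a hook that replaces the mbuf leaves the caller holding a stale (possibly freed) pointer. The `m == NULL` test after the `||` is the right guard for the consumed-packet case, since a non-zero return from `pfil_run_hooks()` means the packet was dropped and `m` is then NULL; a short comment stating that would make the intent clear to the next reader.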