Date:      Fri, 14 Apr 2017 05:12:01 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r316810 - head/sys/contrib/ipfilter/netinet
Message-ID:  <201704140512.v3E5C1Ug038997@repo.freebsd.org>

Author: cy
Date: Fri Apr 14 05:12:01 2017
New Revision: 316810
URL: https://svnweb.freebsd.org/changeset/base/316810

Log:
  Keep state incorrectly assumes keep frags. This is counter to the
  ipfilter man pages. This also currently restricts keep frags to only when
  keep state is used, which is redundant because keep state currently
  assumes keep frags. This commit fixes this.
  
  To the user this change means that to maintain the current behaviour
  one must add keep frags to any ipfilter keep state rule (as documented
  in the man pages).
  
  This patch also allows the flexibility to specify and use keep frags
  separate from keep state, as documented in an example in ipf.conf.5,
  instead of the currently broken behaviour.
  
  Relnotes:	yes

Modified:
  head/sys/contrib/ipfilter/netinet/fil.c
  head/sys/contrib/ipfilter/netinet/ip_state.c

Modified: head/sys/contrib/ipfilter/netinet/fil.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/fil.c	Fri Apr 14 03:54:36 2017	(r316809)
+++ head/sys/contrib/ipfilter/netinet/fil.c	Fri Apr 14 05:12:01 2017	(r316810)
@@ -2786,7 +2786,7 @@ ipf_firewall(fin, passp)
 	 * If the rule has "keep frag" and the packet is actually a fragment,
 	 * then create a fragment state entry.
 	 */
-	if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+	if (pass & FR_KEEPFRAG) {
 		if (fin->fin_flx & FI_FRAG) {
 			if (ipf_frag_new(softc, fin, pass) == -1) {
 				LBUMP(ipf_stats[out].fr_bnfr);
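Review bot: dropping the FR_KEEPSTATE exclusion means a rule carrying both "keep state" and "keep frags" now reaches ipf_frag_new() here in ipf_firewall() as well as on the state path in ipf_state_check(); it is worth confirming that both paths cannot fire for the same fragment, or that ipf_frag_new() tolerates an existing entry, since this hunk counts a -1 return against fr_bnfr. The new condition does match the block comment ("If the rule has 'keep frag'"), so the comment needs no change; a one-line note that "keep state" alone no longer implies fragment tracking would help readers of this code who know the old behaviour.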

Modified: head/sys/contrib/ipfilter/netinet/ip_state.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/ip_state.c	Fri Apr 14 03:54:36 2017	(r316809)
+++ head/sys/contrib/ipfilter/netinet/ip_state.c	Fri Apr 14 05:12:01 2017	(r316810)
@@ -3414,7 +3414,8 @@ ipf_state_check(fin, passp)
 	 * If this packet is a fragment and the rule says to track fragments,
 	 * then create a new fragment cache entry.
 	 */
-	if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
+	if (((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass)) &&
+	   ((is->is_pass & FR_KEEPFRAG)))
 		(void) ipf_frag_new(softc, fin, is->is_pass);
 
 	/*
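Review bot: the added operand is double-parenthesised, `((is->is_pass & FR_KEEPFRAG))`, and the whole left side is wrapped again, which hides the three-way test; `if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass) && (is->is_pass & FR_KEEPFRAG))` reads more easily, and the continuation line should be indented with a tab plus four spaces rather than three spaces to match the surrounding style. Unlike the fil.c hunk, the return value of ipf_frag_new() is still cast to void here, so a failed fragment-entry creation on the state path is silently dropped while the rule path bumps fr_bnfr; consider handling the -1 case the same way in both places.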
