From owner-freebsd-ipfw Fri Jun 21 7:38:28 2002
Date: Fri, 21 Jun 2002 07:38:04 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: a bug in divert handling of fragments
Message-ID: <20020621073804.B79754@iguana.icir.org>

Hi,

there is a case with divert/tee of fragmented packets on which I would like
clarifications: in ip_input.c::ip_reass(), a comment says:

    #ifdef IPDIVERT
        /*
         * Transfer firewall instructions to the fragment structure.
         * Any fragment diverting causes the whole packet to divert.
         */
        fp->ipq_div_info = *divinfo;
        fp->ipq_div_cookie = *divert_rule;
        *divinfo = 0;
        *divert_rule = 0;
    #endif

However, the code as you see above does not check for existing divert info,
and just overrides whatever state was there with info from the latest
incoming fragment. This is in disagreement with the comment, and almost
certainly not what one wants, so I believe this has to be fixed.

I see two possible alternatives:

  #1: only trust divert info for the fragment with offset 0 (i.e. the one
      which should have headers etc.)

  #2: keep as good the info from the first incoming fragment with a
      non-zero *divinfo (i.e. one which matched a divert rule).

I would prefer #1 because it is less prone to attacks and easier to
implement, and also because there is a lot more information that the
firewall can use to select the packet.

Comments anyone?
cheers
luigi
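The following is an added illustration, not code from the message above or from the FreeBSD source tree. It models the divert state of a reassembly queue with a simplified struct (the ipq_div_info / ipq_div_cookie fields are reduced to two integers, and the fragment offset is carried alongside the divert state) and replays two constructed fragment sequences under three policies: the unconditional override quoted from ip_reass(), alternative #1 (trust only the offset-0 fragment) and alternative #2 (keep the first non-zero divert info). The port number 8668 and rule number 100 are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not the kernel's struct ipq) of the
 * divert-related state kept per reassembly queue. */
struct frag_queue {
    uint16_t div_info;   /* divert port the packet goes to, 0 = not diverted */
    uint16_t div_cookie; /* number of the firewall rule that matched */
};

/* One incoming fragment together with the divert state the firewall
 * attached to it before ip_reass() was called. */
struct fragment {
    uint16_t offset;     /* fragment offset; 0 = fragment carrying the headers */
    uint16_t div_info;   /* 0 when no divert rule matched this fragment */
    uint16_t div_cookie;
};

enum transfer_policy {
    POLICY_LATEST,       /* code quoted in the message: override unconditionally */
    POLICY_OFFSET0,      /* alternative #1: trust only the offset-0 fragment */
    POLICY_FIRST_NONZERO /* alternative #2: keep the first non-zero divert info */
};

/* Mirror of the #ifdef IPDIVERT block, with the policy made explicit. */
static void transfer_divert_info(struct frag_queue *fp,
                                 const struct fragment *f,
                                 enum transfer_policy policy)
{
    switch (policy) {
    case POLICY_LATEST:
        /* Whatever the queue already held is lost here. */
        fp->div_info = f->div_info;
        fp->div_cookie = f->div_cookie;
        break;
    case POLICY_OFFSET0:
        if (f->offset == 0) {
            fp->div_info = f->div_info;
            fp->div_cookie = f->div_cookie;
        }
        break;
    case POLICY_FIRST_NONZERO:
        if (fp->div_info == 0 && f->div_info != 0) {
            fp->div_info = f->div_info;
            fp->div_cookie = f->div_cookie;
        }
        break;
    }
}

/* Feed a fragment sequence to a fresh queue and return the divert port the
 * reassembled packet would end up with (0 = delivered without diverting). */
uint16_t reassemble_divert_port(const struct fragment *frags, size_t n,
                                enum transfer_policy policy)
{
    struct frag_queue fp = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        transfer_divert_info(&fp, &frags[i], policy);
    return fp.div_info;
}

/* Constructed scenario 1: the header fragment matched a divert rule, the
 * second fragment (no transport header, so nothing to match on) did not. */
static const struct fragment in_order[] = {
    { 0, 8668, 100 },
    { 8,    0,   0 },
};

/* Constructed scenario 2: fragments arrive out of order and only the
 * non-first one carries divert state. */
static const struct fragment out_of_order[] = {
    { 8, 8668, 100 },
    { 0,    0,   0 },
};

int main(void)
{
    printf("in order:     latest=%u offset0=%u first-nonzero=%u\n",
           reassemble_divert_port(in_order, 2, POLICY_LATEST),
           reassemble_divert_port(in_order, 2, POLICY_OFFSET0),
           reassemble_divert_port(in_order, 2, POLICY_FIRST_NONZERO));
    printf("out of order: latest=%u offset0=%u first-nonzero=%u\n",
           reassemble_divert_port(out_of_order, 2, POLICY_LATEST),
           reassemble_divert_port(out_of_order, 2, POLICY_OFFSET0),
           reassemble_divert_port(out_of_order, 2, POLICY_FIRST_NONZERO));
    return 0;
}
```

In the in-order case the unconditional override drops the divert decision made on the header fragment as soon as a later fragment arrives, so the reassembled packet bypasses the divert socket; both alternatives keep it. The out-of-order case is where the two alternatives differ: #2 honours a divert match made on a fragment that carries no headers, while #1 only acts on the fragment the firewall could actually inspect, which is the property the message cites in preferring it.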