Date:      Wed, 26 Apr 2017 02:37:26 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r317434 - in stable: 10 10/sys/contrib/ipfilter/netinet 11 11/sys/contrib/ipfilter/netinet
Message-ID:  <201704260237.v3Q2bQVv013871@repo.freebsd.org>

Author: cy
Date: Wed Apr 26 02:37:25 2017
New Revision: 317434
URL: https://svnweb.freebsd.org/changeset/base/317434

Log:
  MFC r316810, r316814, r316816, r316991:
  
  Keep state incorrectly assumes keep frags. This is counter to the
  ipfilter man pages. This also currently restricts keep frags to only when
  keep state is used, which is redundant because keep state currently
  assumes keep frags. This commit fixes this.
  
  To the user this change means that to maintain the current behaviour
  one must add keep frags to any ipfilter keep state rule (as documented
  in the man pages).
  
  This patch also allows the flexibility to specify and use keep frags
  separate from keep state, as documented in an example in ipf.conf.5,
  instead of the currently broken behaviour.
  
  MFC suggested by:	rgrimes
  Relnotes:		yes

Modified:
  stable/10/UPDATING
  stable/10/sys/contrib/ipfilter/netinet/fil.c
  stable/10/sys/contrib/ipfilter/netinet/ip_state.c
Directory Properties:
  stable/10/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/11/UPDATING
  stable/11/sys/contrib/ipfilter/netinet/fil.c
  stable/11/sys/contrib/ipfilter/netinet/ip_state.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/10/UPDATING
==============================================================================
--- stable/10/UPDATING	Wed Apr 26 01:08:25 2017	(r317433)
+++ stable/10/UPDATING	Wed Apr 26 02:37:25 2017	(r317434)
@@ -16,6 +16,15 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20170413:
+	As of r316810 for ipfilter, keep frags is no longer assumed when
+	keep state is specified in a rule. r316810 aligns ipfilter with
+	documentation in man pages separating keep frags from keep state.
+	This allows keep state to specified without forcing keep frags
+	and allows keep frags to be specified independently of keep state.
+	To maintain previous behaviour, also specify keep frags with
+	keep state (as documented in ipf.conf.5).
+
 20170323:
 	The code that provides support for ZFS .zfs/ directory functionality
 	has been reimplemented.  It's not possible now to create a snapshot
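Review bot: the new 20170413 UPDATING entry has a grammatical slip in its fifth line, "This allows keep state to specified without forcing keep frags", which should read "This allows keep state to be specified without forcing keep frags". Since this is the text administrators will read when deciding whether their rulesets need "keep frags" added, it is worth fixing before the entry ships.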

Modified: stable/10/sys/contrib/ipfilter/netinet/fil.c
==============================================================================
--- stable/10/sys/contrib/ipfilter/netinet/fil.c	Wed Apr 26 01:08:25 2017	(r317433)
+++ stable/10/sys/contrib/ipfilter/netinet/fil.c	Wed Apr 26 02:37:25 2017	(r317434)
@@ -2752,7 +2752,7 @@ ipf_firewall(fin, passp)
 	 * If the rule has "keep frag" and the packet is actually a fragment,
 	 * then create a fragment state entry.
 	 */
-	if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+	if (pass & FR_KEEPFRAG) {
 		if (fin->fin_flx & FI_FRAG) {
 			if (ipf_frag_new(softc, fin, pass) == -1) {
 				LBUMP(ipf_stats[out].fr_bnfr);
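Review bot: the old mask test `(pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG` deliberately excluded rules that carry both keep state and keep frags from creating the fragment entry here, and the replacement `if (pass & FR_KEEPFRAG)` now admits them. The ip_state.c hunk in this same revision also calls `ipf_frag_new(softc, fin, is->is_pass)` under an `is_pass & FR_KEEPFRAG` test, so please confirm that a fragment matching a rule with both flags does not now get `ipf_frag_new` called for it twice (once in ipf_firewall, once in ipf_state_check), or that `ipf_frag_new` tolerates an already-present entry; a one-line comment here explaining why the exclusion was dropped would help the next reader.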

Modified: stable/10/sys/contrib/ipfilter/netinet/ip_state.c
==============================================================================
--- stable/10/sys/contrib/ipfilter/netinet/ip_state.c	Wed Apr 26 01:08:25 2017	(r317433)
+++ stable/10/sys/contrib/ipfilter/netinet/ip_state.c	Wed Apr 26 02:37:25 2017	(r317434)
@@ -3408,7 +3408,8 @@ ipf_state_check(fin, passp)
 	 * If this packet is a fragment and the rule says to track fragments,
 	 * then create a new fragment cache entry.
 	 */
-	if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
+	if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&
+	   is->is_pass & FR_KEEPFRAG)
 		(void) ipf_frag_new(softc, fin, is->is_pass);
 
 	/*
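Review bot: the new condition mixes bitwise `&` and logical `&&` without parentheses, `fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) && is->is_pass & FR_KEEPFRAG`. It is correct because `&` binds tighter than `&&`, but the line it replaces parenthesised `(fin->fin_flx & FI_FRAG)`, and keeping that style, i.e. `(fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass) && (is->is_pass & FR_KEEPFRAG)`, makes the intent obvious and avoids precedence warnings from stricter compiler settings. The continuation line's indentation (tab plus three spaces) also differs from the surrounding code's tab-based alignment.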
