Date:      Wed, 26 Jun 2019 00:53:43 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r349399 - head/sys/contrib/ipfilter/netinet
Message-ID:  <201906260053.x5Q0rhZs058600@repo.freebsd.org>

Author: cy
Date: Wed Jun 26 00:53:43 2019
New Revision: 349399
URL: https://svnweb.freebsd.org/changeset/base/349399

Log:
  Prompted by r349366, ipfilter also does not conform to RFC 3128
  by dropping TCP fragments with offset = 1.
  
  In addition to dropping these fragments, add a DTrace probe to allow
  for more detailed monitoring and diagnosis if required.
  
  MFC after:	1 week

Modified:
  head/sys/contrib/ipfilter/netinet/fil.c

Modified: head/sys/contrib/ipfilter/netinet/fil.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/fil.c	Wed Jun 26 00:06:41 2019	(r349398)
+++ head/sys/contrib/ipfilter/netinet/fil.c	Wed Jun 26 00:53:43 2019	(r349399)
@@ -1723,6 +1723,10 @@ ipf_pr_ipv4hdr(fin)
 	 * calculate the byte offset that it represents.
 	 */
 	off &= IP_MF|IP_OFFMASK;
+	if (off == 1 && p == IPPROTO_TCP) {
+		fin->fin_flx |= FI_SHORT;	/* RFC 3128 */
+		DT1(ipf_fi_tcp_frag_off_1, fr_info_t *, fin);
+	}
 	if (off != 0) {
 		int morefrag = off & IP_MF;
 
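Review bot: the `off == 1` comparison in the added `if` is made on a value that still carries the IP_MF bit, because the line above masks with `IP_MF|IP_OFFMASK` and the following `int morefrag = off & IP_MF;` reads that bit from the same variable. A TCP fragment with offset 1 and more-fragments set would have `off` equal to `IP_MF | 1`, so it would get neither the FI_SHORT flag nor the `ipf_fi_tcp_frag_off_1` probe. Suggest testing `(off & IP_OFFMASK) == 1` so the check depends on the fragment offset alone. The `/* RFC 3128 */` comment could also say in a few words why offset 1 is treated as short, since the reason is not evident from the code.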


