Hi,

Reassembled packets are not passed to the packet filter interface for both IPv4 and IPv6, so a firewall has no effect if the packets arrive in fragments. Here is a patch to fix this for IPv6. The patch for IPv4 is similarly trivial, but I have not written / tested it yet.
Is there any particular reason why reassembled packets were not checked? If the answer is no, I'll send in a PR. I've tested the patch below.

Matthew

--- sys/netinet6/frag6.c.orig 2008-11-25 15:59:29.000000000 +1300 +++ sys/netinet6/frag6.c 2010-04-13 13:21:02.000000000 +1200 @@ -46,6 +46,7 @@ __FBSDID("$FreeBSD: src/sys/netinet6/fra #include <net/if.h> #include <net/route.h> +#include <net/pfil.h> #include <netinet/in.h> #include <netinet/in_var.h> @@ -568,6 +569,13 @@ insert: *offp = offset; IP6Q_UNLOCK(); + + if (PFIL_HOOKED(&inet6_pfil_hook) && + (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) || + m == NULL)) { + return IPPROTO_DONE; + } + return nxt; dropfrag:
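Review bot: in the second hunk (after `IP6Q_UNLOCK();`), the hook is given `&m`, so a filter is allowed to replace the mbuf chain, but nothing in the hunk stores the possibly new `m` back into the caller's `*mp` before `return nxt;`; if `*mp` is assigned earlier in the function (outside the visible context, alongside `*offp = offset;`), add `*mp = m;` after the hook call so ip6_input does not continue with a stale pointer. The ordering `pfil_run_hooks(...) || m == NULL` is correct: when a hook returns an error it has already freed the mbuf, and when it consumes the packet it sets `m` to NULL, so `IPPROTO_DONE` is the right result in both cases. Running the unlock before the hook is also right, since filters must not be invoked with the reassembly queue lock held. Worth stating in the commit message and in a comment above the new block: each fragment has already passed the same `PFIL_IN` hook in ip6_input, so filters now see the reassembled packet a second time and rules that count or log will observe both the fragments and the whole packet. Finally, style(9) omits the braces around a single-statement `if` body.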