> Author: ae
> Date: Mon Mar 12 09:40:46 2018
> New Revision: 330792
> URL: https://svnweb.freebsd.org/changeset/base/330792
> 
> Log:
>   Do not try to reassemble IPv6 fragments in "reass" rule.
>   
>   ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets
>   that it gets. Until proper IPv6 fragments handling function will be
>   implemented, pass IPv6 packets to next rule.

Thank you!  This should simplify some discussion occurring about
/etc/rc.firewall in workstation mode and the fact it does not
handle fragmentation correctly; part of fixing that involved
being sure to only pass IPv4 to a reass rule.  With this fix that
shall no longer be necessary.

https://reviews.freebsd.org/D9920


>   PR:         170604
>   MFC after:  1 week
> 
> Modified:
>   head/sbin/ipfw/ipfw.8
>   head/sys/netpfil/ipfw/ip_fw2.c
> 
> Modified: head/sbin/ipfw/ipfw.8
> ==============================================================================
> --- head/sbin/ipfw/ipfw.8     Mon Mar 12 05:41:27 2018        (r330791)
> +++ head/sbin/ipfw/ipfw.8     Mon Mar 12 09:40:46 2018        (r330792)
> @@ -1,7 +1,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd November 26, 2017
> +.Dd March 12, 2018
>  .Dt IPFW 8
>  .Os
>  .Sh NAME
> @@ -1135,7 +1135,7 @@ Regardless of matched a packet or not by the
>  .Cm tcp-setmss
>  rule, the search continues with the next rule.
>  .It Cm reass
> -Queue and reassemble IP fragments.
> +Queue and reassemble IPv4 fragments.
>  If the packet is not fragmented, counters are updated and
>  processing continues with the next rule.
>  If the packet is the last logical fragment, the packet is reassembled and, if
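
Review bot: The revised reass description, at "Queue and reassemble IPv4
fragments.", still does not say what the rule does with an IPv6 packet.
The log message says IPv6 packets are passed to the next rule, so a
sentence here stating that IPv6 packets continue with the next rule
without reassembly would tell ruleset authors that rules after reass
can still see IPv6 fragments.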
> 
> Modified: head/sys/netpfil/ipfw/ip_fw2.c
> ==============================================================================
> --- head/sys/netpfil/ipfw/ip_fw2.c    Mon Mar 12 05:41:27 2018        
> (r330791)
> +++ head/sys/netpfil/ipfw/ip_fw2.c    Mon Mar 12 09:40:46 2018        
> (r330792)
> @@ -3018,8 +3018,10 @@ do {                                                   
>         \
>                       case O_REASS: {
>                               int ip_off;
>  
> -                             IPFW_INC_RULE_COUNTER(f, pktlen);
>                               l = 0;  /* in any case exit inner loop */
> +                             if (is_ipv6) /* IPv6 is not supported yet */
> +                                     break;
> +                             IPFW_INC_RULE_COUNTER(f, pktlen);
>                               ip_off = ntohs(ip->ip_off);
>  
>                               /* if not fragmented, go to next rule */
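
Review bot: In the O_REASS case the new "if (is_ipv6) break;" now runs
before IPFW_INC_RULE_COUNTER(f, pktlen), so IPv6 packets move on to the
next rule without updating this rule's counters, while the ipfw.8 text
in the same commit still reads "If the packet is not fragmented,
counters are updated" with no IPv4 qualifier. Either keep the counter
update ahead of the IPv6 check or document that IPv6 packets are not
counted; as written, the counters of a reass rule give no indication
that IPv6 fragments passed through it unreassembled.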
> 
> 

-- 
Rod Grimes                                                 rgri...@freebsd.org
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head