mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-10-18 02:19:39 +00:00
Code Issues Releases Activity

pf: deduplicate IPv4 and IPv6 code that handles fragments

Browse Source 
Deduplicate IPv4 and IPv6 code that handles fragments that have not
been reassembled by normalization.
ok henning claudio

Obtained from:	OpenBSD, bluhm <bluhm@openbsd.org>, ddd2494207
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D46934
This commit is contained in:
Kristof Provost 2024-10-02 08:47:52 +02:00
parent 6562157dfa
commit abc8996e7f
1 changed files with 16 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
sys/netpfil/pf/pf.c
View File

@ -8697,21 +8697,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
if (h->ip_hl > 5) /* has options */
pd->badopts++;
if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
/*
* handle fragments that aren't reassembled by
* normalization
*/
if (h->ip_off & htons(IP_MF | IP_OFFMASK))
pd->virtual_proto = PF_VPROTO_FRAGMENT;
if (kif == NULL || r == NULL) /* pflog */
*action = PF_DROP;
else
*action = pf_test_rule(r, s, kif, m, *off,
pd, a, ruleset, inp, *hdrlen);
if (*action != PF_PASS)
REASON_SET(reason, PFRES_FRAG);
return (-1);
}
break;
}
@ -8798,21 +8785,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
return (-1);
}
if (fragoff != 0) {
/*
* handle fragments that aren't reassembled by
* normalization
*/
if (fragoff != 0)
pd->virtual_proto = PF_VPROTO_FRAGMENT;
if (kif == NULL || r == NULL) /* pflog */
*action = PF_DROP;
else
*action = pf_test_rule(r, s, kif, m, *off,
pd, a, ruleset, NULL /* XXX TODO */, *hdrlen);
if (*action != PF_PASS)
REASON_SET(reason, PFRES_FRAG);
return (-1);
}
break;
}
@ -8821,7 +8795,20 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
panic("pf_setup_pdesc called with illegal af %u", af);
}
switch (pd->proto) {
switch (pd->virtual_proto) {
case PF_VPROTO_FRAGMENT:
/*
* handle fragments that aren't reassembled by
* normalization
*/
if (kif == NULL || r == NULL) /* pflog */
*action = PF_DROP;
else
*action = pf_test_rule(r, s, kif, m, *off, pd, a,
ruleset, inp, *hdrlen);
if (*action != PF_PASS)
REASON_SET(reason, PFRES_FRAG);
return (-1);
case IPPROTO_TCP: {
struct tcphdr *th = &pd->hdr.tcp;