git: abc8996e7fa6 - main - pf: deduplicate IPv4 and IPv6 code that handles fragments
Date: Thu, 10 Oct 2024 12:37:23 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=abc8996e7fa6c3755306021bffbf58c707e33d18
commit abc8996e7fa6c3755306021bffbf58c707e33d18
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-10-02 06:47:52 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-10-10 12:10:40 +0000
pf: deduplicate IPv4 and IPv6 code that handles fragments
Deduplicate IPv4 and IPv6 code that handles fragments that have not
been reassembled by normalization.
ok henning claudio
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, ddd2494207
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46934
---
sys/netpfil/pf/pf.c | 45 ++++++++++++++++-----------------------------
1 file changed, 16 insertions(+), 29 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index cd90cc1c85c4..653365d42059 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8697,21 +8697,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
if (h->ip_hl > 5) /* has options */
pd->badopts++;
- if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
- /*
- * handle fragments that aren't reassembled by
- * normalization
- */
+ if (h->ip_off & htons(IP_MF | IP_OFFMASK))
pd->virtual_proto = PF_VPROTO_FRAGMENT;
- if (kif == NULL || r == NULL) /* pflog */
- *action = PF_DROP;
- else
- *action = pf_test_rule(r, s, kif, m, *off,
- pd, a, ruleset, inp, *hdrlen);
- if (*action != PF_PASS)
- REASON_SET(reason, PFRES_FRAG);
- return (-1);
- }
break;
}
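Review bot: With the early `return (-1)` removed from the IPv4 fragment branch, every packet that reaches the later `switch (pd->virtual_proto)` (third hunk) for non-fragment handling depends on pd->virtual_proto already having been assigned from pd->proto before this point; that assignment is not visible in any hunk, so it is worth confirming it precedes the fragment test for both address families, since an unset virtual_proto would presumably fall to the switch's default rather than to the protocol's header parsing. The single-statement `if` that remains here now only tags the packet and defers the drop/rule decision, which is not obvious from this case alone; a comment such as `/* tagged only; fragment handling happens in the virtual_proto switch below */` would keep that visible. The same observation applies to the IPv6 branch in the second hunk. pf_setup_pdesc begins and ends outside this hunk.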
@@ -8798,21 +8785,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
return (-1);
}
- if (fragoff != 0) {
- /*
- * handle fragments that aren't reassembled by
- * normalization
- */
+ if (fragoff != 0)
pd->virtual_proto = PF_VPROTO_FRAGMENT;
- if (kif == NULL || r == NULL) /* pflog */
- *action = PF_DROP;
- else
- *action = pf_test_rule(r, s, kif, m, *off,
- pd, a, ruleset, NULL /* XXX TODO */, *hdrlen);
- if (*action != PF_PASS)
- REASON_SET(reason, PFRES_FRAG);
- return (-1);
- }
break;
}
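Review bot: The removed IPv6 branch passed `NULL /* XXX TODO */` as the inp argument to pf_test_rule(), whereas the shared PF_VPROTO_FRAGMENT case introduced in the third hunk passes `inp` for both families, so for IPv6 fragments this is a behaviour change (the rule lookup now sees the socket context) rather than the pure deduplication the description states. If resolving the old XXX is intended, it deserves a sentence in the commit message; if there was a reason inp was withheld on the IPv6 path at this point, that reason should be re-checked before relying on the shared code. pf_setup_pdesc begins and ends outside this hunk.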
@@ -8821,7 +8795,20 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
panic("pf_setup_pdesc called with illegal af %u", af);
}
- switch (pd->proto) {
+ switch (pd->virtual_proto) {
+ case PF_VPROTO_FRAGMENT:
+ /*
+ * handle fragments that aren't reassembled by
+ * normalization
+ */
+ if (kif == NULL || r == NULL) /* pflog */
+ *action = PF_DROP;
+ else
+ *action = pf_test_rule(r, s, kif, m, *off, pd, a,
+ ruleset, inp, *hdrlen);
+ if (*action != PF_PASS)
+ REASON_SET(reason, PFRES_FRAG);
+ return (-1);
case IPPROTO_TCP: {
struct tcphdr *th = &pd->hdr.tcp;