reassembled packets and pfil
Matthew Luckie
mjl at luckie.org.nz
Tue Apr 13 02:26:52 UTC 2010
Hi
Reassembled packets are not passed to the packet filter interface for
both IPv4 and IPv6, so a firewall has no effect if the packets arrive
in fragments. Here is a patch to fix this for IPv6. The patch for
IPv4 is similarly trivial, but I have not written / tested it yet.
Is there any particular reason why reassembled packets were not
checked? If the answer is no, I'll send in a PR.
I've tested the patch below.
Matthew
--- sys/netinet6/frag6.c.orig 2008-11-25 15:59:29.000000000 +1300
+++ sys/netinet6/frag6.c 2010-04-13 13:21:02.000000000 +1200
@@ -46,6 +46,7 @@ __FBSDID("$FreeBSD: src/sys/netinet6/fra
#include <net/if.h>
#include <net/route.h>
+#include <net/pfil.h>
#include <netinet/in.h>
#include <netinet/in_var.h>
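Review bot: <net/pfil.h> declares PFIL_HOOKED() and pfil_run_hooks() but not inet6_pfil_hook itself, so the second hunk also depends on frag6.c already pulling in the header that declares that pfil_head (it is not visible in this context); please confirm it is already included, or add it in this hunk so the build does not rely on an incidental include. Minor style point: the new include lands between <net/route.h> and <netinet/in.h>, which keeps the <net/...> group together, so the placement is fine.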
@@ -568,6 +569,13 @@ insert:
*offp = offset;
IP6Q_UNLOCK();
+
+ if (PFIL_HOOKED(&inet6_pfil_hook) &&
+ (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) ||
+ m == NULL)) {
+ return IPPROTO_DONE;
+ }
+
return nxt;
dropfrag:
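Review bot: pfil_run_hooks() is given &m and may replace the mbuf chain (or set m to NULL after consuming it), but the only output parameter updated in the visible lines is *offp; if the reassembled mbuf was already stored into *mp earlier in this function, that assignment must be repeated after the hook call, e.g. by adding "*mp = m;" immediately before "return nxt;", otherwise the caller continues with a stale pointer whenever a filter rewrites the chain. The drop path looks right: a non-zero return from pfil_run_hooks() means the hook already freed the mbuf, and the explicit "m == NULL" test covers a hook that consumed it, so returning IPPROTO_DONE without touching m is correct in both cases. Two smaller points: the pfil_run_hooks() line exceeds 80 columns and should be wrapped per style(9), and the patch should be accompanied by a note (or a comment above the block) saying that the reassembled datagram is passed to the PFIL_IN hooks a second time after the individual fragments already went through them in ip6_input(), so that the double visit is documented as intended.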