svn commit: r332209 - in stable/11: sbin/ipfw sys/netpfil/ipfw
Michael Tuexen
tuexen at FreeBSD.org
Sat Apr 7 19:38:56 UTC 2018
Author: tuexen
Date: Sat Apr 7 19:38:55 2018
New Revision: 332209
URL: https://svnweb.freebsd.org/changeset/base/332209
Log:
MFC r324216:
Fix a bug which avoided that rules for matching port numbers for SCTP
packets were actually matched.
While there, make clear in the man-page that SCTP port numbers are
supported in rules.
Modified:
stable/11/sbin/ipfw/ipfw.8
stable/11/sys/netpfil/ipfw/ip_fw2.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sbin/ipfw/ipfw.8
==============================================================================
--- stable/11/sbin/ipfw/ipfw.8 Sat Apr 7 19:29:19 2018 (r332208)
+++ stable/11/sbin/ipfw/ipfw.8 Sat Apr 7 19:38:55 2018 (r332209)
@@ -537,7 +537,7 @@ for filtering packets, among the following:
.It Layer-2 header fields
When available
.It IPv4 and IPv6 Protocol
-TCP, UDP, ICMP, etc.
+SCTP, TCP, UDP, ICMP, etc.
.It Source and dest. addresses and ports
.It Direction
See Section
@@ -1396,7 +1396,7 @@ error-prone.
No support for sets of IPv6 addresses is provided because IPv6 addresses
are typically random past the initial prefix.
.It Ar ports : Bro Ar port | port Ns \&- Ns Ar port Ns Brc Ns Op , Ns Ar ports
-For protocols which support port numbers (such as TCP and UDP), optional
+For protocols which support port numbers (such as SCTP, TCP and UDP), optional
.Cm ports
may be specified as one or more ports or port ranges, separated
by commas but no spaces, and an optional
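Review bot: the example list in the added line "such as SCTP, TCP and UDP" leaves out UDP-Lite, although the port check in ip_fw2.c touched by this same commit also accepts IPPROTO_UDPLITE. Consider "such as SCTP, TCP, UDP and UDP-Lite" so the man page names every protocol for which port rules are evaluated.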
Modified: stable/11/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- stable/11/sys/netpfil/ipfw/ip_fw2.c Sat Apr 7 19:29:19 2018 (r332208)
+++ stable/11/sys/netpfil/ipfw/ip_fw2.c Sat Apr 7 19:38:55 2018 (r332209)
@@ -1847,7 +1847,8 @@ do { \
*/
if ((proto == IPPROTO_UDP ||
proto == IPPROTO_UDPLITE ||
- proto == IPPROTO_TCP) && offset == 0) {
+ proto == IPPROTO_TCP ||
+ proto==IPPROTO_SCTP) && offset == 0) {
u_int16_t x =
(cmd->opcode == O_IP_SRCPORT) ?
src_port : dst_port ;
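Review bot: the added line `proto==IPPROTO_SCTP` has no spaces around `==`, unlike the three comparisons above it (for example `proto == IPPROTO_TCP`); write it as `proto == IPPROTO_SCTP` to match. The branch then reads src_port or dst_port, so please confirm that the SCTP header parsing earlier in the function fills both variables, since that code is not visible in this hunk. A regression test with an SCTP port rule would catch this class of silent non-match, where a rule is accepted but never applies.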