authoralex <alex@FreeBSD.org>1998-02-12 00:57:06 +0000
committeralex <alex@FreeBSD.org>1998-02-12 00:57:06 +0000
commit0fbf800481760f576d51aee10eefe415ac56ad5b (patch)
tree797efc4ee0cffbe27100802e4ec9e06304f3a6ea /sbin/ipfw/ipfw.c
parent95821ff4bae98b78e9504de70097bd6da35b7322 (diff)
Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:
- Do not match fragmented packets if the rule specifies a port or TCP flags
- Match fragmented packets if the rule does not specify a port and TCP flags
Since ipfw cannot examine port numbers or TCP flags for such packets, it is now illegal to specify the 'frag' option with either ports or tcpflags. Both the kernel and the ipfw userland utility will reject rules containing a combination of these options.
BEWARE: packets that were previously passed may now be rejected, and vice versa.
Reviewed by: Archie Cobbs <archie@whistle.com>
Diffstat (limited to 'sbin/ipfw/ipfw.c')
-rw-r--r--sbin/ipfw/ipfw.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 29300d1..5663ed7 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -16,7 +16,7 @@
*
* NEW command line interface for IP firewall facility
*
- * $Id: ipfw.c,v 1.52 1998/01/08 00:27:31 alex Exp $
+ * $Id: ipfw.c,v 1.53 1998/01/08 03:03:50 alex Exp $
*
*/
@@ -502,7 +502,7 @@ show_usage(const char *fmt, ...)
" src: from [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
" dst: to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
" extras:\n"
-" fragment\n"
+" fragment (may not be used with ports or tcpflags)\n"
" in\n"
" out\n"
" {xmit|recv|via} {iface|ip|any}\n"
@@ -1108,6 +1108,15 @@ badviacombo:
} else if ((rule.fw_flg & IP_FW_F_OIFACE) && (rule.fw_flg & IP_FW_F_IN))
show_usage("can't check xmit interface of incoming packets");
+ /* frag may not be used in conjunction with ports or TCP flags */
+ if (rule.fw_flg & IP_FW_F_FRAG) {
+ if (rule.fw_tcpf || rule.fw_tcpnf)
+ show_usage(EX_USAGE, "can't mix 'frag' and tcpflags");
+
+ if (rule.fw_nports)
+ show_usage(EX_USAGE, "can't mix 'frag' and port specifications");
+ }
+
if (!do_quiet)
show_ipfw(&rule, 10, 10);
i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
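Review bot: The two added show_usage() calls pass EX_USAGE as the first argument, but the signature visible in the previous hunk's header (`show_usage(const char *fmt, ...)`) and the existing call on the line just above the insertion both take the format string first; unless show_usage was changed outside this diff, the integer is interpreted as the format pointer and these error paths would most likely fault instead of printing the intended message. The calls should match their neighbour: `show_usage("can't mix 'frag' and tcpflags");` and `show_usage("can't mix 'frag' and port specifications");`. The enclosing function (the rule-add path after `badviacombo:`) begins and ends outside the hunk, so any later prototype change is not visible here and should be confirmed.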