authorpiso <piso@FreeBSD.org>2009-04-01 20:23:47 +0000
committerpiso <piso@FreeBSD.org>2009-04-01 20:23:47 +0000
commitc9b4c109954a4dd9052f62f379febea366d11a07 (patch)
tree12380d32edc71a17a6bfe18bb48510a54c10f4f3 /sbin/ipfw
parente965f0a26dd194aa82e93f27e2493e7c4d0afea2 (diff)
Implement an ipfw action to reassemble ip packets: reass.
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.87
-rw-r--r--sbin/ipfw/ipfw2.c9
-rw-r--r--sbin/ipfw/ipfw2.h1
-rw-r--r--sbin/ipfw/main.c2
4 files changed, 18 insertions, 1 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index d163106..4cc2f9e 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -866,6 +866,13 @@ in any subsequent forwarding decisions.
Initially this is limited to the values 0 through 15, see
.Xr setfib 8 .
Processing continues at the next rule.
+.It Cm reass
+Queue and reassemble ip fragments.
+If the packet is not fragmented, counters are updated and processing continues with the next rule.
+If the packet is the last logical fragment, the packet is reassembled and, if
+.Va net.inet.ip.fw.one_pass
+is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates.
+If the packet is a fragment in the middle, it is consumed and processing stops immediately.
.El
.Ss RULE BODY
The body of a rule contains zero or more patterns (such as
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index c0dfac3..9d95ec4 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -211,6 +211,7 @@ static struct _s_x rule_actions[] = {
{ "check-state", TOK_CHECKSTATE },
{ "//", TOK_COMMENT },
{ "nat", TOK_NAT },
+ { "reass", TOK_REASS },
{ "setfib", TOK_SETFIB },
{ NULL, 0 } /* terminator */
};
@@ -1089,6 +1090,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
case O_SETFIB:
PRINT_UINT_ARG("setfib ", cmd->arg1);
break;
+
+ case O_REASS:
+ printf("reass");
+ break;
default:
printf("** unrecognized action %d len %d ",
@@ -2781,6 +2786,10 @@ chkarg:
ac--; av++;
break;
}
+
+ case TOK_REASS:
+ action->opcode = O_REASS;
+ break;
default:
errx(EX_DATAERR, "invalid action %s\n", av[-1]);
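Review bot: The new `case TOK_REASS:` in this hunk has no comment, although the action has a policy consequence that the bare opcode assignment does not show. According to the ipfw.8 text added in this same commit, once the last fragment arrives and `net.inet.ip.fw.one_pass` is not 0, the reassembled packet is allowed to pass and the search terminates, so filtering rules placed after `reass` never see the reassembled datagram. I would add `/* no argument; with one_pass set the reassembled packet is accepted without further rule matching, see ipfw(8) */` above `action->opcode = O_REASS;`. The enclosing function starts and ends outside the hunk.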
diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h
index 442e7b6..508bb6c 100644
--- a/sbin/ipfw/ipfw2.h
+++ b/sbin/ipfw/ipfw2.h
@@ -95,6 +95,7 @@ enum tokens {
TOK_UNREACH,
TOK_CHECKSTATE,
TOK_NAT,
+ TOK_REASS,
TOK_ALTQ,
TOK_LOG,
diff --git a/sbin/ipfw/main.c b/sbin/ipfw/main.c
index a83dd5f..3916057 100644
--- a/sbin/ipfw/main.c
+++ b/sbin/ipfw/main.c
@@ -54,7 +54,7 @@ help(void)
"RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
"ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n"
" skipto N | {divert|tee} PORT | forward ADDR |\n"
-" pipe N | queue N | nat N | setfib FIB\n"
+" pipe N | queue N | nat N | setfib FIB | reass\n"
"PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n"
"ADDR: [ MAC dst src ether_type ] \n"
" [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"