diff options
author | sjg <sjg@FreeBSD.org> | 2013-09-05 20:18:59 +0000 |
---|---|---|
committer | sjg <sjg@FreeBSD.org> | 2013-09-05 20:18:59 +0000 |
commit | 62bb1062226d3ce6a2350808256a25508978352d (patch) | |
tree | 22b131dceb13c3df96da594fbaadb693504797c7 /sbin/ipfw | |
parent | 72ab90509b3a51ab361bf710338f2ef44a4e360d (diff) | |
parent | 04932445481c2cb89ff69a83b961bdef3d64757e (diff) | |
download | FreeBSD-src-62bb1062226d3ce6a2350808256a25508978352d.zip FreeBSD-src-62bb1062226d3ce6a2350808256a25508978352d.tar.gz |
Merge from head
Diffstat (limited to 'sbin/ipfw')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 10 | ||||
-rw-r--r-- | sbin/ipfw/ipfw2.c | 38 |
2 files changed, 24 insertions, 24 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 2047385..65fa334 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -3049,16 +3049,6 @@ option could be used to (re)mark user traffic, by adding the following to the appropriate place in ruleset: .Pp .Dl "ipfw add setdscp be ip from any to any dscp af11,af21" -.Pp -This rule drops all incoming packets that appear to be coming from another -directly connected system but on the wrong interface. -For example, a packet with a source address of -.Li 192.168.0.0/24 , -configured on -.Li fxp0 , -but coming in on -.Li fxp1 -would be dropped. .Ss DYNAMIC RULES In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules: diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c index 5b37995..577d644 100644 --- a/sbin/ipfw/ipfw2.c +++ b/sbin/ipfw/ipfw2.c @@ -2779,13 +2779,19 @@ static ipfw_insn * add_src(ipfw_insn *cmd, char *av, u_char proto, int cblen) { struct in6_addr a; - char *host, *ch; + char *host, *ch, buf[INET6_ADDRSTRLEN]; ipfw_insn *ret = NULL; - - if ((host = strdup(av)) == NULL) - return NULL; - if ((ch = strrchr(host, '/')) != NULL) - *ch = '\0'; + int len; + + /* Copy first address in set if needed */ + if ((ch = strpbrk(av, "/,")) != NULL) { + len = ch - av; + strlcpy(buf, av, sizeof(buf)); + if (len < sizeof(buf)) + buf[len] = '\0'; + host = buf; + } else + host = av; if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || inet_pton(AF_INET6, host, &a) == 1) @@ -2797,7 +2803,6 @@ add_src(ipfw_insn *cmd, char *av, u_char proto, int cblen) if (ret == NULL && strcmp(av, "any") != 0) ret = cmd; - free(host); return ret; } @@ -2805,13 +2810,19 @@ static ipfw_insn * add_dst(ipfw_insn *cmd, char *av, u_char proto, int cblen) { struct in6_addr a; - char *host, *ch; + char *host, *ch, buf[INET6_ADDRSTRLEN]; ipfw_insn *ret = NULL; - - if ((host = strdup(av)) == NULL) - return NULL; - if ((ch = strrchr(host, '/')) != NULL) - *ch = '\0'; + int len; + + /* Copy first address in set if needed */ + if ((ch = strpbrk(av, "/,")) != NULL) { + len = ch - av; + strlcpy(buf, av, sizeof(buf)); + if (len < sizeof(buf)) + buf[len] = '\0'; + host = buf; + } else + host = av; if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 || inet_pton(AF_INET6, host, &a) == 1) @@ -2823,7 +2834,6 @@ add_dst(ipfw_insn *cmd, char *av, u_char proto, int cblen) if (ret == NULL && strcmp(av, "any") != 0) ret = cmd; - free(host); return ret; } |