| field | value |
|---|---|
| author | alex <alex@FreeBSD.org>, 1998-02-12 00:57:06 +0000 |
| committer | alex <alex@FreeBSD.org>, 1998-02-12 00:57:06 +0000 |
| commit | 0fbf800481760f576d51aee10eefe415ac56ad5b |
| tree | 797efc4ee0cffbe27100802e4ec9e06304f3a6ea /sbin |
| parent | 95821ff4bae98b78e9504de70097bd6da35b7322 |
Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

- Do not match fragmented packets if the rule specifies a port or TCP flags
- Match fragmented packets if the rule does not specify a port and TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags. Both the kernel and the ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by: Archie Cobbs <archie@whistle.com>
Diffstat (limited to 'sbin')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | sbin/ipfw/ipfw.8 | 16 |
| -rw-r--r-- | sbin/ipfw/ipfw.c | 13 |

2 files changed, 27 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index b3eec6c..c070b2a 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -289,6 +289,12 @@ and the length of the port list is limited to .Pa /usr/src/sys/netinet/ip_fw.h ) ports. .Pp +Fragmented packets which have a non-zero offset (i.e. not the first +fragment) will never match a rule which has one or more port +specifications. See the +.Ar frag +option for details on matching fragmented packets. +.Pp Rules can apply to packets when they are incoming, or outgoing, or both. The .Ar in @@ -360,6 +366,10 @@ Additional .It frag Matches if the packet is a fragment and this is not the first fragment of the datagram. +.Ar frag +may not be used in conjunction with either +.Ar tcpflags +or TCP/UDP port specifications. .It in Matches if this packet was on the way in. .It out @@ -399,6 +409,12 @@ and .Ar urg . The absence of a particular flag may be denoted with a ``!''. +A rule which contains a +.Ar tcpflags +specification can never match a fragmented packet which has +a non-zero offset. See the +.Ar frag +option for details on matching fragmented packets. .It icmptypes Ar types Matches if the ICMP type is in the list .Ar types . diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c index 29300d1..5663ed7 100644 --- a/sbin/ipfw/ipfw.c +++ b/sbin/ipfw/ipfw.c @@ -16,7 +16,7 @@ * * NEW command line interface for IP firewall facility * - * $Id: ipfw.c,v 1.52 1998/01/08 00:27:31 alex Exp $ + * $Id: ipfw.c,v 1.53 1998/01/08 03:03:50 alex Exp $ * */ @@ -502,7 +502,7 @@ show_usage(const char *fmt, ...) " src: from [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n" " dst: to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n" " extras:\n" -" fragment\n" +" fragment (may not be used with ports or tcpflags)\n" " in\n" " out\n" " {xmit|recv|via} {iface|ip|any}\n" 
@@ -1108,6 +1108,15 @@ badviacombo: } else if ((rule.fw_flg & IP_FW_F_OIFACE) && (rule.fw_flg & IP_FW_F_IN)) show_usage("can't check xmit interface of incoming packets"); + /* frag may not be used in conjunction with ports or TCP flags */ + if (rule.fw_flg & IP_FW_F_FRAG) { + if (rule.fw_tcpf || rule.fw_tcpnf) + show_usage(EX_USAGE, "can't mix 'frag' and tcpflags"); + + if (rule.fw_nports) + show_usage(EX_USAGE, "can't mix 'frag' and port specifications"); + } + if (!do_quiet) show_ipfw(&rule, 10, 10); i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule); |
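Review bot: the two new `show_usage(EX_USAGE, "...")` calls in the `@@ -1108,6 +1108,15 @@` hunk of ipfw.c pass an exit code as the first argument, but the prototype visible in the `@@ -502,7 +502,7 @@` hunk is `show_usage(const char *fmt, ...)`, and the call immediately above the insertion point, `show_usage("can't check xmit interface of incoming packets");`, passes only the format string. As written, `EX_USAGE` would be bound to `fmt` and the message becomes a stray variadic argument. Either drop the first argument so the new calls match the existing ones, or change show_usage's signature and every caller in the same commit.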
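Review bot: the `@@ -289,6 +289,12 @@` hunk of ipfw.8 documents that a non-first fragment never matches a rule carrying port specifications, but neither it nor the `.It frag` text in the `@@ -360,6 +366,10 @@` hunk states the other half of the behaviour change from the commit message, namely that a rule with no ports and no tcpflags now matches non-first fragments. One sentence to that effect next to `See the .Ar frag option for details on matching fragmented packets.` would keep the manual page in step with the kernel change and make the BEWARE in the commit message visible to users reading the documentation.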