author | kp <kp@FreeBSD.org> | 2015-08-27 21:27:47 +0000
---|---|---
committer | kp <kp@FreeBSD.org> | 2015-08-27 21:27:47 +0000
commit | 2a1a59d8e1c46cc8561f02b5a184abab46e3b7d4 (patch) |
tree | 9ba100542f23930b13f3b6387f6c00d2bd5f2016 /sbin |
parent | c7248d07606bf4db17d97f155ab15f66110f0fda (diff) |
download | FreeBSD-src-2a1a59d8e1c46cc8561f02b5a184abab46e3b7d4.zip FreeBSD-src-2a1a59d8e1c46cc8561f02b5a184abab46e3b7d4.tar.gz |
pf: Remove support for 'scrub fragment crop|drop-ovl'
The crop/drop-ovl fragment scrub modes are not very useful and likely to confuse
users into making poor choices.
It's also a fairly large amount of complex code, so just remove the support
altogether.
Users who have 'scrub fragment crop|drop-ovl' in their pf configuration will be
implicitly converted to 'scrub fragment reassemble'.
Reviewed by: gnn, eri
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D3466
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/pfctl/parse.y | 4
-rw-r--r-- | sbin/pfctl/pfctl_parser.c | 7
2 files changed, 3 insertions, 8 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 676d768..9b22a6b 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1197,8 +1197,8 @@ scrub_opt : NODF { ; fragcache : FRAGMENT REASSEMBLE { $$ = 0; /* default */ } - | FRAGMENT FRAGCROP { $$ = PFRULE_FRAGCROP; } - | FRAGMENT FRAGDROP { $$ = PFRULE_FRAGDROP; } + | FRAGMENT FRAGCROP { $$ = 0; } + | FRAGMENT FRAGDROP { $$ = 0; } ; antispoof : ANTISPOOF logquick antispoof_ifspc af antispoof_opts { diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 1f4375a..2b553ce 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -990,12 +990,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose, int numeric) if (r->rule_flag & PFRULE_REASSEMBLE_TCP) printf(" reassemble tcp"); - if (r->rule_flag & PFRULE_FRAGDROP) - printf(" fragment drop-ovl"); - else if (r->rule_flag & PFRULE_FRAGCROP) - printf(" fragment crop"); - else - printf(" fragment reassemble"); + printf(" fragment reassemble"); } if (r->label[0]) printf(" label \"%s\"", r->label); |
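Review bot: in the parse.y hunk, the `FRAGMENT FRAGCROP` and `FRAGMENT FRAGDROP` alternatives now silently evaluate to `$$ = 0`, so a ruleset that still contains `scrub fragment crop` or `scrub fragment drop-ovl` loads without any indication that its semantics changed to reassembly. Consider emitting a deprecation warning from these two actions so an administrator reviewing the firewall sees the change at load time instead of discovering it from `pfctl -sr` output, and extend the `/* default */` comment on the REASSEMBLE alternative to say that all three keywords now select reassembly. Since the diffstat shown is limited to sbin, also confirm that the pf.conf(5) description of these keywords is updated elsewhere in the same commit.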
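Review bot: in the pfctl_parser.c hunk, print_rule() no longer inspects PFRULE_FRAGDROP or PFRULE_FRAGCROP and prints `fragment reassemble` unconditionally, so the displayed ruleset only reflects real behaviour if the kernel side of this change also stops honouring those flag bits on rules it receives; that part is not visible here because the diffstat is limited to sbin. If an older pfctl binary can still hand the kernel a rule with either bit set, the printed rules would misreport what the packet filter actually does with fragments, which matters when the output is used to audit the filter. Verify the flag definitions are removed or ignored on the kernel side in the same change, and mention the unconditional display in the release note alongside the implicit conversion.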