path: root/sys/netinet/ip_fw.c
authorrwatson <rwatson@FreeBSD.org>2001-01-09 03:10:30 +0000
committerrwatson <rwatson@FreeBSD.org>2001-01-09 03:10:30 +0000
commitc4fb1f7419a715bf4407f248c373b9526e1e746f (patch)
treed19eec25f1660a1ba339672a49a0ae347602778c /sys/netinet/ip_fw.c
parent7825fe8202cfc1f9cce34390693bcdbd7d9882b9 (diff)
downloadFreeBSD-src-c4fb1f7419a715bf4407f248c373b9526e1e746f.zip
FreeBSD-src-c4fb1f7419a715bf4407f248c373b9526e1e746f.tar.gz
o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets. This patch stops overloading those bits in the IP firewall rules, and moves colliding flags to a separate field, ipflg. The IPFW userland management tool, ipfw(8), is updated to reflect this change. New TCP flags related to ECN are now included in tcp.h for reference, although we don't currently implement TCP+ECN. o To use this fix without completely rebuilding, it is sufficient to copy ip_fw.h and tcp.h into your appropriate include directory, then rebuild the ipfw kernel module, and ipfw tool, and install both. Note that a mismatch between module and userland tool will result in incorrect installation of firewall rules that may have unexpected effects. This is an MFC candidate, following shakedown. This bug does not appear to affect ipfilter. Reviewed by: security-officer, billf Reported by: Aragon Gouveia <aragon@phat.za.net>
Diffstat (limited to 'sys/netinet/ip_fw.c')
-rw-r--r--sys/netinet/ip_fw.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 7e69223..3f3d325 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -244,10 +244,16 @@ static int
tcpflg_match(struct tcphdr *tcp, struct ip_fw *f)
{
u_char flg_set, flg_clr;
-
- if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) &&
- (tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK)))
- return 1;
+
+ /*
+ * If an established connection is required, reject packets that
+ * have only SYN of RST|ACK|SYN set. Otherwise, fall through to
+ * other flag requirements.
+ */
+ if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
+ ((tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK |
+ IP_FW_TCPF_SYN)) == IP_FW_TCPF_SYN))
+ return 0;
flg_set = tcp->th_flags & f->fw_tcpf;
flg_clr = tcp->th_flags & f->fw_tcpnf;
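Review bot: The new established test at the top of tcpflg_match rejects only a bare SYN (SYN set, RST and ACK clear), so a segment with none of SYN, ACK or RST set — th_flags == 0 or FIN-only, as sent by null/FIN scans — is now treated as established and falls through to the fw_tcpf/fw_tcpnf comparison, where a rule carrying no other flag requirement will presumably match it. The code being removed returned a match only when RST or ACK was present; if that is the intended meaning of established, the guard should be `if ((f->fw_ipflg & IP_FW_IF_TCPEST) && !(tcp->th_flags & (IP_FW_TCPF_RST | IP_FW_TCPF_ACK))) return 0;` with the comment above it reworded to "reject packets that have neither RST nor ACK set". Whether a rule with only established set really reaches that comparison with fw_tcpf and fw_tcpnf both zero depends on the rest of the function, whose return statement is below the hunk.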
@@ -1243,7 +1249,9 @@ again:
if (f->fw_ipflg & IP_FW_IF_TCPOPT && !tcpopts_match(tcp, f))
continue;
- if (f->fw_ipflg & IP_FW_IF_TCPFLG && !tcpflg_match(tcp, f))
+ if (((f->fw_ipflg & IP_FW_IF_TCPFLG) ||
+ (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
+ !tcpflg_match(tcp, f))
continue;
if (f->fw_ipflg & IP_FW_IF_TCPSEQ && tcp->th_seq != f->fw_tcpseq)
continue;
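Review bot: The two separate tests of f->fw_ipflg on the added lines can be one mask test, `if ((f->fw_ipflg & (IP_FW_IF_TCPFLG | IP_FW_IF_TCPEST)) && !tcpflg_match(tcp, f))`, which reads the same way as the neighbouring IP_FW_IF_TCPOPT and IP_FW_IF_TCPSEQ checks. The enclosing function starts and ends outside the hunk, so the guard that ensures tcp points at a complete TCP header (protocol and fragment-offset checks) before these dereferences is not visible here; presumably it sits earlier in the chain walk, but it is worth confirming since tcpflg_match now runs for rules that previously never called it.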