author | garga <garga@FreeBSD.org> | 2015-07-28 10:31:34 +0000 |
---|---|---|
committer | garga <garga@FreeBSD.org> | 2015-07-28 10:31:34 +0000 |
commit | e348ebeae9c4d64e7b54ea17ae7468cc91a3af71 | |
tree | e4f3e61d99232fd19cd2c05e27824d8721296ed4 /sys/netpfil/pf/pf.c | |
parent | 90f99cb0991cfa4a276b211eda75788855eea1dd | |
Respect pf rule log option before logging dropped packets with IP options or
dangerous v6 headers
Reviewed by: gnn, eri
Approved by: gnn
Obtained from: pfSense
MFC after: 3 days
Sponsored by: Netgate
Differential Revision: https://reviews.freebsd.org/D3222
Diffstat (limited to 'sys/netpfil/pf/pf.c')
-rw-r--r-- | sys/netpfil/pf/pf.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 122f026..49781a8 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5895,7 +5895,8 @@ done: !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { action = PF_DROP; REASON_SET(&reason, PFRES_IPOPTIONS); - log = 1; + if (r->log) + log = 1; DPFPRINTF(PF_DEBUG_MISC, ("pf: dropping packet with ip options\n")); } @@ -6329,7 +6330,8 @@ done: !((s && s->state_flags & PFSTATE_ALLOWOPTS) || r->allow_opts)) { action = PF_DROP; REASON_SET(&reason, PFRES_IPOPTIONS); - log = 1; + if (r->log) + log = 1; DPFPRINTF(PF_DEBUG_MISC, ("pf: dropping packet with dangerous v6 headers\n")); } |
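Review bot: In the first hunk (@@ -5895, the "dropping packet with ip options" path), a packet dropped under a rule without log now leaves no log record at all, and the only remaining traces in these lines are the PFRES_IPOPTIONS reason set by REASON_SET and the DPFPRINTF message, which is emitted only at PF_DEBUG_MISC. Anyone who relied on the previous unconditional `log = 1` to notice option-bearing traffic loses that signal without warning, so the commit message or the pf documentation should state that these drops are logged only when the matching rule carries the log option. A one-line comment above `if (r->log)` saying the same would help the next reader. No extra NULL check is needed for `r` here, since the enclosing condition already dereferences it in `r->allow_opts`.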
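Review bot: In the second hunk (@@ -6329, the "dangerous v6 headers" path), the new guard consults only `r->log`, while the enclosing condition looks at both the state (`s->state_flags & PFSTATE_ALLOWOPTS`) and the rule (`r->allow_opts`). Please confirm that `r` at this point is the rule whose log setting should decide the matter when the packet matched an existing state `s`, and say so in a comment. The two added lines are also an exact copy of the ones in the IPv4 hunk; a shared helper or at least an identical comment in both places would keep the two paths from drifting apart.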