author | alex <alex@FreeBSD.org> | 1996-06-25 00:22:20 +0000 |
---|---|---|
committer | alex <alex@FreeBSD.org> | 1996-06-25 00:22:20 +0000 |
commit | 31ea3a3bd61ebe1950d42628e97c677bba342cd8 (patch) | |
tree | 9d228a687997e18968a4ed4603a28547af166da7 /sys | |
parent | 6bf480112a3aaf6552ffb103012528bdb0fc91eb (diff) | |
Allow fragment checking to work with specific protocols.
Reviewed by: phk
Reject the addition of rules that will never match (for example,
1.2.3.4:255.255.255.0). User level utilities specify the policy by either
masking the IP address for the user (as ipfw(8) does) or rejecting the
entry with an error. In either case, the kernel should not modify chain
entries to make them work.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_fw.c | 42 |
1 files changed, 26 insertions, 16 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 5cff936..d18bd48 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
  *
  * This software is provided ``AS IS'' without any warranties of any kind.
  *
- * $Id: ip_fw.c,v 1.40 1996/06/17 00:00:35 alex Exp $
+ * $Id: ip_fw.c,v 1.41 1996/06/23 14:28:02 bde Exp $
  */
 
 /*
@@ -413,23 +413,22 @@ ip_fw_chk(struct ip **pip, int hlen, struct ifnet *rif, int dir, struct mbuf **m
 			goto got_match;
 		}
 
-		/* Fragments can't match past this point */
-		if (ip->ip_off & IP_OFFMASK)
-			continue;
-
-		/* TCP, a little more checking */
-		if (prt == IP_FW_F_TCP &&
-		    (f->fw_tcpf != f->fw_tcpnf) &&
-		    (!tcpflg_match(tcp, f)))
-			continue;
+		/* Check TCP flags and TCP/UDP ports only if packet is not fragment */
+		if (!(ip->ip_off & IP_OFFMASK)) {
+			/* TCP, a little more checking */
+			if (prt == IP_FW_F_TCP &&
+			    (f->fw_tcpf != f->fw_tcpnf) &&
+			    (!tcpflg_match(tcp, f)))
+				continue;
 
-		if (!port_match(&f->fw_pts[0], f->fw_nsp,
-		    src_port, f->fw_flg & IP_FW_F_SRNG))
-			continue;
+			if (!port_match(&f->fw_pts[0], f->fw_nsp,
+			    src_port, f->fw_flg & IP_FW_F_SRNG))
+				continue;
 
-		if (!port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp,
-		    dst_port, f->fw_flg & IP_FW_F_DRNG))
-			continue;
+			if (!port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp,
+			    dst_port, f->fw_flg & IP_FW_F_DRNG))
+				continue;
+		}
 
 got_match:
 		f->fw_pcnt++;
@@ -633,6 +632,17 @@ check_ipfw_struct(struct mbuf *m)
 		    frwl->fw_nsp, frwl->fw_ndp));
 		return (NULL);
 	}
+
+	/*
+	 * Rather than modify the entry to make such entries work,
+	 * we reject this rule and require user level utilities
+	 * to enforce whatever policy they deem appropriate.
+	 */
+	if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
+	    (frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
+		dprintf(("ip_fw_ctl: rule never matches\n"));
+		return(NULL);
+	}
 
 	return frwl;
 }
|
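Review bot: The new `if (!(ip->ip_off & IP_OFFMASK))` block in ip_fw_chk lets a non-first fragment match a rule on addresses and protocol alone, so a rule that names ports or TCP flags now accepts or rejects every later fragment of any flow between those addresses; the replacement comment does not say this, and it is the property an administrator writing port-specific allow rules needs to know. I would extend the comment to `/* Non-first fragments carry no transport header, so they are matched on addresses and protocol only; a rule with port or TCP-flag specs therefore covers all later fragments between its address pair. */`. Whether the first fragment (offset 0) is required to carry a complete TCP/UDP header before src_port, dst_port and tcp are read is decided earlier in ip_fw_chk, outside this hunk, so I cannot confirm it here. ip_fw_chk begins and ends outside the hunk.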
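Review bot: The new comment in check_ipfw_struct says "such entries" without naming them, so a reader cannot tell from the comment alone what the condition below rejects; I would open it with `* A rule whose source or destination address has bits set outside its mask can never match any packet.` ahead of the existing sentence. The rejection is reported only through dprintf, and how the caller turns the NULL return into an error for the user is not visible in this hunk, so I assume that is handled at the ip_fw_ctl level. As a style point, `return(NULL);` in the added block sits two lines below `return (NULL);` and should use the same spacing. check_ipfw_struct begins outside the hunk.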