Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.816
-rw-r--r--sbin/ipfw/ipfw.c13
2 files changed, 27 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index b3eec6c..c070b2a 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -289,6 +289,12 @@ and the length of the port list is limited to
.Pa /usr/src/sys/netinet/ip_fw.h )
ports.
.Pp
+Fragmented packets which have a non-zero offset (i.e. not the first
+fragment) will never match a rule which has one or more port
+specifications. See the
+.Ar frag
+option for details on matching fragmented packets.
+.Pp
Rules can apply to packets when they are incoming, or outgoing, or both.
The
.Ar in
@@ -360,6 +366,10 @@ Additional
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
+.Ar frag
+may not be used in conjunction with either
+.Ar tcpflags
+or TCP/UDP port specifications.
.It in
Matches if this packet was on the way in.
.It out
@@ -399,6 +409,12 @@ and
.Ar urg .
The absence of a particular flag may be denoted
with a ``!''.
+A rule which contains a
+.Ar tcpflags
+specification can never match a fragmented packet which has
+a non-zero offset. See the
+.Ar frag
+option for details on matching fragmented packets.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 29300d1..5663ed7 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -16,7 +16,7 @@
*
* NEW command line interface for IP firewall facility
*
- * $Id: ipfw.c,v 1.52 1998/01/08 00:27:31 alex Exp $
+ * $Id: ipfw.c,v 1.53 1998/01/08 03:03:50 alex Exp $
*
*/
@@ -502,7 +502,7 @@ show_usage(const char *fmt, ...)
" src: from [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
" dst: to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
" extras:\n"
-" fragment\n"
+" fragment (may not be used with ports or tcpflags)\n"
" in\n"
" out\n"
" {xmit|recv|via} {iface|ip|any}\n"
@@ -1108,6 +1108,15 @@ badviacombo:
} else if ((rule.fw_flg & IP_FW_F_OIFACE) && (rule.fw_flg & IP_FW_F_IN))
show_usage("can't check xmit interface of incoming packets");
+ /* frag may not be used in conjunction with ports or TCP flags */
+ if (rule.fw_flg & IP_FW_F_FRAG) {
+ if (rule.fw_tcpf || rule.fw_tcpnf)
+ show_usage(EX_USAGE, "can't mix 'frag' and tcpflags");
+
+ if (rule.fw_nports)
+ show_usage(EX_USAGE, "can't mix 'frag' and port specifications");
+ }
+
if (!do_quiet)
show_ipfw(&rule, 10, 10);
i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
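Review bot: The two new show_usage() calls pass EX_USAGE as the first argument, but the hunk header two hunks up shows the prototype as `show_usage(const char *fmt, ...)` and the context line just above the added block calls it with the message alone, so EX_USAGE would be handed over as the format-string pointer and the message as a vararg. This commit does not touch the signature (the diffstat accounts for every changed line), so a rule that trips either check would dereference a small integer instead of printing the usage message. The calls should follow the existing convention: `show_usage("can't mix 'frag' and tcpflags");` and `show_usage("can't mix 'frag' and port specifications");`. Separately, this is a userland-only guard; whether the kernel also rejects a frag rule carrying ports or tcpflags when set via setsockopt directly is not visible here, so the man-page wording "may not be used" should be understood as enforced by this tool rather than by the filter itself unless the kernel side is confirmed.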