Index: head/sbin/ipfw/ipfw.8
===================================================================
--- head/sbin/ipfw/ipfw.8
+++ head/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd June 21, 2019
+.Dd August 10, 2020
.Dt IPFW 8
.Os
.Sh NAME
@@ -600,7 +600,7 @@
By name or address
.It Misc. IP header fields
Version, type of service, datagram length, identification,
-fragment flag (non-zero IP offset),
+fragmentation flags,
Time To Live
.It IP options
.It IPv6 Extension headers
@@ -1602,12 +1602,29 @@
.Ar labels .
.Ar labels
is a comma separated list of numeric flow labels.
-.It Cm frag
-Matches packets that are fragments and not the first
-fragment of an IP datagram.
-Note that these packets will not have
-the next protocol header (e.g.\& TCP, UDP) so options that look into
-these headers cannot match.
+.It Cm frag Ar spec
+Matches IPv4 packets whose
+.Cm ip_off
+field contains the comma separated list of IPv4 fragmentation
+options specified in
+.Ar spec .
+The recognized options are:
+.Cm df
+.Pq Dv don't fragment ,
+.Cm mf
+.Pq Dv more fragments ,
+.Cm rf
+.Pq Dv reserved fragment bit
+.Cm offset
+.Pq Dv non-zero fragment offset .
+The absence of a particular options may be denoted
+with a
+.Ql \&! .
+.Pp
+Empty list of options defaults to matching on non-zero fragment offset.
+Such rule would match all not the first fragment datagrams,
+both IPv4 and IPv6.
+This is a backward compatibility with older rulesets.
.It Cm gid Ar group
Matches all TCP or UDP packets sent by or received for a
.Ar group .
Index: head/sbin/ipfw/ipfw2.c
===================================================================
--- head/sbin/ipfw/ipfw2.c
+++ head/sbin/ipfw/ipfw2.c
@@ -168,6 +168,14 @@
{ NULL, 0 }
};
+static struct _s_x f_ipoff[] = {
+ { "rf", IP_RF >> 8 },
+ { "df", IP_DF >> 8 },
+ { "mf", IP_MF >> 8 },
+ { "offset", 0x1 },
+ { NULL, 0}
+};
+
struct _s_x f_ipdscp[] = {
{ "af11", IPTOS_DSCP_AF11 >> 2 }, /* 001010 */
{ "af12", IPTOS_DSCP_AF12 >> 2 }, /* 001100 */
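Review bot: The `"offset"` entry in f_ipoff carries no comment tying its value to the kernel side: unlike `rf`/`df`/`mf`, which are ip_off's high byte, `0x1` is a synthetic bit, and it only stays distinct from the real flag bits because the kernel (ip_fw2.c hunk in this same diff) masks ip_off with IP_OFFMASK before shifting and then ORs `offset != 0` into bit 0. A maintainer adding a new entry has nothing here telling them which values are taken. Suggest `/* synthetic: set by the kernel when the fragment offset is non-zero */` on the `"offset"` line and `/* values are ip_off's high byte; must stay in sync with O_FRAG in ip_fw2.c */` above the table. The enclosing table declarations run past both edges of the hunk.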
@@ -1531,7 +1539,7 @@
IPPROTO_ETHERTYPE, cmd->opcode);
break;
case O_FRAG:
- bprintf(bp, " frag");
+ print_flags(bp, "frag", cmd, f_ipoff);
break;
case O_FIB:
bprintf(bp, " fib %u", cmd->arg1);
@@ -4553,7 +4561,15 @@
break;
case TOK_FRAG:
- fill_cmd(cmd, O_FRAG, 0, 0);
+ fill_flags_cmd(cmd, O_FRAG, f_ipoff, *av);
+ /*
+ * Compatibility: no argument after "frag"
+ * keyword equals to "frag offset".
+ */
+ if (cmd->arg1 == 0)
+ cmd->arg1 = 0x1;
+ else
+ av++;
break;
case TOK_LAYER2:
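Review bot: The compatibility fallback at `if (cmd->arg1 == 0)` only covers a `frag` with nothing after it; the next token is handed to `fill_flags_cmd(cmd, O_FRAG, f_ipoff, *av)` unconditionally, so an old-style rule that continues with another keyword (`... frag in`, `... frag keep-state`, `... frag via em0`) will, if fill_flags_cmd rejects an unknown name with a fatal "invalid flag" error as it presumably does for the other flag keywords, abort the rule instead of being read as `frag offset`. A firewall ruleset that stops loading part way through is a lock-out or a fail-open depending on the default rule, so the compatibility claim in the comment should hold for this case too. Suggested shape: only when `*av != NULL` and the token parses against `f_ipoff` via a non-fatal lookup should fill_flags_cmd() be called and av advanced; in every other case set `cmd->arg1 = 0x1` without consuming the token. The enclosing switch starts and ends outside the hunk.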
Index: head/sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c
+++ head/sys/netpfil/ipfw/ip_fw2.c
@@ -1944,7 +1944,23 @@
break;
case O_FRAG:
- match = (offset != 0);
+ if (is_ipv4) {
+ /*
+ * Since flags_match() works with
+ * uint8_t we pack ip_off into 8 bits.
+ * For this match offset is a boolean.
+ */
+ match = flags_match(cmd,
+ ((ntohs(ip->ip_off) & ~IP_OFFMASK)
+ >> 8) | (offset != 0));
+ } else {
+ /*
+ * Compatiblity: historically bare
+ * "frag" would match IPv6 fragments.
+ */
+ match = (cmd->arg1 == 0x1 &&
+ (offset != 0));
+ }
break;
case O_IN: /* "out" is "not in" */
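Review bot: The IPv6 branch `match = (cmd->arg1 == 0x1 && (offset != 0));` accepts only the exact bare-`frag`/`frag offset` encoding, so a negated spec is not the complement for IPv6: `frag !offset` matches first fragments and unfragmented datagrams for IPv4 but never matches any IPv6 packet at all, meaning `deny ... frag !offset` silently leaves IPv6 alone while `allow ... frag !offset` blocks all of it. Either state this in the comment (`/* Only the bare offset test is defined for IPv6; df/mf/rf and negated specs never match here. */`), or, assuming fill_flags_cmd keeps the set-in-low-byte/clear-in-high-byte encoding that flags_match() reads, evaluate the synthetic offset bit the same way for both families: `match = (cmd->arg1 & 0xfefe) == 0 && flags_match(cmd, offset != 0);` so that only a spec naming an IPv4-only bit fails on IPv6. The word "Compatiblity" in the new comment is misspelled. The enclosing function starts and ends outside the hunk.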
D26021: ipfw: improve matching on IPv4 fragments