Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disconnect maintaining fragment state from keeping session state. The user 

now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)
This commit is contained in:
christos 2017-04-23 20:47:22 +00:00
parent f5c70f34c6
commit 5a6dcaa81f
2 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sys/external/bsd/ipf/netinet/fil.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: fil.c,v 1.19 2016/08/05 09:06:52 christos Exp $ */
/* $NetBSD: fil.c,v 1.20 2017/04/23 20:47:22 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@ -138,7 +138,7 @@ extern struct timeout ipf_slowtimer_ch;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.19 2016/08/05 09:06:52 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.20 2017/04/23 20:47:22 christos Exp $");
#else
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: fil.c,v 1.1.1.2 2012/07/22 13:45:07 darrenr Exp $";
@ -2723,7 +2723,7 @@ ipf_firewall(fr_info_t *fin, u_32_t *passp)
* If the rule has "keep frag" and the packet is actually a fragment,
* then create a fragment state entry.
*/
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (pass & FR_KEEPFRAG) {
if (fin->fin_flx & FI_FRAG) {
if (ipf_frag_new(softc, fin, pass) == -1) {
LBUMP(ipf_stats[out].fr_bnfr);

7
sys/external/bsd/ipf/netinet/ip_state.c vendored
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_state.c,v 1.6 2013/09/14 12:16:11 martin Exp $ */
/* $NetBSD: ip_state.c,v 1.7 2017/04/23 20:47:22 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@ -100,7 +100,7 @@ struct file;
#if !defined(lint)
#if defined(__NetBSD__)
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.6 2013/09/14 12:16:11 martin Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.7 2017/04/23 20:47:22 christos Exp $");
#else
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
static const char rcsid[] = "@(#)Id: ip_state.c,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp";
@ -3341,7 +3341,8 @@ ipf_state_check(fr_info_t *fin, u_32_t *passp)
* If this packet is a fragment and the rule says to track fragments,
* then create a new fragment cache entry.
*/
if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&
is->is_pass & FR_KEEPFRAG)
(void) ipf_frag_new(softc, fin, is->is_pass);
/*