Bug fix: make pf_route() set M_CSUM_IPv4 before calling ip_fragment().

If you use a route-to rule such as 'pass out quick on ath0 route-to
gre2 all', and the MTU on gre2 is smaller than the MTU on ath0,
then pf_route() will fragment your packet by calling ip_fragment().
Because pf_route() did not set M_CSUM_IPv4, ip_fragment() would
not compute the checksum on the fragments, and PF would send IP
fragments with bad checksums out of gre2.
dyoung 2007-11-28 04:23:33 +00:00
parent 79d53b3100
commit b6995d1653

@ -1,4 +1,4 @@
/* $NetBSD: pf.c,v 1.40 2007/08/07 10:08:21 yamt Exp $ */
/* $NetBSD: pf.c,v 1.41 2007/11/28 04:23:33 dyoung Exp $ */
/* $OpenBSD: pf.c,v 1.487 2005/04/22 09:53:18 dhartmei Exp $ */
/*
@ -63,6 +63,7 @@
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_offload.h>
#include <netinet/in_var.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@ -5558,6 +5559,10 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
goto bad;
}
/* Make ip_fragment re-compute checksums. */
if (IN_NEED_CHECKSUM(ifp, M_CSUM_IPv4)) {
m0->m_pkthdr.csum_flags |= M_CSUM_IPv4;
}
m1 = m0;
error = ip_fragment(m0, ifp, ifp->if_mtu);
if (error) {
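Review bot: the comment above the new IN_NEED_CHECKSUM(ifp, M_CSUM_IPv4) test says what the flag does but not why pf_route() has to set it itself, nor what is expected to fill in the header checksum on the fragments when the test is false. Suggest expanding it to record the case from the commit message (a route-to target whose MTU is smaller than the original interface's, so pf_route() calls ip_fragment() directly) and to state the assumption for the false branch, so the next reader can tell that leaving M_CSUM_IPv4 clear there is deliberate. The flag is also left set on m0 if ip_fragment() returns an error; the visible lines stop at the `if (error) {` branch, so please confirm the error path does not hand m0 to anything that would misread csum_flags.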