From 019c8c9330b6659624793c5ba066daffabdb02d4 Mon Sep 17 00:00:00 2001
From: "Andrey V. Elsukov"
Date: Tue, 25 Jun 2019 11:40:37 +0000
Subject: [PATCH] Follow the RFC 3128 and drop short TCP fragments with offset = 1.
Reported by: emaste
MFC after: 1 week
---
sys/netpfil/ipfw/ip_fw2.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index f8bd4dea1d61..535be037b6cc 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -1719,6 +1719,11 @@ do { \
 default:
 break;
 }
+ } else {
+ if (offset == 1 && proto == IPPROTO_TCP) {
+ /* RFC 3128 */
+ goto pullup_failed;
+ }
 }
 UPDATE_POINTERS();
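Review bot: The added `else` branch discards the fragment with `goto pullup_failed;`, which sends a deliberate RFC 3128 policy drop down the same exit as an mbuf pullup failure. The label is outside this hunk, but whatever it logs or counts will presumably report the wrong cause, so these drops cannot be told apart from genuine pullup errors when someone investigates tiny-fragment traffic. A dedicated exit, or at least a distinct verbose message for this case, would keep the two apart. The comment `/* RFC 3128 */` is also too terse for a drop that no rule controls; something like `/* RFC 3128: a TCP fragment at offset 1 would overlay the TCP flags of the first fragment; drop it */` states the reason. The enclosing block starts and ends outside the hunk, so it is worth confirming there that `offset` is in 8-byte units on every path that reaches this test.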