Do not try to reassemble IPv6 fragments in "reass" rule.
ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets that it gets. Until proper IPv6 fragments handling function will be implemented, pass IPv6 packets to next rule. PR: 170604 MFC after: 1 week
This commit is contained in:
Andrey V. Elsukov
parent
0a646b9715
commit
12c080e613
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=330792
@ -1,7 +1,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd November 26, 2017
|
.Dd March 12, 2018
|
||||||
.Dt IPFW 8
|
.Dt IPFW 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@ -1135,7 +1135,7 @@ Regardless of matched a packet or not by the
|
|||||||
.Cm tcp-setmss
|
.Cm tcp-setmss
|
||||||
rule, the search continues with the next rule.
|
rule, the search continues with the next rule.
|
||||||
.It Cm reass
|
.It Cm reass
|
||||||
Queue and reassemble IP fragments.
|
Queue and reassemble IPv4 fragments.
|
||||||
If the packet is not fragmented, counters are updated and
|
If the packet is not fragmented, counters are updated and
|
||||||
processing continues with the next rule.
|
processing continues with the next rule.
|
||||||
If the packet is the last logical fragment, the packet is reassembled and, if
|
If the packet is the last logical fragment, the packet is reassembled and, if
|
||||||
|
|||||||
@ -3018,8 +3018,10 @@ do { \
|
|||||||
case O_REASS: {
|
case O_REASS: {
|
||||||
int ip_off;
|
int ip_off;
|
||||||
|
|
||||||
IPFW_INC_RULE_COUNTER(f, pktlen);
|
|
||||||
l = 0; /* in any case exit inner loop */
|
l = 0; /* in any case exit inner loop */
|
||||||
|
if (is_ipv6) /* IPv6 is not supported yet */
|
||||||
|
break;
|
||||||
|
IPFW_INC_RULE_COUNTER(f, pktlen);
|
||||||
ip_off = ntohs(ip->ip_off);
|
ip_off = ntohs(ip->ip_off);
|
||||||
|
|
||||||
/* if not fragmented, go to next rule */
|
/* if not fragmented, go to next rule */
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user