From 7f39a7e4923647e7ef51d89d39a02ca3d7c7ba7b Mon Sep 17 00:00:00 2001
From: Cy Schubert
Date: Wed, 26 Jun 2019 00:53:43 +0000
Subject: [PATCH] Prompted by r349366, ipfilter is also does not conform to RFC 3128 by dropping TCP fragments with offset = 1. In addition to dropping these fragments, add a DTrace probe to allow for more detailed monitoring and diagnosis if required.
MFC after: 1 week
---
sys/contrib/ipfilter/netinet/fil.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index a0d008dbd2d7..bbfb2287337b 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -1723,6 +1723,10 @@ ipf_pr_ipv4hdr(fin)
 * calculate the byte offset that it represents.
 */
 off &= IP_MF|IP_OFFMASK;
+ if (off == 1 && p == IPPROTO_TCP) {
+ fin->fin_flx |= FI_SHORT; /* RFC 3128 */
+ DT1(ipf_fi_tcp_frag_off_1, fr_info_t *, fin);
+ }
 if (off != 0) {
 int morefrag = off & IP_MF;
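Review bot: The new test `off == 1` compares a value that still carries the IP_MF bit, because the preceding line masks with `IP_MF|IP_OFFMASK` and the following `int morefrag = off & IP_MF;` reads that bit from the same variable. A TCP fragment with offset 1 and more-fragments set would therefore have off equal to `IP_MF|1` and skip the FI_SHORT marking, so only a final fragment at offset 1 is caught. Comparing the offset field alone, `if ((off & IP_OFFMASK) == 1 && p == IPPROTO_TCP) {`, covers both cases. The hunk only sets FI_SHORT; whether such packets are actually dropped depends on code and rules outside the hunk, as ipf_pr_ipv4hdr starts and ends outside it.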