Prompted by r349366, ipfilter is also does not conform to RFC 3128

by dropping TCP fragments with offset = 1. In addition to dropping these fragments, add a DTrace probe to allow for more detailed monitoring and diagnosis if required. MFC after: 1 week
2019-06-26 00:53:43 +00:00 · 2019-06-26 00:53:43 +00:00 · 7f39a7e492
commit 7f39a7e492
parent 519346ce8c
1 changed files with 4 additions and 0 deletions
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@ -1723,6 +1723,10 @@ ipf_pr_ipv4hdr(fin)
 	 * calculate the byte offset that it represents.
 	 */
 	off &= IP_MF|IP_OFFMASK;
+	if (off == 1 && p == IPPROTO_TCP) {
+		fin->fin_flx |= FI_SHORT;	/* RFC 3128 */
+		DT1(ipf_fi_tcp_frag_off_1, fr_info_t *, fin);
+	}
 	if (off != 0) {
 		int morefrag = off & IP_MF;