d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prompted by r349366, ipfilter is also does not conform to RFC 3128

Browse Source 
by dropping TCP fragments with offset = 1.

In addition to dropping these fragments, add a DTrace probe to allow
for more detailed monitoring and diagnosis if required.

MFC after:	1 week
This commit is contained in:
Cy Schubert 2019-06-26 00:53:43 +00:00
parent 519346ce8c
commit 7f39a7e492
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/contrib/ipfilter/netinet/fil.c
View File

@ -1723,6 +1723,10 @@ ipf_pr_ipv4hdr(fin)
* calculate the byte offset that it represents. * calculate the byte offset that it represents.
*/ */
off &= IP_MF|IP_OFFMASK; off &= IP_MF|IP_OFFMASK;
if (off == 1 && p == IPPROTO_TCP) {
fin->fin_flx |= FI_SHORT; /* RFC 3128 */
DT1(ipf_fi_tcp_frag_off_1, fr_info_t *, fin);
}
if (off != 0) { if (off != 0) {
int morefrag = off & IP_MF; int morefrag = off & IP_MF;