Allow fragment checking to work with specific protocols.
Reviewed by: phk Reject the addition of rules that will never match (for example, 1.2.3.4:255.255.255.0). User level utilities specify the policy by either masking the IP address for the user (as ipfw(8) does) or rejecting the entry with an error. In either case, the kernel should not modify chain entries to make them work.
This commit is contained in:
parent
545f9f440b
commit
830b0d3039
@ -12,7 +12,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
* $Id: ip_fw.c,v 1.40 1996/06/17 00:00:35 alex Exp $
* $Id: ip_fw.c,v 1.41 1996/06/23 14:28:02 bde Exp $
*/
/*
@ -413,23 +413,22 @@ ip_fw_chk(struct ip **pip, int hlen, struct ifnet *rif, int dir, struct mbuf **m
goto got_match;
}
|
/* Fragments can't match past this point */
if (ip->ip_off & IP_OFFMASK)
continue;
/* Check TCP flags and TCP/UDP ports only if packet is not fragment */
if (!(ip->ip_off & IP_OFFMASK)) {
/* TCP, a little more checking */
if (prt == IP_FW_F_TCP &&
(f->fw_tcpf != f->fw_tcpnf) &&
(!tcpflg_match(tcp, f)))
continue;
|
/* TCP, a little more checking */
if (prt == IP_FW_F_TCP &&
(f->fw_tcpf != f->fw_tcpnf) &&
(!tcpflg_match(tcp, f)))
continue;
if (!port_match(&f->fw_pts[0], f->fw_nsp,
src_port, f->fw_flg & IP_FW_F_SRNG))
continue;
|
if (!port_match(&f->fw_pts[0], f->fw_nsp,
src_port, f->fw_flg & IP_FW_F_SRNG))
continue;
|
if (!port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp,
dst_port, f->fw_flg & IP_FW_F_DRNG))
continue;
if (!port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp,
dst_port, f->fw_flg & IP_FW_F_DRNG))
continue;
}
|
got_match:
f->fw_pcnt++;
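Review bot: With the new `if (!(ip->ip_off & IP_OFFMASK)) {` wrapper, a non-first fragment now skips the TCP-flag and port tests and falls through to got_match, so any rule that restricts ports or flags matches every later fragment of that protocol regardless of the port the reassembled datagram will carry. That is the intended change, but it also means a rule that permits traffic only to one port admits non-first fragments headed for any port, the well-known fragment-based filter bypass, and neither the new comment nor the commit message records that consequence for rule authors. I would widen the comment to `/* Non-first fragments carry no transport header: they skip the flag/port tests and match on address and protocol alone, so a rule with port criteria matches every later fragment of that protocol. */`. Whether a first fragment is checked to be long enough to hold the ports being compared is not visible in this hunk; ip_fw_chk starts and ends outside it.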
@ -633,6 +632,17 @@ check_ipfw_struct(struct mbuf *m)
frwl->fw_nsp, frwl->fw_ndp));
return (NULL);
}
|
/*
* Rather than modify the entry to make such entries work,
* we reject this rule and require user level utilities
* to enforce whatever policy they deem appropriate.
*/
if ((frwl->fw_src.s_addr & (~frwl->fw_smsk.s_addr)) ||
(frwl->fw_dst.s_addr & (~frwl->fw_dmsk.s_addr))) {
dprintf(("ip_fw_ctl: rule never matches\n"));
return(NULL);
}
return frwl;
}
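Review bot: The new comment opens with "Rather than modify the entry to make such entries work" without saying which entries it means, so a reader has to derive from the bitwise test below it that the block rejects rules whose address has bits set outside its mask; I would start it with `/* Reject a rule whose src or dst address has bits set outside its mask (e.g. 1.2.3.4:255.255.255.0): it can never match. */` and keep the policy sentence after that. Two smaller points in the same block: the added `return(NULL);` differs from the `return (NULL);` two lines above it, and the diagnostic is tagged `ip_fw_ctl:` although the code lives in check_ipfw_struct, which is consistent only if the existing dprintf above uses the same tag, something this hunk does not show. check_ipfw_struct starts outside the hunk.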