author | Kristof Provost <kp@FreeBSD.org> | 2024-10-02 06:47:52 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2024-10-10 12:10:40 +0000 |
commit | abc8996e7fa6c3755306021bffbf58c707e33d18 (patch) | |
tree | 5dff7c27fac46df28b20d61cfab2142fe41c0e11 | |
parent | 6562157dfad0d18447cfcac08435f7ffdb8fa46c (diff) | |
pf: deduplicate IPv4 and IPv6 code that handles fragments
Deduplicate IPv4 and IPv6 code that handles fragments that have not
been reassembled by normalization.
ok henning claudio
Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, ddd2494207
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46934
-rw-r--r-- | sys/netpfil/pf/pf.c | 45 |
1 files changed, 16 insertions, 29 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index cd90cc1c85c4..653365d42059 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8697,21 +8697,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 if (h->ip_hl > 5) /* has options */
 pd->badopts++;
- if (h->ip_off & htons(IP_MF | IP_OFFMASK)) {
- /*
- * handle fragments that aren't reassembled by
- * normalization
- */
+ if (h->ip_off & htons(IP_MF | IP_OFFMASK))
 pd->virtual_proto = PF_VPROTO_FRAGMENT;
- if (kif == NULL || r == NULL) /* pflog */
- *action = PF_DROP;
- else
- *action = pf_test_rule(r, s, kif, m, *off,
- pd, a, ruleset, inp, *hdrlen);
- if (*action != PF_PASS)
- REASON_SET(reason, PFRES_FRAG);
- return (-1);
- }
 break;
 }
@@ -8798,21 +8785,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 return (-1);
 }
- if (fragoff != 0) {
- /*
- * handle fragments that aren't reassembled by
- * normalization
- */
+ if (fragoff != 0)
 pd->virtual_proto = PF_VPROTO_FRAGMENT;
- if (kif == NULL || r == NULL) /* pflog */
- *action = PF_DROP;
- else
- *action = pf_test_rule(r, s, kif, m, *off,
- pd, a, ruleset, NULL /* XXX TODO */, *hdrlen);
- if (*action != PF_PASS)
- REASON_SET(reason, PFRES_FRAG);
- return (-1);
- }
 break;
 }
@@ -8821,7 +8795,20 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0,
 panic("pf_setup_pdesc called with illegal af %u", af);
 }
- switch (pd->proto) {
+ switch (pd->virtual_proto) {
+ case PF_VPROTO_FRAGMENT:
+ /*
+ * handle fragments that aren't reassembled by
+ * normalization
+ */
+ if (kif == NULL || r == NULL) /* pflog */
+ *action = PF_DROP;
+ else
+ *action = pf_test_rule(r, s, kif, m, *off, pd, a,
+ ruleset, inp, *hdrlen);
+ if (*action != PF_PASS)
+ REASON_SET(reason, PFRES_FRAG);
+ return (-1);
 case IPPROTO_TCP: {
 struct tcphdr *th = &pd->hdr.tcp; |
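Review bot: The IPv6 fragment path quietly changes behavior here in a way the commit message does not mention: the removed pf_test_rule() call passed `NULL /* XXX TODO */` as the inp argument, while the unified PF_VPROTO_FRAGMENT case added later in this commit passes `inp`, so IPv6 fragments are now evaluated with the same inp as IPv4 ones. That is presumably the intended resolution of the TODO, but it is more than deduplication, and a reader bisecting a change in how user/group-style matching behaves for IPv6 fragments will not find it from the log. I would add one sentence to the commit message, e.g. `The IPv6 fragment path now passes inp to pf_test_rule() instead of NULL, resolving the XXX TODO.` The `case AF_INET6` block containing this code begins before the hunk.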
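Review bot: The new `switch (pd->virtual_proto)` only behaves like the old `switch (pd->proto)` for non-fragment packets if pd->virtual_proto already equals pd->proto when control reaches it; within this commit virtual_proto is only ever assigned PF_VPROTO_FRAGMENT, and the normal-case assignment is not visible in any hunk. If some address-family path (the INET6 extension-header walk, for instance) can reach this switch without it, a zero or stale virtual_proto would skip the TCP/UDP/ICMP header parsing that follows and the packet would be matched without its transport header — please confirm both AF paths set it before the switch. The fragment case itself is fine: it ends in an unconditional `return (-1);`, so there is no fall-through into `case IPPROTO_TCP`. I would make the dependency explicit with a comment above the switch, `/* virtual_proto == proto unless the packet is an unreassembled fragment */`. The switch continues past the end of the hunk.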