Date:      Wed, 8 Feb 2012 15:38:36 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject:   svn commit: r231207 - stable/7/sys/netinet
Message-ID:  <201202081538.q18FcaTu049138@svn.freebsd.org>

Author: bz
Date: Wed Feb  8 15:38:36 2012
New Revision: 231207
URL: http://svn.freebsd.org/changeset/base/231207

Log:
  MFC r225030:
  
   While not explicitly allowed by RFC 2460, in case there is no
   translation technology involved (and that section is suggested to
   be removed by Errata 2843), single packet fragments do not harm.
  
   There is another errata and further drafts under discussion to clarify
   on these kinds of packets.
   Meanwhile add a sysctl to allow disabling this behaviour again.
   We will treat single packet fragment (a fragment header added
   when not needed) as if there was no fragment header.
  
   Submitted by:	Matthew Luckie (mjl luckie.org.nz) (original version)
  PR:		kern/145733

Modified:
  stable/7/sys/netinet/ip_fw2.c
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/netinet/ip_fw2.c
==============================================================================
--- stable/7/sys/netinet/ip_fw2.c	Wed Feb  8 15:37:34 2012	(r231206)
+++ stable/7/sys/netinet/ip_fw2.c	Wed Feb  8 15:38:36 2012	(r231207)
@@ -110,6 +110,9 @@ static u_int32_t set_disable;
 static int fw_verbose;
 static struct callout ipfw_timeout;
 static int verbose_limit;
+#ifdef INET6
+static int fw_permit_single_frag6 = 1;
+#endif
 
 #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
 static int default_to_accept = 1;
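Review bot: The new `fw_permit_single_frag6` on the second added line carries no comment, so what "single fragment" means here and why it defaults to 1 are only recoverable from the commit log. I would put above it `/* Treat an IPv6 fragment header with offset 0 and no MORE_FRAG (single packet fragment) as if it were absent; 1 = permit, 0 = log and apply deny_unknown_exthdrs. */`. The variable is read in the IPPROTO_FRAGMENT handling in ipfw_chk, which presumably sits under the same `#ifdef INET6` as this declaration; worth confirming so a build without INET6 still compiles.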
@@ -2158,10 +2161,14 @@ ipfw_chk(struct ip_fw_args *args)
 	 *	we have a fragment at this offset of an IPv4 packet.
 	 *	offset == 0 means that (if this is an IPv4 packet)
 	 *	this is the first or only fragment.
-	 *	For IPv6 offset == 0 means there is no Fragment Header. 
+	 *	For IPv6 offset == 0 means there is no Fragment Header or there
+	 *	is a single packet fragement (fragement header added without
+	 *	needed).  We will treat a single packet fragment as if there
+	 *	was no fragment header (or log/block depending on the
+	 *	fw_permit_single_frag6 sysctl setting).
 	 *	If offset != 0 for IPv6 always use correct mask to
-	 *	get the correct offset because we add IP6F_MORE_FRAG
-	 *	to be able to dectect the first fragment which would
+	 *	get the correct offset because we add IP6F_MORE_FRAG to be able
+	 *	to dectect the first of multiple fragments which would
 	 *	otherwise have offset = 0.
 	 */
 	u_short offset = 0;
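Review bot: The rewritten comment introduces the misspelling `fragement` twice on the added line `is a single packet fragement (fragement header added without` and keeps `dectect` on the later added line; the phrase "added without needed" is also ungrammatical. I would write those lines as `is a single packet fragment (fragment header added when not` / `needed).  We will treat a single packet fragment as if there` and `to dectect` as `to detect the first of multiple fragments which would`. This is a comment-only hunk; the declaration of `offset` it documents is unchanged.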
@@ -2318,10 +2325,11 @@ do {									\
 				offset = ((struct ip6_frag *)ulp)->ip6f_offlg &
 					IP6F_OFF_MASK;
 				/* Add IP6F_MORE_FRAG for offset of first
-				 * fragment to be != 0. */
+				 * fragment to be != 0 if there shall be more. */
 				offset |= ((struct ip6_frag *)ulp)->ip6f_offlg &
 					IP6F_MORE_FRAG;
-				if (offset == 0) {
+				if (fw_permit_single_frag6 == 0 &&
+				    offset == 0) {
 					printf("IPFW2: IPV6 - Invalid Fragment "
 					    "Header\n");
 					if (fw_deny_unknown_exthdrs)
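Review bot: The diagnostic behind the new condition, `printf("IPFW2: IPV6 - Invalid Fragment Header\n")`, is still an unconditional, unrate-limited printf in the packet path; with `permit_single_frag6` set to 0 every single-packet fragment now produces a console line, a log-flooding exposure that the file's `fw_verbose`/`verbose_limit` knobs appear intended to control for the rest of ipfw's logging. The message also no longer describes what is rejected: a packet refused by policy, not a malformed header. I would guard and reword it, e.g. `if (fw_verbose) printf("IPFW2: IPV6 - single packet fragment denied (permit_single_frag6=0)\n");`, or route it through the existing rate-limited logging. ipfw_chk starts and ends outside the hunk, and the `if (fw_deny_unknown_exthdrs)` branch continues past the last line shown.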
@@ -4506,6 +4514,10 @@ ipfw_init(void)
 	    OID_AUTO, "deny_unknown_exthdrs", CTLFLAG_RW | CTLFLAG_SECURE,
 	    &fw_deny_unknown_exthdrs, 0,
 	    "Deny packets with unknown IPv6 Extension Headers");
+	SYSCTL_ADD_INT(&ip6_fw_sysctl_ctx, SYSCTL_CHILDREN(ip6_fw_sysctl_tree),
+	    OID_AUTO, "permit_single_frag6", CTLFLAG_RW | CTLFLAG_SECURE,
+	    &fw_permit_single_frag6, 0,
+	    "Permit single packet IPv6 fragments");
 #endif
 
 	layer3_chain.rules = NULL;


