From owner-freebsd-net@FreeBSD.ORG Tue Apr 13 02:26:52 2010
Date: Tue, 13 Apr 2010 13:57:01 +1200
From: Matthew Luckie <mjl@luckie.org.nz>
To: freebsd-net@freebsd.org
Message-ID: <20100413015701.GA62420@spandex.luckie.org.nz>
Subject: reassembled packets and pfil
List-Id: Networking and TCP/IP with FreeBSD

Hi

Reassembled packets are not passed to the packet filter interface for both IPv4 and IPv6, so a firewall has no effect if the packets arrive in fragments. Here is a patch to fix this for IPv6. The patch for IPv4 is similarly trivial, but I have not written / tested it yet.

Is there any particular reason why reassembled packets were not checked? If the answer is no, I'll send in a PR.

I've tested the patch below.

Matthew

--- sys/netinet6/frag6.c.orig 2008-11-25 15:59:29.000000000 +1300
+++ sys/netinet6/frag6.c 2010-04-13 13:21:02.000000000 +1200
@@ -46,6 +46,7 @@ __FBSDID("$FreeBSD: src/sys/netinet6/fra
 #include
 #include
+#include
 #include
 #include
@@ -568,6 +569,13 @@ insert:
 	*offp = offset;
 	IP6Q_UNLOCK();
+
+	if (PFIL_HOOKED(&inet6_pfil_hook) &&
+	    (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) ||
+	    m == NULL)) {
+		return IPPROTO_DONE;
+	}
+
 	return nxt;

 dropfrag:
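Review bot: in the second hunk, pfil_run_hooks() is given &m and so may hand back a different mbuf chain than the one passed in, but nothing after the call stores the possibly new m where the caller will pick it up; if the reassembled chain is returned to the caller through a pointer the way the offset is returned via *offp, that assignment needs to happen (or be repeated) after the hook returns, otherwise the caller continues with a stale chain. The early `return IPPROTO_DONE;` on a non-zero return while m is still non-NULL also relies on the hook having freed the chain itself; a one-line comment stating that assumption would help, since a hook that returns an error without freeing would leak the reassembled packet. Running the hook here, after IP6Q_UNLOCK(), is the right ordering since filters must not be called with the fragment queue lock held.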