From owner-freebsd-net@FreeBSD.ORG Tue Apr 13 06:47:09 2010
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 22FA81065670 for ; Tue, 13 Apr 2010 06:47:09 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it)
Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id C8A1B8FC1E for ; Tue, 13 Apr 2010 06:47:08 +0000 (UTC)
Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 64A8473098; Tue, 13 Apr 2010 08:57:32 +0200 (CEST)
Date: Tue, 13 Apr 2010 08:57:32 +0200
From: Luigi Rizzo
To: Matthew Luckie
Message-ID: <20100413065732.GB3063@onelab2.iet.unipi.it>
References: <20100413015701.GA62420@spandex.luckie.org.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20100413015701.GA62420@spandex.luckie.org.nz>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-net@freebsd.org
Subject: Re: reassembled packets and pfil
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 13 Apr 2010 06:47:09 -0000

On Tue, Apr 13, 2010 at 01:57:01PM +1200, Matthew Luckie wrote:
> Hi
>
> Reassembled packets are not passed to the packet filter interface for
> both IPv4 and IPv6, so a firewall has no effect if the packets arrive
> in fragments. Here is a patch to fix this for IPv6. The patch for
> IPv4 is similarly trivial, but I have not written / tested it yet.
>
> Is there any particular reason why reassembled packets were not
> checked? If the answer is no, I'll send in a PR.

I think it was just a random decision -- either pass packets to the
firewall before reassembly as we do, or after reassembly, as Linux does.
Both have pros and cons.
Going through the firewall twice, however, is problematic because far
too many things (counters, dummynet, etc.) expect to see each packet
only once.

I think that a patch like the one you propose is very useful (for IPv4
as well) but it requires a sysctl or other mechanism to make sure that
when it is enabled we don't pass fragments through the firewall.

cheers
luigi

> I've tested the patch below.
>
> Matthew
>
> --- sys/netinet6/frag6.c.orig	2008-11-25 15:59:29.000000000 +1300
> +++ sys/netinet6/frag6.c	2010-04-13 13:21:02.000000000 +1200
> @@ -46,6 +46,7 @@ __FBSDID("$FreeBSD: src/sys/netinet6/fra
>
>  #include
>  #include
> +#include
>
>  #include
>  #include
> @@ -568,6 +569,13 @@ insert:
>  	*offp = offset;
>
>  	IP6Q_UNLOCK();
> +
> +	if (PFIL_HOOKED(&inet6_pfil_hook) &&
> +	    (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) ||
> +	    m == NULL)) {
> +		return IPPROTO_DONE;
> +	}
> +
>  	return nxt;
>
>  dropfrag:
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
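Review bot: in the first hunk (the one at line 46 of frag6.c) the name of the header on the added `+#include` line has been lost in the quoted mail, so the include cannot be checked as posted; PFIL_HOOKED() and pfil_run_hooks() used in the second hunk are declared in net/pfil.h, so that is the header the line needs to name, and it should be stated in the PR text as well.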
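Review bot: in the second hunk (the `insert:` hunk), `pfil_run_hooks()` is handed `&m`, which means a hook may hand back a different mbuf, but the caller's copy of the pointer was stored through the `mp` argument before the `*offp = offset;` context line at the top of the hunk, so on the success path it needs to be refreshed (`*mp = m;`) after the hooks return, otherwise ip6_input() keeps dispatching on a stale mbuf. A second point for the same hunk: there is no knob around the new block, so a packet whose fragments were already run through the hooks in ip6_input() is presented to the firewall a second time once reassembled, which is the double-pass problem raised in the reply above; a sysctl tested before `PFIL_HOOKED(&inet6_pfil_hook)`, with the fragment path skipping the hooks when it is set, would keep each packet to a single pass.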