From owner-svn-src-all@freebsd.org Fri Apr 14 05:12:02 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C84DCD3D2AA; Fri, 14 Apr 2017 05:12:02 +0000 (UTC) (envelope-from cy@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7ED091B0; Fri, 14 Apr 2017 05:12:02 +0000 (UTC) (envelope-from cy@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v3E5C1gX038999; Fri, 14 Apr 2017 05:12:01 GMT (envelope-from cy@FreeBSD.org) Received: (from cy@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v3E5C1Ug038997; Fri, 14 Apr 2017 05:12:01 GMT (envelope-from cy@FreeBSD.org) Message-Id: <201704140512.v3E5C1Ug038997@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: cy set sender to cy@FreeBSD.org using -f From: Cy Schubert Date: Fri, 14 Apr 2017 05:12:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r316810 - head/sys/contrib/ipfilter/netinet X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Apr 2017 05:12:02 -0000 Author: cy Date: Fri Apr 14 05:12:01 2017 New Revision: 316810 URL: https://svnweb.freebsd.org/changeset/base/316810 Log: Keep state incorrectly assumes keep frags. This is counter to the ipfilter man pages. This also currently restricts keep frags to only when keep state is used, which is redundant because keep state currently assumes keep frags. This commit fixes this. To the user this change means that to maintain the current behaviour one must add keep frags to any ipfilter keep state rule (as documented in the man pages). This patch also allows the flexability to specify and use keep frags separate from keep state, as documented in an example in ipf.conf.5, instead of the currently broken behaviour. Relnotes: yes Modified: head/sys/contrib/ipfilter/netinet/fil.c head/sys/contrib/ipfilter/netinet/ip_state.c Modified: head/sys/contrib/ipfilter/netinet/fil.c ============================================================================== --- head/sys/contrib/ipfilter/netinet/fil.c Fri Apr 14 03:54:36 2017 (r316809) +++ head/sys/contrib/ipfilter/netinet/fil.c Fri Apr 14 05:12:01 2017 (r316810) @@ -2786,7 +2786,7 @@ ipf_firewall(fin, passp) * If the rule has "keep frag" and the packet is actually a fragment, * then create a fragment state entry. */ - if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { + if (pass & FR_KEEPFRAG) { if (fin->fin_flx & FI_FRAG) { if (ipf_frag_new(softc, fin, pass) == -1) { LBUMP(ipf_stats[out].fr_bnfr); Modified: head/sys/contrib/ipfilter/netinet/ip_state.c ============================================================================== --- head/sys/contrib/ipfilter/netinet/ip_state.c Fri Apr 14 03:54:36 2017 (r316809) +++ head/sys/contrib/ipfilter/netinet/ip_state.c Fri Apr 14 05:12:01 2017 (r316810) @@ -3414,7 +3414,8 @@ ipf_state_check(fin, passp) * If this packet is a fragment and the rule says to track fragments, * then create a new fragment cache entry. */ - if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass)) + if (((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass)) && + ((is->is_pass & FR_KEEPFRAG))) (void) ipf_frag_new(softc, fin, is->is_pass); /*