Date: Thu, 14 Sep 1995 02:06:16 +0200 (MET DST) From: devet@adv.IAEhv.nl (Arjan de Vet) To: hackers@freebsd.org Subject: ppp-iij filter and IP-fragments Message-ID: <199509140006.CAA02805@adv.iaehv.nl>
Hi,
I've been experimenting with the filter in ppp-iij and noticed that some
connections would hang with the following input filter:
# allow reply packets
set ifilter 0 permit tcp dst gt 1023 estab
# allow ftp-data connections
set ifilter 1 permit tcp src eq 20 dst gt 1023
# allow rlogin connections
set ifilter 2 permit tcp src eq 513 estab
# allow identd lookups (to avoid long waits with IAE)
set ifilter 3 permit tcp dst eq 113
# allow DNS replies
set ifilter 4 permit udp src eq 53
# allow ping
set ifilter 5 permit icmp
# allow traceroute > 33433
set ifilter 6 permit udp dst gt 33433
# deny everything else
set ifilter 7 deny 0/0 0/0
The problem was with the `estab' keyword in rule 0, which checks for
ACK bits on incoming packets. I found out that all fragments (except the
first one) of a fragmented packet were dropped because the sport, dport and
estab variables contained bogus information in that case. So I added the
following code to /usr/src/usr.sbin/ppp/ip.c:
--- ip.c.orig Tue May 30 05:50:37 1995
+++ ip.c Thu Sep 14 01:45:23 1995
@@ -131,6 +131,11 @@
sport = dport = 0;
for (n = 0; n < MAXFILTERS; n++) {
if (fp->action) {
+ /* permit fragments on in and out filter */
+ if ((direction == FL_IN || direction == FL_OUT) &&
+ (pip->ip_off & IP_OFFMASK) != 0) {
+ return(A_PERMIT);
+ }
#ifdef DEBUG
logprintf("rule = %d\n", n);
#endif
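Review bot: the added fragment test sits inside the `for (n = 0; n < MAXFILTERS; n++)` loop, under `if (fp->action)`, so it is re-evaluated once per rule and never runs at all if no rule has an action; hoist it above the loop, next to `sport = dport = 0;`, which also makes the intent (skip rule matching entirely for non-first fragments, whose port and flag fields are not real) visible in one place. Confirm the byte order of `pip->ip_off` at this point: if the header is still in network order here, the test needs `(ntohs(pip->ip_off) & IP_OFFMASK) != 0`. Finally, the policy this introduces is that every non-first fragment of any protocol passes in both directions without consulting the rules, so the filter's decision now rests entirely on the first fragment; a comment stating that trade-off next to `return(A_PERMIT);` would help the next reader.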
I hope the fix is correct; I just started using FreeBSD on my own machine
4 days ago...
Arjan
--
Arjan de Vet <devet@IAEhv.nl> (IAE)
Internet Access Eindhoven (IAE) <devet@adv.IAEhv.nl> (home)
URL: http://www.IAEhv.nl/iae/people/devet/
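The post describes why rule 0 dropped later fragments: only the first fragment of an IP datagram carries the TCP header, so reading ports and flags at the usual offset from a non-first fragment yields payload bytes. The following C program, an added illustration that is not the ppp code from the post and not FreeBSD's own, parses a raw IPv4 packet, marks the transport fields as valid only when the fragment offset is zero, and evaluates the post's rule 0 ("permit tcp dst gt 1023 estab") both the pre-patch way and with fragments handled explicitly. The header structs, constant names and the two sample fragments are constructed here; the `permit_fragments` flag is a hypothetical knob standing in for the patch's choice to permit non-first fragments.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same values as <netinet/ip.h> and <netinet/tcp.h>, defined locally so the
 * example builds without platform headers (constructed for this example). */
#define IP_OFFMASK      0x1fff   /* fragment offset, in 8-byte units */
#define IP_MF           0x2000   /* "more fragments" flag */
#define TH_ACK          0x10
#define IPPROTO_TCP_NUM 6

enum { A_DENY = 0, A_PERMIT = 1 };

typedef struct {
    uint8_t  proto;
    uint16_t frag_off;       /* offset of this fragment, 8-byte units */
    int      has_transport;  /* 1 only for a first fragment with a full TCP header */
    uint16_t sport, dport;
    uint8_t  tcp_flags;
} pkt_view;

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse an IPv4 packet as it arrives on the wire (network byte order).
 * Returns -1 on malformed or truncated input. */
static int parse_packet(const uint8_t *buf, size_t len, pkt_view *v)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len) return -1;
    uint16_t off_field = get16(buf + 6);        /* flags + fragment offset */
    v->proto = buf[9];
    v->frag_off = off_field & IP_OFFMASK;
    v->has_transport = 0;
    v->sport = v->dport = 0;
    v->tcp_flags = 0;
    /* Only the first fragment carries the TCP header; in a later fragment the
     * bytes at that position are payload, so they must not be read as ports. */
    if (v->frag_off == 0 && v->proto == IPPROTO_TCP_NUM && len >= hlen + 20) {
        v->has_transport = 1;
        v->sport = get16(buf + hlen);
        v->dport = get16(buf + hlen + 2);
        v->tcp_flags = buf[hlen + 13];
    }
    return 0;
}

/* Rule 0 from the post, "permit tcp dst gt 1023 estab", consulted only when
 * the transport fields are real; non-first fragments get an explicit policy. */
static int rule0(const pkt_view *v, int permit_fragments)
{
    if (v->proto != IPPROTO_TCP_NUM) return A_DENY;
    if (!v->has_transport)
        return permit_fragments ? A_PERMIT : A_DENY;   /* the patch chooses permit */
    return (v->dport > 1023 && (v->tcp_flags & TH_ACK)) ? A_PERMIT : A_DENY;
}

static int decide(const uint8_t *buf, size_t len, int permit_fragments)
{
    pkt_view v;
    if (parse_packet(buf, len, &v) < 0) return A_DENY;   /* malformed: drop */
    return rule0(&v, permit_fragments);
}

/* Fragment offset of a packet, or -1 if it does not parse. */
static int fragment_offset(const uint8_t *buf, size_t len)
{
    pkt_view v;
    return parse_packet(buf, len, &v) < 0 ? -1 : (int)v.frag_off;
}

/* Pre-patch behaviour: ports and flags are read from every packet regardless
 * of the fragment offset, which is what hung the author's connections. */
static int rule0_naive(const uint8_t *buf, size_t len)
{
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (len < hlen + 20) return A_DENY;
    uint16_t dport = get16(buf + hlen + 2);
    uint8_t flags = buf[hlen + 13];
    return (buf[9] == IPPROTO_TCP_NUM && dport > 1023 && (flags & TH_ACK)) ? A_PERMIT : A_DENY;
}

/* Constructed samples: one TCP reply from port 80 to port 40000 split in two
 * fragments. Checksums are left zero; the filter never looks at them. */
static const uint8_t FRAG1[40] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x20, 0x00,  /* MF set, offset 0 */
    0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
    0x00, 0x50, 0x9c, 0x40, 0, 0, 0, 1, 0, 0, 0, 1,  /* sport 80, dport 40000 */
    0x50, 0x10, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00   /* ACK set */
};
static const uint8_t FRAG2[40] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x00, 0x05,  /* MF clear, offset 5 (40 bytes) */
    0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
    0x00, 0x17, 0x00, 0x15, 0, 0, 0, 0, 0, 0, 0, 0,  /* payload that reads as ports 23 -> 21 */
    0x50, 0x00, 0, 0, 0, 0, 0, 0                     /* and a zero "flags" byte */
};

int main(void)
{
    printf("first fragment:  %d\n", decide(FRAG1, sizeof FRAG1, 1));       /* 1 */
    printf("second, naive:   %d\n", rule0_naive(FRAG2, sizeof FRAG2));     /* 0: dropped */
    printf("second, patched: %d\n", decide(FRAG2, sizeof FRAG2, 1));       /* 1 */
    return 0;
}
```

The second fragment shows the failure the post reports: read naively, its payload looks like a connection to port 21 without ACK, so rule 0 drops it and the transfer stalls. With the offset checked first, the parser refuses to treat those bytes as a header and the decision falls to the explicit fragment policy.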
