From owner-freebsd-hackers Wed Sep 13 17:10:04 1995
From: devet@adv.IAEhv.nl (Arjan de Vet)
Message-Id: <199509140006.CAA02805@adv.iaehv.nl>
Subject: ppp-iij filter and IP-fragments
To: hackers@freebsd.org
Date: Thu, 14 Sep 1995 02:06:16 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL23]

Hi,

I've been experimenting with the filter in ppp-iij and noticed that some
connections would hang with the following input filter:

    # allow reply packets
    set ifilter 0 permit tcp dst gt 1023 estab
    # allow ftp-data connections
    set ifilter 1 permit tcp src eq 20 dst gt 1023
    # allow rlogin connections
    set ifilter 2 permit tcp src eq 513 estab
    # allow identd lookups (to avoid long waits with IAE)
    set ifilter 3 permit tcp dst eq 113
    # allow DNS replies
    set ifilter 4 permit udp src eq 53
    # allow ping
    set ifilter 5 permit icmp
    # allow traceroute > 33433
    set ifilter 6 permit udp dst gt 33433
    # deny everything else
    set ifilter 7 deny 0/0 0/0

The problem was with the `estab' keyword in rule 0 which checks for
ACK-bits on incoming packets. I found out that all fragments (except the
first one) of a fragmented packet were dropped because the sport, dport
and estab variables contained bogus information in that case. So I added
the following code to /usr/src/usr.sbin/ppp/ip.c:

--- ip.c.orig	Tue May 30 05:50:37 1995
+++ ip.c	Thu Sep 14 01:45:23 1995
@@ -131,6 +131,11 @@
   sport = dport = 0;
   for (n = 0; n < MAXFILTERS; n++) {
     if (fp->action) {
+      /* permit fragments on in and out filter */
+      if ((direction == FL_IN || direction == FL_OUT) &&
+          (pip->ip_off & IP_OFFMASK) != 0) {
+        return(A_PERMIT);
+      }
 #ifdef DEBUG
       logprintf("rule = %d\n", n);
 #endif

I hope the fix is correct, I just started using FreeBSD at my own machine
4 days ago...

Arjan
--
Arjan de Vet (IAE)                       Internet Access Eindhoven (IAE)
(home)
URL: http://www.IAEhv.nl/iae/people/devet/
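Review bot: the added `(pip->ip_off & IP_OFFMASK) != 0` test reads `ip_off` without `ntohs()`; the header is still in network byte order here, since it comes straight off the tunnel device, so on a little-endian host the mask is applied to the wrong bits. With IP_OFFMASK = 0x1fff, a datagram with only DF set (field 0x4000, bytes 0x40 0x00) is read as 0x0040, which is non-zero under the mask, so every DF-flagged packet and every first fragment carrying MF (0x2000, read as 0x0020) would take the early `return(A_PERMIT)` and skip all eight rules, not just the later fragments the fix is meant for; write it as `(ntohs(pip->ip_off) & IP_OFFMASK) != 0`. Two smaller points: the test depends on neither `n` nor `fp`, so it belongs before the `for (n = 0; n < MAXFILTERS; n++)` loop rather than inside `if (fp->action)`, where it is re-evaluated per rule and skipped entirely if rule 0 has no action; and permitting every non-first fragment unconditionally means rule 7's `deny 0/0 0/0` never sees them, which is the usual trade-off for a stateless filter but deserves a comment in the code and in the man page so that users know fragments bypass the port and `estab` rules.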
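As an added illustration, not code from the mail or from ppp-iij, the input filter above and the fragment fix modelled in Python on constructed packets; it also shows what the check computes when ip_off is read as a little-endian short without ntohs(). The packet builders, the rule order and the helper names are my assumptions.

```python
import struct

# IPv4 ip_off bits (same values as in <netinet/ip.h>)
IP_OFFMASK, IP_MF, IP_DF = 0x1FFF, 0x2000, 0x4000
TH_ACK = 0x10
ICMP, TCP, UDP = 1, 6, 17

def build_packet(proto, ip_off, payload):
    """Constructed sample datagram: minimal 20-byte IPv4 header (checksum 0) + payload."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 1, ip_off,
                      64, proto, 0, bytes(4), bytes(4))
    return hdr + payload

def tcp_hdr(sport, dport, flags):
    """Constructed 20-byte TCP header; only the ports and the flags byte matter here."""
    return struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp_hdr(sport, dport):
    """Constructed 8-byte UDP header (length 8, checksum 0)."""
    return struct.pack('!HHHH', sport, dport, 8, 0)

def filter_check(pkt):
    """The mail's input filter, rules 0-7 in order; '!' unpacks in network order (= ntohs)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_off = struct.unpack('!H', pkt[6:8])[0]
    proto = pkt[9]
    if ip_off & IP_OFFMASK:              # non-first fragment: no ports or flags to inspect
        return 'permit'                  # the behaviour the patch adds
    body = pkt[ihl:]
    if proto == TCP:
        sport, dport = struct.unpack('!HH', body[:4])
        estab = bool(body[13] & TH_ACK)  # `estab' = ACK bit set
        if dport > 1023 and estab:       return 'permit'   # rule 0: reply packets
        if sport == 20 and dport > 1023: return 'permit'   # rule 1: ftp-data
        if sport == 513 and estab:       return 'permit'   # rule 2: rlogin
        if dport == 113:                 return 'permit'   # rule 3: identd
    elif proto == UDP:
        sport, dport = struct.unpack('!HH', body[:4])
        if sport == 53:                  return 'permit'   # rule 4: DNS replies
        if dport > 33433:                return 'permit'   # rule 6: traceroute
    elif proto == ICMP:
        return 'permit'                                    # rule 5: ping
    return 'deny'                                          # rule 7: everything else

def fragment_check_wrong_endian(pkt):
    """What `pip->ip_off & IP_OFFMASK` computes on a little-endian host without ntohs()."""
    ip_off_le = struct.unpack('<H', pkt[6:8])[0]
    return bool(ip_off_le & IP_OFFMASK)
```

A DF-only packet (ip_off 0x4000) is correctly inspected and denied by filter_check, but fragment_check_wrong_endian reports it as a fragment.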