Date: Tue, 5 Nov 1996 12:30:08 +0300 (MVW)
From: Viacheslav Andreev <cliff@st.simbirsk.su>
To: freebsd-hackers@FreeBSD.ORG
Subject: ip_fw.c - bug or feature ?
Message-ID: <199611050930.AA26920@mpool.st.simbirsk.su>
Hi!

I am not sure whether this is a bug or a feature. While trying to disable TCP traffic for some port, e.g.

    ipfw add 1070 deny log tcp from any to 192.168.0.1 80

there is false dropping of fragmented packets (i.e. the 2nd and subsequent fragments, which carry no TCP port info) of ftp traffic. IMHO, it is a result of matching fragments against firewall rules with TCP port specs:

-----------/sys/netinet/ip_fw.c-----------------------------

    /* Check TCP flags and TCP/UDP ports only if packet is not fragment */
    if (!(ip->ip_off & IP_OFFMASK)) {
        /* TCP, a little more checking */
        if (prt == IP_FW_F_TCP && (f->fw_tcpf != f->fw_tcpnf) && (!tcpflg_match(tcp, f)))
            continue;
        if (!port_match(&f->fw_pts[0], f->fw_nsp, src_port, f->fw_flg & IP_FW_F_SRNG))
            continue;
        if (!port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, dst_port, f->fw_flg & IP_FW_F_DRNG))
            continue;
    }

    /* !!! fragmented packets match here with rules with TCP port spec. */
got_match:
    f->fw_pcnt++;
    f->fw_bcnt += ip->ip_len;
    f->timestamp = time.tv_sec;
    if (f->fw_flg & IP_FW_F_PRN) {

IMHO, to solve this problem, the source should look like this:

    /* Check TCP flags and TCP/UDP ports only if packet is not fragment */
    if (!(ip->ip_off & IP_OFFMASK)) {
        /* TCP, a little more checking */
        if (prt == IP_FW_F_TCP && (f->fw_tcpf != f->fw_tcpnf) && (!tcpflg_match(tcp, f)))
            continue;
        if (!port_match(&f->fw_pts[0], f->fw_nsp, src_port, f->fw_flg & IP_FW_F_SRNG))
            continue;
        if (!port_match(&f->fw_pts[f->fw_nsp], f->fw_ndp, dst_port, f->fw_flg & IP_FW_F_DRNG))
            continue;
    } else {
        /* fragment here */
        if (f->fw_ndp > 0 || f->fw_nsp > 0) {
            continue;   /* don't match fragment with "precise" rule */
        }
    }

--
Viacheslav Andreev
Dimitrovgrad town, Middle Volga, Russia.
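The matching paths the message contrasts, as a constructed C model added here (not ip_fw.c and not the poster's code): the rule and packet structs, the port list layout and the 0xC0A80001 address for 192.168.0.1 are simplifications assumed for the example, and a non-first fragment is modelled with a zero destination port because it carries no TCP header.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed simplifications of the kernel's rule/packet data (assumptions, not struct ip_fw). */
#define IP_OFFMASK 0x1fff   /* fragment offset bits of ip_off, as in struct ip */
#define PROTO_TCP  6

struct fw_rule {
    uint32_t dst_addr;     /* destination address the rule names (0 = any) */
    uint8_t  proto;        /* protocol the rule names (0 = any) */
    int      ndp;          /* number of destination ports listed (0 = any port) */
    uint16_t dports[4];    /* destination port list */
};

struct pkt {
    uint32_t dst_addr;
    uint8_t  proto;
    uint16_t ip_off;       /* raw ip_off field; nonzero offset bits = non-first fragment */
    uint16_t dst_port;     /* only meaningful when (ip_off & IP_OFFMASK) == 0 */
};

static bool port_match(const uint16_t *ports, int n, uint16_t port)
{
    if (n == 0) return true;             /* no ports listed: any port matches */
    for (int i = 0; i < n; i++)
        if (ports[i] == port) return true;
    return false;
}

/* proposed_fix == false reproduces the excerpt as quoted; true adds the else-branch from the message. */
bool rule_matches(const struct fw_rule *f, const struct pkt *p, bool proposed_fix)
{
    if (f->dst_addr && f->dst_addr != p->dst_addr) return false;
    if (f->proto && f->proto != p->proto) return false;
    if (!(p->ip_off & IP_OFFMASK)) {
        /* unfragmented or first fragment: the TCP header is present, so ports are checked */
        if (!port_match(f->dports, f->ndp, p->dst_port)) return false;
    } else if (proposed_fix && f->ndp > 0) {
        /* later fragment carries no port info: a port-specific rule must not claim it */
        return false;
    }
    return true;   /* got_match: without the fix every later fragment lands here */
}

/* Scenario from the message: "deny tcp from any to 192.168.0.1 80" versus a later fragment of ftp traffic. */
bool ftp_fragment_dropped(bool proposed_fix)
{
    struct fw_rule r = { .dst_addr = 0xC0A80001u, .proto = PROTO_TCP, .ndp = 1, .dports = { 80 } };
    struct pkt frag = { .dst_addr = 0xC0A80001u, .proto = PROTO_TCP, .ip_off = 0x0010, .dst_port = 0 };
    return rule_matches(&r, &frag, proposed_fix);
}
```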
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199611050930.AA26920>