From: "Andrey V. Elsukov" Date: Mon, 19 Mar 2018 09:52:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r331201 - in stable/11: sbin/ipfw sys/netpfil/ipfw X-SVN-Group: stable-11 X-SVN-Commit-Author: ae X-SVN-Commit-Paths: in stable/11: sbin/ipfw sys/netpfil/ipfw X-SVN-Commit-Revision: 331201 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Mar 2018 09:52:17 -0000 Author: ae Date: Mon Mar 19 09:52:16 2018 New Revision: 331201 URL: https://svnweb.freebsd.org/changeset/base/331201 Log: MFC r330792: Do not try to reassemble IPv6 fragments in "reass" rule. ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets that it gets. Until proper IPv6 fragments handling function will be implemented, pass IPv6 packets to next rule. PR: 170604 Modified: stable/11/sbin/ipfw/ipfw.8 stable/11/sys/netpfil/ipfw/ip_fw2.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sbin/ipfw/ipfw.8 ============================================================================== --- stable/11/sbin/ipfw/ipfw.8 Mon Mar 19 08:28:25 2018 (r331200) +++ stable/11/sbin/ipfw/ipfw.8 Mon Mar 19 09:52:16 2018 (r331201) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 3, 2017 +.Dd March 12, 2018 .Dt IPFW 8 .Os .Sh NAME 
@@ -1135,7 +1135,7 @@ Regardless of matched a packet or not by the .Cm tcp-setmss rule, the search continues with the next rule. .It Cm reass -Queue and reassemble IP fragments. +Queue and reassemble IPv4 fragments. If the packet is not fragmented, counters are updated and processing continues with the next rule. If the packet is the last logical fragment, the packet is reassembled and, if Modified: stable/11/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- stable/11/sys/netpfil/ipfw/ip_fw2.c Mon Mar 19 08:28:25 2018 (r331200) +++ stable/11/sys/netpfil/ipfw/ip_fw2.c Mon Mar 19 09:52:16 2018 (r331201) @@ -2779,8 +2779,10 @@ do { \ case O_REASS: { int ip_off; - IPFW_INC_RULE_COUNTER(f, pktlen); l = 0; /* in any case exit inner loop */ + if (is_ipv6) /* IPv6 is not supported yet */ + break; + IPFW_INC_RULE_COUNTER(f, pktlen); ip_off = ntohs(ip->ip_off); /* if not fragmented, go to next rule */
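Review bot: In the ipfw.8 hunk at @@ -1135, the ".It Cm reass" entry now reads "Queue and reassemble IPv4 fragments." but never says what the rule does with an IPv6 packet. The commit log states that IPv6 packets are passed to the next rule; the man page should say the same, for example with one added sentence such as "IPv6 packets are not reassembled and processing continues with the next rule." Operators who put reass ahead of rules that match on upper-layer fields need to know from the documentation that IPv6 fragments reach those later rules unreassembled.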
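Review bot: In the O_REASS case of ip_fw2.c, the new "if (is_ipv6) break;" runs before IPFW_INC_RULE_COUNTER(f, pktlen), which this hunk moves below the check, so IPv6 packets that traverse a reass rule no longer show up in that rule's counters. The unchanged ipfw.8 context still says that for a packet that is not fragmented "counters are updated and processing continues with the next rule", which is now true for IPv4 only. If leaving IPv6 uncounted is intended, state it in the man page and in the code comment; otherwise keep the increment above the is_ipv6 check. The check also skips every IPv6 packet, not only fragments, so the comment "IPv6 is not supported yet" would be clearer as "IPv6 reassembly is not supported yet; pass to next rule".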