Date: Wed, 11 Feb 1998 16:57:07 -0800 (PST) From: Alex Nash <alex@FreeBSD.ORG> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG, cvs-sbin@FreeBSD.ORG Subject: cvs commit: src/sys/netinet ip_fw.c src/sbin/ipfw ipfw.8 ipfw.c Message-ID: <199802120057.QAA26177@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
alex 1998/02/11 16:57:06 PST
Modified files:
sys/netinet ip_fw.c
sbin/ipfw ipfw.8 ipfw.c
Log:
Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:
- Do not match fragmented packets if the rule specifies a port or
TCP flags
- Match fragmented packets if the rule does not specify a port and
TCP flags
Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags. Both kernel and ipfw userland utility will reject rules
containing a combination of these options.
BEWARE: packets that were previously passed may now be rejected, and
vice versa.
Reviewed by: Archie Cobbs <archie@whistle.com>
Revision Changes Path
1.78 +35 -3 src/sys/netinet/ip_fw.c
1.38 +16 -0 src/sbin/ipfw/ipfw.8
1.54 +11 -2 src/sbin/ipfw/ipfw.c
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199802120057.QAA26177>