From owner-cvs-sys Wed Feb 11 17:07:31 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA28132 for cvs-sys-outgoing; Wed, 11 Feb 1998 17:07:31 -0800 (PST) (envelope-from owner-cvs-sys)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA27656; Wed, 11 Feb 1998 17:05:06 -0800 (PST) (envelope-from alex@FreeBSD.org)
From: Alex Nash
Received: (from alex@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id QAA26177; Wed, 11 Feb 1998 16:57:07 -0800 (PST)
Date: Wed, 11 Feb 1998 16:57:07 -0800 (PST)
Message-Id: <199802120057.QAA26177@freefall.freebsd.org>
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG, cvs-sbin@FreeBSD.ORG
Subject: cvs commit: src/sys/netinet ip_fw.c src/sbin/ipfw ipfw.8 ipfw.c
Sender: owner-cvs-sys@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

alex        1998/02/11 16:57:06 PST

  Modified files:
    sys/netinet          ip_fw.c
    sbin/ipfw            ipfw.8 ipfw.c
  Log:
  Alter ipfw's behavior with respect to fragmented packets when the packet
  offset is non-zero:

    - Do not match fragmented packets if the rule specifies a port or
      TCP flags
    - Match fragmented packets if the rule does not specify a port and
      TCP flags

  Since ipfw cannot examine port numbers or TCP flags for such packets, it
  is now illegal to specify the 'frag' option with either ports or
  tcpflags. Both kernel and ipfw userland utility will reject rules
  containing a combination of these options.

  BEWARE: packets that were previously passed may now be rejected, and
  vice versa.

  Reviewed by: Archie Cobbs

  Revision  Changes    Path
  1.78      +35 -3     src/sys/netinet/ip_fw.c
  1.38      +16 -0     src/sbin/ipfw/ipfw.8
  1.54      +11 -2     src/sbin/ipfw/ipfw.c
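
The fragment-matching and rule-validation behaviour described in the log above, as a simplified C model added here for illustration; it is not the code from ip_fw.c or ipfw.c. The struct layouts, field names and function names are hypothetical, and the sample rules and packets in main() are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified models; these are not the structures in ip_fw.c. */
struct rule {
    bool     frag;          /* rule carries the 'frag' option */
    bool     has_port;      /* rule specifies a port */
    bool     has_tcpflags;  /* rule specifies tcpflags */
    uint16_t dport;         /* port to match when has_port is set */
    uint8_t  tcpflags;      /* flag bits that must be set when has_tcpflags */
};

struct pkt {
    uint16_t frag_off;      /* IP fragment offset; non-zero = later fragment */
    uint16_t dport;         /* only readable when frag_off == 0 */
    uint8_t  tcpflags;      /* only readable when frag_off == 0 */
};

/* Rule insertion check: 'frag' may not be combined with ports or tcpflags. */
bool rule_is_legal(const struct rule *r)
{
    return !(r->frag && (r->has_port || r->has_tcpflags));
}

/* Port/flag stage of matching; addresses and protocol are assumed to have
 * matched already, and the 'frag' option's own match test is not modelled. */
bool rule_matches(const struct rule *r, const struct pkt *p)
{
    if (p->frag_off != 0)
        /* No transport header in this fragment: nothing to compare against. */
        return !(r->has_port || r->has_tcpflags);
    if (r->has_port && r->dport != p->dport)
        return false;
    if (r->has_tcpflags && (p->tcpflags & r->tcpflags) != r->tcpflags)
        return false;
    return true;
}

int main(void)
{
    struct rule web = { false, true, false, 80, 0 };   /* constructed samples */
    struct rule any = { false, false, false, 0, 0 };
    struct pkt first = { 0, 80, 0x02 }, later = { 185, 0, 0 };
    printf("web/first=%d web/later=%d any/later=%d\n",
           rule_matches(&web, &first), rule_matches(&web, &later),
           rule_matches(&any, &later));
    return 0;
}
```

In this model a rule that names a port never matches a later fragment, so such fragments fall through to whichever later rule has no port or tcpflags criteria, which is the change in outcome the BEWARE line refers to.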