Oren K. wrote:
> Hi,
> The 'current version' source downloadable from
> http://coombs.anu.edu.au/~avalon/ gives a version of ipfilter in which
> by default any packet fragments beyond the first are dropped with BAD-IN
> status. I understand this is a result of a fix made due to kernel panic
> that was reported here:
> http://marc.info/?l=ipfilter&m=121267676118062&w=2
>
> The kernel panic is patched into 4.1.31. However the patch that was to
> solve dropping subsequent fragments was only posted in the mailing list
> (same post as above, as 'mypatch.txt') but not patched into the trunk. I
> applied this patch manually and it solved the problem. My question is,
> shouldn't this patch be in the main trunk? It seems to me that having
> ipfilter drop packet fragments by default is an undesirable behavior.
>
So I think you're arguing for something like this...which I'll add now.
Darren
Index: ip_nat.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.195.2.121
diff -c -r2.195.2.121 ip_nat.c
*** ip_nat.c 6 Nov 2008 21:18:34 -0000 2.195.2.121
--- ip_nat.c 28 Dec 2008 15:06:41 -0000
***************
*** 3811,3826 ****
} else {
u_32_t hv, msk, nmsk;
/*
* If there is no current entry in the nat table for this IP#,
* create one for it (if there is a matching rule).
*/
- if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP)) {
- natfailed = -1;
- goto nonatfrag;
- }
- msk = 0xffffffff;
- nmsk = nat_masks;
maskloop:
iph = ipa & htonl(msk);
hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
--- 3811,3825 ----
} else {
u_32_t hv, msk, nmsk;
+ if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP))
+ goto nonatfrag;
+
+ msk = 0xffffffff;
+ nmsk = nat_masks;
/*
* If there is no current entry in the nat table for this IP#,
* create one for it (if there is a matching rule).
*/
maskloop:
iph = ipa & htonl(msk);
hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
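Review bot: Dropping the `natfailed = -1;` before `goto nonatfrag` changes the outcome for non-first TCP/UDP fragments from "flag as failed" to "fall through with whatever natfailed already holds", but nothing at the goto says so. Since this is the whole point of the fix for the BAD-IN drops reported in the thread, add a one-line comment at the `if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP))` line stating that later fragments carry no port information, so no NAT rule lookup is attempted and they are passed on untranslated, and confirm that the `nonatfrag:` path treats the unchanged natfailed value as "no translation" rather than as an error. Moving `msk = 0xffffffff; nmsk = nat_masks;` above the "If there is no current entry in the nat table" comment reads correctly, since the comment now sits directly above the `maskloop:` it describes.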
***************
*** 4107,4116 ****
} else {
u_32_t hv, msk, rmsk;
! if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP)) {
! natfailed = -1;
goto nonatfrag;
! }
rmsk = rdr_masks;
msk = 0xffffffff;
/*
--- 4106,4114 ----
} else {
u_32_t hv, msk, rmsk;
! if ((fin->fin_off != 0) && (fin->fin_flx & FI_TCPUDP))
goto nonatfrag;
!
rmsk = rdr_masks;
msk = 0xffffffff;
/*
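Review bot: This is the same `natfailed = -1;` removal as in the first hunk, applied to the redirect path, which keeps the two fragment checks consistent; the `!` line that replaces the old closing brace is left as an empty changed line, so drop it rather than shipping a stray blank, and give the `goto nonatfrag` here the same explanatory comment as the first site so the two checks document the intended behaviour identically. Since the identical two-line test now appears in both paths, consider a shared macro or helper so a future change to fragment handling cannot drift between them.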