Module Name:    src
Committed By:   christos
Date:           Sun Apr 23 20:47:22 UTC 2017

Modified Files:
        src/sys/external/bsd/ipf/netinet: fil.c ip_state.c

Log Message:
Disconnect maintaining fragment state from keeping session state. The user
now must specify keep frags along with keep state to have ipfilter do what
it did before, as documented in ipf.conf.5. (Cy Schubert @ FreeBSD)


To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/sys/external/bsd/ipf/netinet/fil.c
cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/ipf/netinet/ip_state.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/bsd/ipf/netinet/fil.c
diff -u src/sys/external/bsd/ipf/netinet/fil.c:1.19 src/sys/external/bsd/ipf/netinet/fil.c:1.20
--- src/sys/external/bsd/ipf/netinet/fil.c:1.19	Fri Aug  5 05:06:52 2016
+++ src/sys/external/bsd/ipf/netinet/fil.c	Sun Apr 23 16:47:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: fil.c,v 1.19 2016/08/05 09:06:52 christos Exp $	*/
+/*	$NetBSD: fil.c,v 1.20 2017/04/23 20:47:22 christos Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -138,7 +138,7 @@ extern struct timeout ipf_slowtimer_ch;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.19 2016/08/05 09:06:52 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.20 2017/04/23 20:47:22 christos Exp $");
 #else
 static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: fil.c,v 1.1.1.2 2012/07/22 13:45:07 darrenr Exp $";
@@ -2723,7 +2723,7 @@ ipf_firewall(fr_info_t *fin, u_32_t *pas
 	 * If the rule has "keep frag" and the packet is actually a fragment,
 	 * then create a fragment state entry.
 	 */
-	if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
+	if (pass & FR_KEEPFRAG) {
 		if (fin->fin_flx & FI_FRAG) {
 			if (ipf_frag_new(softc, fin, pass) == -1) {
 				LBUMP(ipf_stats[out].fr_bnfr);
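Review bot: With the `FR_KEEPSTATE` mask gone, a rule carrying both keep state and keep frags now creates its fragment entry at this test in ipf_firewall(), so any path that also calls `ipf_frag_new()` while the state entry is being added would create a second entry for the same packet. That path is not visible in this hunk, so this is a point to confirm rather than a demonstrated defect. The comment above the test could also say so explicitly, e.g. `* This applies whether or not the rule also has "keep state".`, because the old condition encoded the opposite assumption. The body of ipf_firewall() starts and ends outside the hunk.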

Index: src/sys/external/bsd/ipf/netinet/ip_state.c
diff -u src/sys/external/bsd/ipf/netinet/ip_state.c:1.6 src/sys/external/bsd/ipf/netinet/ip_state.c:1.7
--- src/sys/external/bsd/ipf/netinet/ip_state.c:1.6	Sat Sep 14 08:16:11 2013
+++ src/sys/external/bsd/ipf/netinet/ip_state.c	Sun Apr 23 16:47:22 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_state.c,v 1.6 2013/09/14 12:16:11 martin Exp $	*/
+/*	$NetBSD: ip_state.c,v 1.7 2017/04/23 20:47:22 christos Exp $	*/
 
 /*
  * Copyright (C) 2012 by Darren Reed.
@@ -100,7 +100,7 @@ struct file;
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.6 2013/09/14 12:16:11 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_state.c,v 1.7 2017/04/23 20:47:22 christos Exp $");
 #else
 static const char sccsid[] = "@(#)ip_state.c	1.8 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_state.c,v 1.1.1.2 2012/07/22 13:45:37 darrenr Exp";
@@ -3341,7 +3341,8 @@ ipf_state_check(fr_info_t *fin, u_32_t *
 	 * If this packet is a fragment and the rule says to track fragments,
 	 * then create a new fragment cache entry.
 	 */
-	if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass))
+	if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&
+	   is->is_pass & FR_KEEPFRAG)
 		(void) ipf_frag_new(softc, fin, is->is_pass);
 
 	/*
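Review bot: The result of `ipf_frag_new()` is still cast to `(void)` under the new three-part condition, so a failure to create the fragment entry is silent here, whereas the ipf_firewall() hunk in fil.c counts the same failure with `LBUMP(ipf_stats[out].fr_bnfr)`. Now that fragment tracking is an explicit opt-in through `FR_KEEPFRAG`, this hunk gives an operator who asked for it no visible signal when the cache entry was not created. Recording the failure, or at least adding a comment such as `/* best effort: a failed ipf_frag_new() is not counted on this path */`, would make that choice explicit. The new condition also drops the parentheses the old line had around the bitwise test; `if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass) && (is->is_pass & FR_KEEPFRAG))` reads unambiguously. ipf_state_check() continues outside the hunk.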
