Hi list,

It would be nice if the reserved flag in the IP would be
cleared by pf_norm to eliminate covert channels using the
bit. Here is a small patch for that.

regards,
Steffen

Index: pf_norm.c
===================================================================
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.140
diff -u -p -r1.140 pf_norm.c
--- pf_norm.c   18 Jul 2011 21:03:10 -0000      1.140
+++ pf_norm.c   6 Sep 2011 15:40:48 -0000
@@ -1454,4 +1454,8 @@ pf_scrub(struct mbuf *m, u_int16_t flags
        if (flags & PFSTATE_RANDOMID && af == AF_INET &&
            !(h->ip_off & ~htons(IP_DF)))
                h->ip_id = htons(ip_randomid());
+
+       /* clear IP reserved flag */
+       if (h->ip_off & htons(IP_RF))
+               h->ip_off ^= htons(IP_RF);
 }
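
Review bot: the new IP_RF block at the end of pf_scrub reads and writes h->ip_off without an af == AF_INET check, although the random-id condition directly above it does test af == AF_INET, which suggests this function is also reached for other address families where h is not a valid IPv4 header; guard the block with af == AF_INET. The test-then-XOR pair can be a single statement, `h->ip_off &= ~htons(IP_RF);`, which is also easier to read as "clear" rather than "toggle". Unlike the random-id rewrite, which is gated on PFSTATE_RANDOMID, the clear runs unconditionally for every packet that reaches this point; say in the comment whether that is intended, and confirm that the IP header checksum is fixed up after ip_off is modified.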



-- 
With best regards/
Mit freundlichen Grüßen

Steffen Wendzel

My website: http://www.wendzel.de
My blog: http://steffen-wendzel.blogspot.com
Our books: http://www.linux-openbook.de

Read the new Linux handbook for free:
 http://openbook.galileocomputing.de/linux/
