Good idea, thanks.
@OpenBSD-tech: here is the new diff.
-Steffen
cvs server: Diffing .
Index: pf_norm.c
===================================================================
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.140
diff -u -p -r1.140 pf_norm.c
--- pf_norm.c 18 Jul 2011 21:03:10 -0000 1.140
+++ pf_norm.c 7 Sep 2011 13:52:18 -0000
@@ -1454,4 +1454,7 @@ pf_scrub(struct mbuf *m, u_int16_t flags
if (flags & PFSTATE_RANDOMID && af == AF_INET &&
!(h->ip_off & ~htons(IP_DF)))
h->ip_id = htons(ip_randomid());
+
+ /* clear IP reserved flag */
+ h->ip_off ^= htons(IP_RF);
}
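Review bot: with the `if` dropped, `h->ip_off ^= htons(IP_RF);` toggles the reserved bit instead of clearing it: a packet that arrives with RF clear leaves pf_scrub with RF set, so every ordinary packet gets the bit and a covert channel through it survives merely inverted. Use the AND-NOT form from the follow-up, `h->ip_off &= ~htons(IP_RF);` (the reply writes `h->off`, but the field is `ip_off`). Consider also moving the clear above the PFSTATE_RANDOMID block: its condition `!(h->ip_off & ~htons(IP_DF))` skips ID randomisation for any packet with RF set, so clearing RF first lets those packets get a random ip_id as well.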
On Wed, 7 Sep 2011 13:32:02 +0000, wrote:
Avoid the branch... Don't need the "if"
h->off &= ~htons(IP_RF);
--jason wright
------Original Message------
From: Steffen Wendzel
Sender: [email protected]
To: [email protected]
Subject: [patch] pf_norm: clear IPv4 reserved flag
Sent: Sep 7, 2011 02:41
Hi list,
It would be nice if the reserved flag in the IP header were
cleared by pf_norm, to eliminate covert channels using that
bit. Here is a small patch for that.
Regards,
Steffen
Index: pf_norm.c
===================================================================
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.140
diff -u -p -r1.140 pf_norm.c
--- pf_norm.c 18 Jul 2011 21:03:10 -0000 1.140
+++ pf_norm.c 6 Sep 2011 15:40:48 -0000
@@ -1454,4 +1454,8 @@ pf_scrub(struct mbuf *m, u_int16_t flags
if (flags & PFSTATE_RANDOMID && af == AF_INET &&
!(h->ip_off & ~htons(IP_DF)))
h->ip_id = htons(ip_randomid());
+
+ /* clear IP reserved flag */
+ if (h->ip_off & htons(IP_RF))
+ h->ip_off ^= htons(IP_RF);
}
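Review bot: the `if (h->ip_off & htons(IP_RF))` guard followed by an XOR is correct but is the branchy spelling of a single `h->ip_off &= ~htons(IP_RF);`, which clears the bit whatever its current value and matches the comment "clear IP reserved flag" literally. Note too that the clear is unconditional, unlike the ip_id step just above it, which is gated on PFSTATE_RANDOMID; the commit message should state that the reserved bit is now cleared on every IPv4 packet passing through pf_scrub.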
--
My Website: http://www.wendzel.de, Openbook:
http://www.linux-openbook.de
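To make the difference between the two spellings concrete, here is an added example that is not part of the thread or of OpenBSD's pf code. It encodes one byte into the reserved bit of eight constructed IPv4 `ip_off` fields (sender side of the covert channel the original mail wants to close), pushes each field through either the XOR form or the AND-NOT form, and decodes what the far side would see. The `IP_RF`/`IP_DF`/`IP_MF` values are the ones from `<netinet/ip.h>`; `iphdr_frag`, `encode_rf`, `decode_rf` and `channel_after` are constructed helpers for the demonstration, not pf functions.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Flag values as defined in <netinet/ip.h>; ip_off is kept in network byte
 * order exactly as in struct ip, which is why htons() appears on the constants. */
#define IP_RF 0x8000      /* reserved bit, must be zero per RFC 791 */
#define IP_DF 0x4000      /* don't fragment */
#define IP_MF 0x2000      /* more fragments */

/* Constructed stand-in for the two struct ip fields pf_scrub touches here. */
struct iphdr_frag {
    uint16_t ip_id;
    uint16_t ip_off;
};

/* XOR, as in the posted follow-up diff without the if: toggles RF, so a header
 * that arrives with RF clear leaves with RF set. */
static uint16_t scrub_rf_xor(uint16_t ip_off)
{
    return (uint16_t)(ip_off ^ htons(IP_RF));
}

/* AND-NOT, as Jason Wright suggested: RF always ends up 0, other bits untouched. */
static uint16_t scrub_rf_andnot(uint16_t ip_off)
{
    return (uint16_t)(ip_off & ~htons(IP_RF));
}

/* 1 if the reserved bit is set in a network-order ip_off, else 0. */
static int rf_set(uint16_t ip_off)
{
    return (ip_off & htons(IP_RF)) != 0;
}

/* Constructed sender: hide one byte, MSB first, in the RF bit of 8 headers.
 * Baseline is DF set with no fragment offset, a normal-looking unfragmented packet. */
static void encode_rf(uint8_t byte, struct iphdr_frag hdrs[8])
{
    for (int i = 0; i < 8; i++) {
        hdrs[i].ip_id = htons((uint16_t)(0x1000 + i));
        hdrs[i].ip_off = htons(IP_DF);
        if (byte & (0x80 >> i))
            hdrs[i].ip_off |= htons(IP_RF);
    }
}

/* Constructed receiver: rebuild the byte from the RF bits it observes. */
static uint8_t decode_rf(const struct iphdr_frag hdrs[8])
{
    uint8_t b = 0;
    for (int i = 0; i < 8; i++)
        if (rf_set(hdrs[i].ip_off))
            b |= (uint8_t)(0x80 >> i);
    return b;
}

/* Send one byte through the channel with the given scrub applied in between
 * and return what the receiver decodes. */
static uint8_t channel_after(uint8_t byte, uint16_t (*scrub)(uint16_t))
{
    struct iphdr_frag hdrs[8];
    encode_rf(byte, hdrs);
    for (int i = 0; i < 8; i++)
        hdrs[i].ip_off = scrub(hdrs[i].ip_off);
    return decode_rf(hdrs);
}

int main(void)
{
    uint8_t secret = 0xA5;
    printf("sent 0x%02x, after XOR scrub: 0x%02x, after AND-NOT scrub: 0x%02x\n",
           secret,
           channel_after(secret, scrub_rf_xor),
           channel_after(secret, scrub_rf_andnot));
    return 0;
}
```

With the XOR form the receiver still recovers the byte (every bit inverted), so the channel is intact; with the AND-NOT form every header carries RF=0 and the receiver reads zero regardless of what was sent. The AND-NOT form also leaves DF, MF and the fragment offset bits exactly as they were, which is what pf_scrub wants.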