On Wed, Sep 07, 2011 at 03:56:18PM +0200, Steffen Wendzel wrote:

> Good idea, thx.
> 
> @OpenBSD-tech: here is the new diff.

Obviously not correct.

        -Otto
        
> 
> -Steffen
> 
> cvs server: Diffing .
> Index: pf_norm.c
> ===================================================================
> RCS file: /cvs/src/sys/net/pf_norm.c,v
> retrieving revision 1.140
> diff -u -p -r1.140 pf_norm.c
> --- pf_norm.c 18 Jul 2011 21:03:10 -0000      1.140
> +++ pf_norm.c 7 Sep 2011 13:52:18 -0000
> @@ -1454,4 +1454,7 @@ pf_scrub(struct mbuf *m, u_int16_t flags
>       if (flags & PFSTATE_RANDOMID && af == AF_INET &&
>           !(h->ip_off & ~htons(IP_DF)))
>               h->ip_id = htons(ip_randomid());
> +
> +     /* clear IP reserved flag */
> +     h->ip_off ^= htons(IP_RF);
>  }
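Review bot: `h->ip_off ^= htons(IP_RF);` toggles the reserved bit instead of clearing it, so every packet that arrives with IP_RF clear leaves with it set; the branch-free form suggested upthread is `h->ip_off &= ~htons(IP_RF);`. The added lines also lack the `af == AF_INET` guard that the adjacent ip_id statement carries, so they run for IPv6 packets too, where h->ip_off is not an IPv4 fragment field; wrap the new statement in the same `af == AF_INET` check.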
> 
> 
> On Wed, 7 Sep 2011 13:32:02 +0000,  wrote:
> >Avoid the branch... Don't need the "if"
> >
> >h->ip_off &= ~htons(IP_RF);
> >
> >--jason wright
> >------Original Message------
> >From: Steffen Wendzel
> >Sender: [email protected]
> >To: [email protected]
> >Subject: [patch] pf_norm: clear IPv4 reserved flag
> >Sent: Sep 7, 2011 02:41
> >
> >Hi list,
> >
> >it would be nice if the reserved flag in the IP header were
> >cleared by pf_norm to eliminate covert channels using the
> >bit. Here is a small patch for that.
> >
> >regards,
> >Steffen
> >
> >Index: pf_norm.c
> >===================================================================
> >RCS file: /cvs/src/sys/net/pf_norm.c,v
> >retrieving revision 1.140
> >diff -u -p -r1.140 pf_norm.c
> >--- pf_norm.c        18 Jul 2011 21:03:10 -0000      1.140
> >+++ pf_norm.c        6 Sep 2011 15:40:48 -0000
> >@@ -1454,4 +1454,8 @@ pf_scrub(struct mbuf *m, u_int16_t flags
> >     if (flags & PFSTATE_RANDOMID && af == AF_INET &&
> >         !(h->ip_off & ~htons(IP_DF)))
> >             h->ip_id = htons(ip_randomid());
> >+
> >+    /* clear IP reserved flag */
> >+    if (h->ip_off & htons(IP_RF))
> >+            h->ip_off ^= htons(IP_RF);
> > }
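Review bot: the `if (h->ip_off & htons(IP_RF))` test makes the XOR correct but is unnecessary; `h->ip_off &= ~htons(IP_RF);` clears the bit in a single branch-free statement whether or not it was set. Like the ip_id statement just above it, the new code should also be limited to `af == AF_INET`; as written it runs for IPv6 packets as well, where h->ip_off does not refer to an IPv4 fragment field.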
> 
> -- 
> My Website: http://www.wendzel.de, Openbook:
> http://www.linux-openbook.de

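Added example (not OpenBSD code and not from this thread): a stand-alone C program that runs a constructed IPv4 ip_off field through the XOR form from the updated diff and through the `&= ~htons(IP_RF)` form, showing that XOR sets the reserved bit on a clean packet while the mask only ever clears it. The header struct and the IP_RF/IP_DF constants are declared locally (mirroring the BSD values) so it builds without kernel headers.

```c
/* Added example, not OpenBSD code: the XOR in the updated diff toggles the
 * reserved bit, while the &= ~ form clears it. Header struct and constants
 * are declared locally (mirroring the BSD values) so this builds alone. */
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#define IP_RF 0x8000   /* reserved bit, RFC 791: must be zero */
#define IP_DF 0x4000   /* don't fragment */

/* Minimal IPv4 header; only ip_off (network byte order) matters here. */
struct ipv4_hdr {
    uint8_t ver_hl, tos; uint16_t len, id, ip_off;
    uint8_t ttl, proto;  uint16_t sum; uint32_t src, dst;
};

/* Buggy form from the updated diff: XOR flips the bit either way. */
void scrub_rf_xor(struct ipv4_hdr *h)
{
    h->ip_off ^= htons(IP_RF);
}

/* Correct form: mask the bit off, keep DF/MF and the fragment offset, and
 * only touch IPv4 (the hunk's neighbouring ip_id code has the same guard). */
void scrub_rf_clear(struct ipv4_hdr *h, int af)
{
    if (af == AF_INET)
        h->ip_off &= ~htons(IP_RF);
}

int rf_set(const struct ipv4_hdr *h)   /* 1 if the reserved bit is set */
{
    return (ntohs(h->ip_off) & IP_RF) != 0;
}

/* Push one constructed ip_off (host order) through both scrubbers; returns
 * the host-order ip_off left by the correct one. */
uint16_t demo(uint16_t off_host)
{
    struct ipv4_hdr a = { .ip_off = htons(off_host) }, b = a;
    scrub_rf_xor(&a);
    scrub_rf_clear(&b, AF_INET);
    printf("in=0x%04x xor:RF=%d clear:RF=%d\n", off_host, rf_set(&a), rf_set(&b));
    return ntohs(b.ip_off);
}
int main(void)
{
    demo(0);                      /* clean packet: XOR wrongly sets the bit */
    demo(IP_RF | IP_DF | 0x0100); /* RF cleared, DF and offset preserved */
    return 0;
}
```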