On Thursday, 08.09.2011, 06:48 +0200, Otto Moerbeek wrote:
> On Wed, Sep 07, 2011 at 03:56:18PM +0200, Steffen Wendzel wrote:
> 
> > Good idea, thx.
> > 
> > @OpenBSD-tech: here is the new diff.
> 
> Obviously not correct.
Sorry for that, you are right. However, my original patch works fine.

-Steffen

> 
> -Otto
> 
> > 
> > -Steffen
> > 
> > cvs server: Diffing .
> > Index: pf_norm.c
> > ===================================================================
> > RCS file: /cvs/src/sys/net/pf_norm.c,v
> > retrieving revision 1.140
> > diff -u -p -r1.140 pf_norm.c
> > --- pf_norm.c 18 Jul 2011 21:03:10 -0000 1.140
> > +++ pf_norm.c 7 Sep 2011 13:52:18 -0000
> > @@ -1454,4 +1454,7 @@ pf_scrub(struct mbuf *m, u_int16_t flags
> > if (flags & PFSTATE_RANDOMID && af == AF_INET &&
> > !(h->ip_off & ~htons(IP_DF)))
> > h->ip_id = htons(ip_randomid());
> > +
> > + /* clear IP reserved flag */
> > + h->ip_off ^= htons(IP_RF);
> > }
> > 
> > 
> > On Wed, 7 Sep 2011 13:32:02 +0000, wrote:
> > 
> > >Avoid the branch... Don't need the "if"
> > >
> > >h->off &= ~htons(IP_RF);
> > >
> > >--jason wright
> > >------Original Message------
> > >From: Steffen Wendzel
> > >Sender: [email protected]
> > >To: [email protected]
> > >Subject: [patch] pf_norm: clear IPv4 reserved flag
> > >Sent: Sep 7, 2011 02:41
> > >
> > >Hi list,
> > >
> > >it would be nice, if the reserved flag in the IP would be
> > >cleared by pf_norm to eliminate covert channels using the
> > >bit. Here is a small patch for that.
> > >
> > >regards,
> > >Steffen
> > >
> > >Index: pf_norm.c
> > >===================================================================
> > >RCS file: /cvs/src/sys/net/pf_norm.c,v
> > >retrieving revision 1.140
> > >diff -u -p -r1.140 pf_norm.c
> > >--- pf_norm.c 18 Jul 2011 21:03:10 -0000 1.140
> > >+++ pf_norm.c 6 Sep 2011 15:40:48 -0000
> > >@@ -1454,4 +1454,8 @@ pf_scrub(struct mbuf *m, u_int16_t flags
> > > if (flags & PFSTATE_RANDOMID && af == AF_INET &&
> > > !(h->ip_off & ~htons(IP_DF)))
> > > h->ip_id = htons(ip_randomid());
> > >+
> > >+ /* clear IP reserved flag */
> > >+ if (h->ip_off & htons(IP_RF))
> > >+ h->ip_off ^= htons(IP_RF);
> > > }
> > 
> > --
> > My Website: http://www.wendzel.de, Openbook:
> > http://www.linux-openbook.de

--
With best regards / Mit freundlichen Grüßen

Steffen Wendzel
Dipl.Inf.(FH)

My website: http://www.wendzel.de
My blog: http://steffen-wendzel.blogspot.com
Our books: http://www.linux-openbook.de
Read the new Linux handbook for free: http://openbook.galileocomputing.de/linux/
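Review bot: In the first hunk quoted above (the new diff, `@@ -1454,4 +1454,7 @@`), the added line `h->ip_off ^= htons(IP_RF);` toggles the reserved bit instead of clearing it: on every packet that arrives with the bit clear, which is nearly all traffic, the scrub now sets it, so the normalizer would inject the very flag it is meant to strip and the covert channel is inverted rather than removed. Use `h->ip_off &= ~htons(IP_RF);` as the quoted reply suggests; it leaves the bit clear whatever its prior state and needs no branch. The new statement also sits outside the `af == AF_INET` condition that the random-id check on the context line carries, so for a non-IPv4 packet it would write into bytes of a header that is not a `struct ip`; guard it the same way.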
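Review bot: In the original patch's hunk (`@@ -1454,4 +1454,8 @@`), the guarded form `if (h->ip_off & htons(IP_RF)) h->ip_off ^= htons(IP_RF);` is correct, because the XOR only runs when the bit is known to be set, but the test is unnecessary: `h->ip_off &= ~htons(IP_RF);` yields the same result for both states of the bit in a single statement, as the reply in the thread points out. Like the other normalization visible on the context line, which is gated on a `PFSTATE_*` flag and on `af == AF_INET`, this one should be restricted to IPv4 and, for consistency with the rest of `pf_scrub`, be switched on by a scrub option rather than applied unconditionally.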
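As an added illustration of the point argued in the thread (example code written for this page, not OpenBSD's pf_norm.c), the following C program applies the three forms of the scrub that appear above, the unconditional XOR, the guarded XOR and the branch-free AND-NOT, to a set of constructed `ip_off` values and counts how many headers still carry the reserved flag afterwards. The `ip_hdr_stub` struct and the `apply_variant` and `count_rf_after` helpers are assumptions made for the example; the flag constants follow the usual BSD definitions and are only defined here when the system headers have not already provided them.

```c
/* Added example, not OpenBSD code: why clearing the IPv4 reserved flag
 * with XOR is wrong and AND-NOT is right. The header below is a
 * constructed, minimal stand-in for the kernel's struct ip. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>  /* htons, ntohs */

#ifndef IP_RF
#define IP_RF 0x8000    /* reserved fragment flag */
#endif
#ifndef IP_DF
#define IP_DF 0x4000    /* don't fragment */
#endif
#ifndef IP_MF
#define IP_MF 0x2000    /* more fragments */
#endif

/* Constructed stand-in for the flags/fragment-offset field of struct ip.
 * Stored in network byte order, as the kernel keeps it. */
struct ip_hdr_stub {
    uint16_t ip_off;
};

/* Variant 1: the unconditional XOR from the newer diff in the thread.
 * It toggles the bit: clears it when set, but sets it when it was clear. */
static void scrub_rf_xor(struct ip_hdr_stub *h)
{
    h->ip_off ^= htons(IP_RF);
}

/* Variant 2: the guarded XOR from the original patch. Correct, because the
 * XOR only runs when the bit is known to be set, but it needs a branch. */
static void scrub_rf_guarded_xor(struct ip_hdr_stub *h)
{
    if (h->ip_off & htons(IP_RF))
        h->ip_off ^= htons(IP_RF);
}

/* Variant 3: the branch-free AND-NOT suggested in the reply. Always leaves
 * the reserved bit clear and the other 15 bits untouched. */
static void scrub_rf_andnot(struct ip_hdr_stub *h)
{
    h->ip_off &= ~htons(IP_RF);
}

/* Returns 1 if the reserved flag is set in a network-order ip_off field. */
int rf_is_set(uint16_t ip_off_net)
{
    return (ip_off_net & htons(IP_RF)) != 0;
}

/* Apply one variant to a host-order ip_off value and return the host-order
 * result, so every bit of the outcome can be inspected. */
uint16_t apply_variant(int variant, uint16_t ip_off_host)
{
    struct ip_hdr_stub h = { htons(ip_off_host) };
    switch (variant) {
    case 1: scrub_rf_xor(&h); break;
    case 2: scrub_rf_guarded_xor(&h); break;
    case 3: scrub_rf_andnot(&h); break;
    default: break;
    }
    return ntohs(h.ip_off);
}

/* Count how many of the constructed sample headers still carry the reserved
 * flag after a variant has been applied; a correct normalizer leaves zero. */
int count_rf_after(int variant)
{
    /* Constructed sample ip_off values: RF set with DF, RF clear with DF,
     * RF set on a fragment with a non-zero offset, and a plain packet. */
    const uint16_t samples[] = {
        IP_RF | IP_DF,
        IP_DF,
        IP_RF | IP_MF | 0x0010,
        0,
    };
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (apply_variant(variant, samples[i]) & IP_RF)
            n++;
    return n;
}

int main(void)
{
    for (int v = 1; v <= 3; v++)
        printf("variant %d leaves RF set on %d of 4 headers\n",
            v, count_rf_after(v));
    return 0;
}
```

Running it shows variant 1 leaving the flag set on two of the four headers (exactly the two that arrived with it clear), while variants 2 and 3 leave none; the AND-NOT form achieves that without the branch, which is the whole of the reviewer's objection.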
