Final patch:

Index: pf_norm.c
===================================================================
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.140
diff -u -p -r1.140 pf_norm.c
--- pf_norm.c   18 Jul 2011 21:03:10 -0000      1.140
+++ pf_norm.c   8 Sep 2011 10:02:37 -0000
@@ -1454,4 +1454,7 @@ pf_scrub(struct mbuf *m, u_int16_t flags
        if (flags & PFSTATE_RANDOMID && af == AF_INET &&
            !(h->ip_off & ~htons(IP_DF)))
                h->ip_id = htons(ip_randomid());
+
+       /* clear IP reserved flag */
+       h->off &= ~htons(IP_RF);
 }
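Review bot: the added line `h->off &= ~htons(IP_RF);` names a field that does not exist in `struct ip`; the context lines two rows above use `h->ip_off`, so this hunk will not compile as posted. The mask form itself is the right one, and the line should read `h->ip_off &= ~htons(IP_RF);`. A second, smaller point: because the clear sits after the random-id block, a packet that arrives with RF set still fails `!(h->ip_off & ~htons(IP_DF))` and keeps its original ip_id; clearing RF before that check would let random-id apply to it as well.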

-Steffen



On Thu, 8 Sep 2011 06:48:01 +0200, Otto Moerbeek wrote:
On Wed, Sep 07, 2011 at 03:56:18PM +0200, Steffen Wendzel wrote:

Good idea, thx.

@OpenBSD-tech: here is the new diff.

Obviously not correct.

        -Otto


-Steffen

cvs server: Diffing .
Index: pf_norm.c
===================================================================
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.140
diff -u -p -r1.140 pf_norm.c
--- pf_norm.c   18 Jul 2011 21:03:10 -0000      1.140
+++ pf_norm.c   7 Sep 2011 13:52:18 -0000
@@ -1454,4 +1454,7 @@ pf_scrub(struct mbuf *m, u_int16_t flags
        if (flags & PFSTATE_RANDOMID && af == AF_INET &&
            !(h->ip_off & ~htons(IP_DF)))
                h->ip_id = htons(ip_randomid());
+
+       /* clear IP reserved flag */
+       h->ip_off ^= htons(IP_RF);
 }
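Review bot: `h->ip_off ^= htons(IP_RF);` toggles the bit instead of clearing it, so every packet that arrives with RF clear leaves pf_scrub with RF set, the opposite of the stated intent. The branch-free clear is `h->ip_off &= ~htons(IP_RF);`, the `&= ~` mask suggested upthread, applied to the field name the surrounding context already uses.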


On Wed, 7 Sep 2011 13:32:02 +0000,  wrote:
>Avoid the branch... Don't need the "if"
>
>h->off &= ~htons(IP_RF);
>
>--jason wright
>------Original Message------
>From: Steffen Wendzel
>Sender: [email protected]
>To: [email protected]
>Subject: [patch] pf_norm: clear IPv4 reserved flag
>Sent: Sep 7, 2011 02:41
>
>Hi list,
>
>it would be nice if the reserved flag in the IP header were
>cleared by pf_norm to eliminate covert channels using the
>bit. Here is a small patch for that.
>
>regards,
>Steffen
>
>Index: pf_norm.c
>===================================================================
>RCS file: /cvs/src/sys/net/pf_norm.c,v
>retrieving revision 1.140
>diff -u -p -r1.140 pf_norm.c
>--- pf_norm.c       18 Jul 2011 21:03:10 -0000      1.140
>+++ pf_norm.c       6 Sep 2011 15:40:48 -0000
>@@ -1454,4 +1454,8 @@ pf_scrub(struct mbuf *m, u_int16_t flags
>    if (flags & PFSTATE_RANDOMID && af == AF_INET &&
>        !(h->ip_off & ~htons(IP_DF)))
>            h->ip_id = htons(ip_randomid());
>+
>+   /* clear IP reserved flag */
>+   if (h->ip_off & htons(IP_RF))
>+           h->ip_off ^= htons(IP_RF);
> }
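Review bot: the `if (h->ip_off & htons(IP_RF))` guard before the XOR is redundant; `h->ip_off &= ~htons(IP_RF);` clears the bit in a single statement with no branch and reads more directly than test-then-toggle. The hunk is otherwise correct: the toggle only runs when the bit is set, so DF, MF and the fragment offset are left untouched.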

--
My Website: http://www.wendzel.de, Openbook:
http://www.linux-openbook.de

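To make the difference between the three proposals concrete, here is an added example (not code from the thread or from OpenBSD's pf_norm.c) that applies each variant to a constructed ip_off field and compares the results; `struct ip_stub`, the flag constants and the helper names are assumptions of this example.

```c
/* Added example, not from the thread or pf_norm.c: apply each proposed IP_RF clear. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Flag bits of ip_off, host order (same values as <netinet/ip.h>) */
#define IP_RF      0x8000   /* reserved flag */
#define IP_DF      0x4000   /* don't fragment */
#define IP_MF      0x2000   /* more fragments */
#define IP_OFFMASK 0x1fff   /* fragment offset */

/* Stand-in for struct ip with only the field the patches touch. */
struct ip_stub {
	uint16_t ip_off;    /* network byte order, as on the wire */
};

/* First patch: test, then toggle. Correct, but the test is redundant. */
void clear_rf_branch_xor(struct ip_stub *h)
{
	if (h->ip_off & htons(IP_RF))
		h->ip_off ^= htons(IP_RF);
}

/* Second patch: unconditional toggle. Sets RF on packets that lacked it. */
void clear_rf_xor(struct ip_stub *h)
{
	h->ip_off ^= htons(IP_RF);
}

/* Mask form suggested upthread, with the real field name: branch-free clear. */
void clear_rf_mask(struct ip_stub *h)
{
	h->ip_off &= ~htons(IP_RF);
}

/* Run one variant on a host-order ip_off value; return the host-order result. */
uint16_t apply(void (*fn)(struct ip_stub *), uint16_t ip_off_host)
{
	struct ip_stub h = { htons(ip_off_host) };
	fn(&h);
	return ntohs(h.ip_off);
}

/* 1 if RF ended up clear and DF/MF/offset were left untouched, else 0. */
int rf_cleared_rest_kept(uint16_t before, uint16_t after)
{
	uint16_t keep = IP_DF | IP_MF | IP_OFFMASK;
	return (after & IP_RF) == 0 && (after & keep) == (before & keep);
}
```

Running the XOR variant over a packet with RF clear is the case Otto objected to: the bit comes back set.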
