From 18d49fe1a85c0ff7a5e024b3e6f4b326b5d1936b Mon Sep 17 00:00:00 2001 From: ae Date: Mon, 19 Mar 2018 09:54:16 +0000 Subject: [PATCH] MFC r330792: Do not try to reassemble IPv6 fragments in "reass" rule. ip_reass() expects IPv4 packet and will just corrupt any IPv6 packets that it gets. Until proper IPv6 fragments handling function will be implemented, pass IPv6 packets to next rule. PR: 170604 git-svn-id: svn://svn.freebsd.org/base/stable/10@331202 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sbin/ipfw/ipfw.8 | 4 ++-- sys/netpfil/ipfw/ip_fw2.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index ba79c8c58..809f211c6 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 26, 2016 +.Dd March 12, 2018 .Dt IPFW 8 .Os .Sh NAME @@ -1016,7 +1016,7 @@ keyword with setdscp. If the tablearg value is not within the 0..64 range, lower 6 bits of supplied value are used. .It Cm reass -Queue and reassemble IP fragments. +Queue and reassemble IPv4 fragments. If the packet is not fragmented, counters are updated and processing continues with the next rule. If the packet is the last logical fragment, the packet is reassembled and, if diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index 76cdf92cd..fb66003e2 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -2461,8 +2461,10 @@ do { \ case O_REASS: { int ip_off; - IPFW_INC_RULE_COUNTER(f, pktlen); l = 0; /* in any case exit inner loop */ + if (is_ipv6) /* IPv6 is not supported yet */ + break; + IPFW_INC_RULE_COUNTER(f, pktlen); ip_off = ntohs(ip->ip_off); /* if not fragmented, go to next rule */ -- 2.45.0
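Review bot: In the sbin/ipfw/ipfw.8 hunk at the `.It Cm reass` entry, the text now says IPv4 only but never states what the rule does with an IPv6 packet. The commit message says IPv6 packets are passed to the next rule, and the ip_fw2.c change takes that path before the counter update, so the entry should add a sentence saying that IPv6 packets are not reassembled, do not update the rule counters, and continue with the next rule. Without it, someone reading a ruleset can assume every rule after `reass` only sees whole packets, which does not hold for IPv6 fragments.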
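Review bot: In the `case O_REASS:` hunk of sys/netpfil/ipfw/ip_fw2.c, moving `IPFW_INC_RULE_COUNTER(f, pktlen);` below the `if (is_ipv6)` break means IPv6 packets leave the rule uncounted, while the man page context in this same patch says a non-fragmented packet updates the counters before processing continues with the next rule. If that difference is intended, the comment `/* IPv6 is not supported yet */` should say so, for example that the packet is skipped without counting and handed to the next rule; if it is not intended, keep the counter update above the check. The early `break` also depends on `l = 0` having been assigned on the line before it, so it is worth noting in the comment that the assignment must stay ahead of the IPv6 check.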