From 8bbec60f6bba3fbcb7fbe69fd8b08bc75242789a Mon Sep 17 00:00:00 2001 From: cy Date: Wed, 26 Apr 2017 02:37:25 +0000 Subject: [PATCH] MFC r316810, r316814, r316816, r316991: Keep state incorrectly assumes keep frags. This is counter to the ipfilter man pages. This also currently restricts keep frags to only when keep state is used, which is redundant because keep state currently assumes keep frags. This commit fixes this. To the user this change means that to maintain the current behaviour one must add keep frags to any ipfilter keep state rule (as documented in the man pages). This patch also allows the flexibility to specify and use keep frags separate from keep state, as documented in an example in ipf.conf.5, instead of the currently broken behaviour. MFC suggested by: rgrimes Relnotes: yes git-svn-id: svn://svn.freebsd.org/base/stable/10@317434 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 9 +++++++++ sys/contrib/ipfilter/netinet/fil.c | 2 +- sys/contrib/ipfilter/netinet/ip_state.c | 3 ++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/UPDATING b/UPDATING index ac5d36481..bcc948f22 100644 --- a/UPDATING +++ b/UPDATING @@ -16,6 +16,15 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20170413: + As of r316810 for ipfilter, keep frags is no longer assumed when + keep state is specified in a rule. r316810 aligns ipfilter with + documentation in man pages separating keep frags from keep state. + This allows keep state to specified without forcing keep frags + and allows keep frags to be specified independently of keep state. + To maintain previous behaviour, also specify keep frags with + keep state (as documented in ipf.conf.5). + 20170323: The code that provides support for ZFS .zfs/ directory functionality has been reimplemented. It's not possible now to create a snapshot
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 55a2a4d76..00e4a811d 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -2752,7 +2752,7 @@ ipf_firewall(fin, passp) * If the rule has "keep frag" and the packet is actually a fragment, * then create a fragment state entry. */ - if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { + if (pass & FR_KEEPFRAG) { if (fin->fin_flx & FI_FRAG) { if (ipf_frag_new(softc, fin, pass) == -1) { LBUMP(ipf_stats[out].fr_bnfr); diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index 2ceec3262..0d90505cf 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -3408,7 +3408,8 @@ ipf_state_check(fin, passp) * If this packet is a fragment and the rule says to track fragments, * then create a new fragment cache entry. */ - if ((fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass)) + if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) && + is->is_pass & FR_KEEPFRAG) (void) ipf_frag_new(softc, fin, is->is_pass); /* -- 2.45.0
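Review bot: the UPDATING hunk's fourth added line, "This allows keep state to specified without forcing keep frags", is missing a word; suggest "This allows keep state to be specified without forcing keep frags". Since the commit is marked Relnotes: yes, this entry is what an administrator will read when stateful rules stop matching fragments after the upgrade, so it should read cleanly.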
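Review bot: in the fil.c hunk, relaxing the test from `(pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG` to `pass & FR_KEEPFRAG` means a rule carrying both keep frags and keep state now reaches ipf_frag_new() on this path in ipf_firewall(), and a later fragment that matches the state entry created by that rule reaches the ipf_frag_new() call in ipf_state_check() as well. The old form excluded the keep state case from this path entirely; a sentence in the commit message or in the comment above the test confirming that ipf_frag_new() tolerates an existing entry for the same fragment (or that the two paths cannot both fire for one fragment) would make the change easier to review.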
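Review bot: the new condition in the ip_state.c hunk mixes bitwise and logical operators without parentheses: `if (fin->fin_flx & FI_FRAG && FR_ISPASS(is->is_pass) &&` / `is->is_pass & FR_KEEPFRAG)`. It evaluates correctly because `&` binds tighter than `&&`, but the line it replaces parenthesised `(fin->fin_flx & FI_FRAG)`, and the matching test in fil.c is parenthesised too; suggest `(fin->fin_flx & FI_FRAG) && FR_ISPASS(is->is_pass) && (is->is_pass & FR_KEEPFRAG)` for consistency and readability. Separately, the result of ipf_frag_new() is still discarded with `(void)` here, whereas the fil.c path checks for -1 and bumps ipf_stats[out].fr_bnfr; if a failed fragment-table insert on the state path should be counted as well, this hunk is the place to do it.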