| author | Alexander Langer <alex@FreeBSD.org> | 1998-02-13 01:58:13 +0000 |
|---|---|---|
| committer | Alexander Langer <alex@FreeBSD.org> | 1998-02-13 01:58:13 +0000 |
| commit | c080068bf4e07796ffed5f9d4bf538909bd83bd2 (patch) | |
| tree | 93d2a3182bb7654733e17fc781520b47bce0d0bc /sys/netinet | |
| parent | c6b074e9c0d7f7e23647e4b9bdfbaa5177f8c7cb (diff) | |
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_fw.c | 38 |
1 files changed, 35 insertions, 3 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 1ddf27fa75ad..f3699b5c01af 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
- * $Id: ip_fw.c,v 1.51.2.10 1998/01/05 00:14:54 alex Exp $
+ * $Id: ip_fw.c,v 1.51.2.11 1998/02/07 00:28:25 alex Exp $
 */
 /*
@@ -454,8 +454,18 @@ ip_fw_chk(struct ip **pip, int hlen,
 if (offset == 1) /* cf. RFC 1858 */
 goto bogusfrag;
- if (offset != 0) /* Flags, ports aren't valid */
+ if (offset != 0) {
+ /*
+ * TCP flags and ports aren't available in this
+ * packet -- if this rule specified either one,
+ * we consider the rule a non-match.
+ */
+ if (f->fw_nports != 0 ||
+ f->fw_tcpf != f->fw_tcpnf)
+ continue;
+
 break;
+ }
 PULLUP_TO(hlen + 14);
 tcp = (struct tcphdr *) ((u_long *)ip + ip->ip_hl);
 if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
@@ -469,8 +479,17 @@ ip_fw_chk(struct ip **pip, int hlen,
 {
 struct udphdr *udp;
- if (offset != 0) /* Ports aren't valid */
+ if (offset != 0) {
+ /*
+ * Port specification is unavailable -- if this
+ * rule specifies a port, we consider the rule
+ * a non-match.
+ */
+ if (f->fw_nports != 0)
+ continue;
+
 break;
+ }
 PULLUP_TO(hlen + 4);
 udp = (struct udphdr *) ((u_long *)ip + ip->ip_hl);
 src_port = ntohs(udp->uh_sport);
@@ -838,6 +857,19 @@ check_ipfw_struct(struct ip_fw *frwl)
 return(NULL);
 }
+ if ((frwl->fw_flg & IP_FW_F_FRAG) &&
+ (frwl->fw_prot == IPPROTO_UDP || frwl->fw_prot == IPPROTO_TCP)) {
+ if (frwl->fw_nports) {
+ dprintf(("%s cannot mix 'frag' and ports\n", err_prefix));
+ return(NULL);
+ }
+ if (frwl->fw_prot == IPPROTO_TCP &&
+ frwl->fw_tcpf != frwl->fw_tcpnf) {
+ dprintf(("%s cannot mix 'frag' with TCP flags\n", err_prefix));
+ return(NULL);
+ }
+ }
+
 /* Check command specific stuff */
 switch (frwl->fw_flg & IP_FW_F_COMMAND) {
|
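Review bot: The new block comment in the TCP case describes the per-rule decision but not the ruleset-level consequence, which is what an administrator needs to know: a non-first TCP fragment now skips (`continue`) every rule that names ports or TCP flags and can only be matched by a rule that names neither, so in a ruleset whose allow rules are all port-qualified it falls through to whatever rule follows them. Under the old `break` the same fragment matched the first port-qualified rule for its protocol and addresses, so port-qualified allow rules no longer pass fragments — the safer direction, but a behaviour change worth stating next to the code. I would extend the block comment with `* Consequence: a non-first fragment can only be matched by a rule carrying no port or flag qualifiers (e.g. a 'frag' rule); port-qualified allow rules no longer pass it.` ip_fw_chk starts and ends outside the hunk, so what follows the `break` after the switch is not visible here.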
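Review bot: On the new `break` path for a non-first UDP fragment, `src_port` and `dst_port` are left unassigned — in this hunk they are only set from the header after `PULLUP_TO(hlen + 4)` — so if anything after the switch reads them (port matching or logging of the matched rule), it presumably sees whatever the previous rule iteration stored, or an uninitialised value on the first rule. The old `break` had the same gap, but the new block is the natural place to close it: I would add `src_port = dst_port = 0;` immediately before the `break;`, or a comment recording that nothing downstream reads them for fragments. ip_fw_chk's body continues outside the hunk, so whether the values are read on this path cannot be confirmed from here.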
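Review bot: The new check in check_ipfw_struct fires only when `fw_prot` is TCP or UDP, so a `frag` rule for any other protocol whose `fw_nports` is non-zero is not rejected here; unless an earlier test in the function (outside the hunk, not visible) already refuses ports on non-TCP/UDP rules, the outer condition could simply be `if (frwl->fw_flg & IP_FW_F_FRAG) {`, since the inner flags test already checks `IPPROTO_TCP` itself. Both rejections also report through `dprintf` only, so the caller presumably sees a bare `NULL` with no hint of why; a rationale comment above the block would help whoever runs into it: `/* A non-first fragment carries no ports or TCP flags, so a 'frag' rule qualified by either could never match in ip_fw_chk. */`.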
