Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: npf bug(?)
Christos Zoulas <christos%zoulas.com@localhost> writes:
> Current has been changed not to do reassembly for IPv6 so this will
> probably solve your problems. We found that the v6 reassembly code
> does not work properly. The patch is simple and should apply to -7.
...and is the change from 1.36 to 1.37 of both sys/net/npf/npf_inet.c
and sys/net/npf/npf_handler.c:
Index: sys/net/npf/npf_handler.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_handler.c,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- sys/net/npf/npf_handler.c 29 Jan 2017 00:15:54 -0000 1.36
+++ sys/net/npf/npf_handler.c 19 Feb 2017 20:27:22 -0000 1.37
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $ */
+/* $NetBSD: npf_handler.c,v 1.37 2017/02/19 20:27:22 christos Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -37,7 +37,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.36 2017/01/29 00:15:54 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_handler.c,v 1.37 2017/02/19 20:27:22 christos Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -129,7 +129,7 @@
npf_conn_t *con;
npf_rule_t *rl;
npf_rproc_t *rp;
- int error, decision;
+ int error, decision, flags;
uint32_t ntag;
npf_match_info_t mi;
@@ -155,9 +155,17 @@
rp = NULL;
/* Cache everything. Determine whether it is an IP fragment. */
- if (__predict_false(npf_cache_all(&npc) & NPC_IPFRAG)) {
+ flags = npf_cache_all(&npc);
+ if (__predict_false(flags & NPC_IPFRAG)) {
/*
- * Pass to IPv4 or IPv6 reassembly mechanism.
+ * We pass IPv6 fragments unconditionally
+ * The first IPv6 fragment is not marked as such
+ * and passes through the filter
+ */
+ if (flags & NPC_IP6)
+ return 0;
+ /*
+ * Pass to IPv4 reassembly mechanism.
*/
error = npf_reassembly(npf, &npc, mp);
if (error) {
Index: sys/net/npf/npf_inet.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_inet.c,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- sys/net/npf/npf_inet.c 26 Dec 2016 23:05:06 -0000 1.36
+++ sys/net/npf/npf_inet.c 19 Feb 2017 20:27:22 -0000 1.37
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_inet.c,v 1.36 2016/12/26 23:05:06 christos Exp $ */
+/* $NetBSD: npf_inet.c,v 1.37 2017/02/19 20:27:22 christos Exp $ */
/*-
* Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -40,7 +40,7 @@
#ifdef _KERNEL
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.36 2016/12/26 23:05:06 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_inet.c,v 1.37 2017/02/19 20:27:22 christos Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -355,6 +355,7 @@
case (IPV6_VERSION >> 4): {
struct ip6_hdr *ip6;
struct ip6_ext *ip6e;
+ struct ip6_frag *ip6f;
size_t off, hlen;
ip6 = nbuf_ensure_contig(nbuf, sizeof(struct ip6_hdr));
@@ -387,8 +388,21 @@
hlen = (ip6e->ip6e_len + 1) << 3;
break;
case IPPROTO_FRAGMENT:
+ ip6f = nbuf_ensure_contig(nbuf, sizeof(*ip6f));
+ if (ip6f == NULL)
+ return 0;
+ /*
+ * We treat the first fragment as a regular
+ * packet and then we pass the rest of the
+ * fragments unconditionally. This way if
+ * the first packet passes the rest will
+ * be able to reassembled, if not they will
+ * be ignored. We can do better later.
+ */
+ if (ntohs(ip6f->ip6f_offlg & IP6F_OFF_MASK) != 0)
+ flags |= NPC_IPFRAG;
+
hlen = sizeof(struct ip6_frag);
- flags |= NPC_IPFRAG;
break;
case IPPROTO_AH:
hlen = (ip6e->ip6e_len + 2) << 2;
-tih
--
Most people who graduate with CS degrees don't understand the significance
of Lisp. Lisp is the most important idea in computer science. --Alan Kay
Home |
Main Index |
Thread Index |
Old Index