FreeBSD Bugzilla – Attachment 179727 Details for
Bug 203275
ipfilter IPv6 checksum error with stateful inspecition
[patch]
This patch is a little closer to what pf does when ipv6 cksum is zero.
ip6-cksum.diff (text/plain), 3.81 KB, created by
Cy Schubert
on 2017-02-07 21:03:03 UTC
Description:
This patch is a little closer to what pf does when ipv6 cksum is zero.
Filename:
MIME Type:
Creator:
Cy Schubert
Created:
2017-02-07 21:03:03 UTC
Size:
3.81 KB
patch
obsolete
>Index: contrib/ipfilter/ip_fil.c
>===================================================================
>--- contrib/ipfilter/ip_fil.c (revision 313382)
>+++ contrib/ipfilter/ip_fil.c (working copy)
>@@ -864,6 +864,37 @@
> }
>
>
>+u_int
>+ipf_pcksum6(fin, ip6, off, len)
>+ fr_info_t *fin;
>+ ip6_t *ip6;
>+ u_int32_t off;
>+ u_int32_t len;
>+{
>+ u_short *sp;
>+ u_int sum;
>+
>+ sp = (u_short *)&ip6->ip6_src;
>+ sum = *sp++; /* ip6_src */
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++; /* ip6_dst */
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ sum += *sp++;
>+ return(ipf_pcksum(fin, off, sum));
>+}
>+
>+
> void *
> ipf_pullup(m, fin, plen)
> mb_t *m;
>Index: sys/contrib/ipfilter/netinet/fil.c
>===================================================================
>--- sys/contrib/ipfilter/netinet/fil.c (revision 313382)
>+++ sys/contrib/ipfilter/netinet/fil.c (working copy)
>@@ -3465,8 +3465,11 @@
> sum += *sp++;
> sum += *sp++; /* ip_dst */
> sum += *sp++;
>+ slen = fin->fin_plen - off;
>+ sum += htons(slen);
> #ifdef USE_INET6
> } else if (IP_V(ip) == 6) {
>+#if 0
> ip6 = (ip6_t *)ip;
> hlen = sizeof(*ip6);
> off = ((char *)fin->fin_dp - (char *)fin->fin_ip);
>@@ -3488,12 +3491,19 @@
> sum += *sp++;
> sum += *sp++;
> sum += *sp++;
>+#else
>+ mb_t *m;
>+
>+ m = fin->fin_m;
>+ ip6 = (ip6_t *)ip;
>+ off = ((caddr_t)ip6 - m->m_data) + sizeof(struct ip6_hdr);
>+ int len = ntohs(ip6->ip6_plen) - (off - sizeof(*ip6));
>+ return(ipf_pcksum6(fin, ip6, off, len));
>+#endif
> } else {
> return 0xffff;
> }
> #endif
>- slen = fin->fin_plen - off;
>- sum += htons(slen);
>
> switch (l4proto)
> {
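Review bot: The `len` argument of the userland `ipf_pcksum6()` added to contrib/ipfilter/ip_fil.c is never read, and the seed it builds covers only the sixteen address words; the upper-layer length and next-header fields of the IPv6 pseudo-header are not added in this hunk. Unless `ipf_pcksum()` supplies them (not visible here), this version will disagree with the kernel version in ip_fil_freebsd.c, which delegates to `in6_cksum()`, so a userland test build would not exercise the same accept/reject decisions as the kernel. Either fold the length and `ip6->ip6_nxt` into `sum`, or document the gap in place with `/* len unused: only the addresses are summed here */`. The sixteen `sum += *sp++;` statements would also be easier to audit as a loop bounded by `sizeof(ip6->ip6_src) + sizeof(ip6->ip6_dst)`.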
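Review bot: In the `@@ -3488` hunk of fil.c, `len` is derived from the packet-supplied `ip6->ip6_plen` with no comparison against the data actually present in the mbuf, and it is a signed `int` that is then passed as `u_int32_t`; when `ip6_plen` is smaller than `off - sizeof(*ip6)` the value goes negative and arrives as a very large length. Reject that before the call, at minimum `if (len <= 0) return 0xffff;`, and add an upper bound against the real packet length (which field is authoritative is outside this hunk). The branch also sets `off` to just past the fixed header where the disabled code used `fin->fin_dp`, and the callee passes `ip6_nxt` as the protocol, so packets carrying extension headers look like they would be summed from the wrong offset with the wrong protocol number. The enclosing function begins and ends outside the hunk.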
>@@ -6697,6 +6707,12 @@
> if ((fin->fin_flx & (FI_FRAG|FI_SHORT|FI_BAD)) != 0)
> return 1;
>
>+ DT2(l4sumo, int, fin->fin_out, int, (int)fin->fin_p);
>+ if (fin->fin_out == 1) {
>+ fin->fin_cksum = FI_CK_SUMOK;
>+ return 0;
>+ }
>+
> csump = NULL;
> hdrsum = 0;
> dosum = 0;
>@@ -6719,10 +6735,15 @@
>
> #ifdef USE_INET6
> case IPPROTO_ICMPV6 :
>+#if 0
> csump = &((struct icmp6_hdr *)fin->fin_dp)->icmp6_cksum;
> dosum = 1;
> break;
>+#else
>+ fin->fin_cksum = FI_CK_SUMOK;
>+ return 0;
> #endif
>+#endif
>
> case IPPROTO_ICMP :
> csump = &((struct icmp *)fin->fin_dp)->icmp_cksum;
>@@ -6748,7 +6769,7 @@
> }
> #endif
> DT2(l4sums, u_short, hdrsum, u_short, sum);
>- if (hdrsum == sum) {
>+ if (hdrsum == sum || sum == 0) {
> fin->fin_cksum = FI_CK_SUMOK;
> return 0;
> }
>Index: sys/contrib/ipfilter/netinet/ip_fil.h
>===================================================================
>--- sys/contrib/ipfilter/netinet/ip_fil.h (revision 313382)
>+++ sys/contrib/ipfilter/netinet/ip_fil.h (working copy)
>@@ -1937,6 +1937,8 @@
> struct icmp *, int));
> extern u_32_t ipf_newisn __P((fr_info_t *));
> extern u_int ipf_pcksum __P((fr_info_t *, int, u_int));
>+extern u_int ipf_pcksum6 __P((fr_info_t *, ip6_t *,
>+ u_int32_t, u_int32_t));
> extern void ipf_rule_expire __P((ipf_main_softc_t *));
> extern int ipf_scanlist __P((fr_info_t *, u_32_t));
> extern frentry_t *ipf_srcgrpmap __P((fr_info_t *, u_32_t *));
>Index: sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
>===================================================================
>--- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c (revision 313382)
>+++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c (working copy)
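Review bot: Two new early returns set `fin->fin_cksum = FI_CK_SUMOK` without computing anything: the `fin->fin_out == 1` block in the `@@ -6697` hunk does so for every outbound packet, and the `#else` arm under `case IPPROTO_ICMPV6` in the `@@ -6719` hunk does so for all ICMPv6, inbound included. Skipping outbound verification is defensible where the checksum is filled in later by the stack or the NIC, but the ICMPv6 arm means corrupted ICMPv6 is reported as verified to whatever consults `fin_cksum` afterwards (presumably the state and NAT code, which is not visible here). If this is a stop-gap, record it in place, e.g. `/* XXX ICMPv6 checksum not verified, see PR 203275 */`, and drop the `#if 0` body once the real path is fixed rather than keeping both. Whether forwarded packets also take the `fin_out == 1` return cannot be told from this hunk and is worth confirming.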
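Review bot: The `|| sum == 0` added in the `@@ -6748` hunk applies to every protocol and address family that reaches this comparison, not only to the IPv6 path that now returns the `in6_cksum()` result. For IPv6 a zero result plausibly means the packet verified, but on the IPv4 path `sum` appears to be a recomputed checksum, so a packet whose computed value happens to be zero would be accepted even when `hdrsum` differs. Scoping the relaxation, for example `if (hdrsum == sum || (fin->fin_v == 6 && sum == 0)) {`, keeps it to the case it was written for. The rest of the function lies outside the hunk, so confirm how `sum` is produced on each path.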
>@@ -1482,3 +1482,25 @@
> sum2 = ~sum & 0xffff;
> return sum2;
> }
>+
>+u_int
>+ipf_pcksum6(fin, ip6, off, len)
>+ fr_info_t *fin;
>+ ip6_t *ip6;
>+ u_int32_t off;
>+ u_int32_t len;
>+{
>+ struct mbuf *m;
>+ int sum;
>+
>+ m = fin->fin_m;
>+ if (m->m_len < sizeof(struct ip6_hdr)) {
>+ return 0xffff;
>+ }
>+
>+ sum = in6_cksum(m, ip6->ip6_nxt, off, len);
>+#if 0
>+ KASSERT(sum != 0, ("ipf_pcksum6 sum == 0"));
>+#endif
>+ return(sum);
>+}
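Review bot: The only validation before `in6_cksum()` is `m->m_len < sizeof(struct ip6_hdr)`, which inspects the first mbuf and says nothing about whether `off + len` lies inside the packet, while `len` comes from the caller's arithmetic on `ip6_plen`. A bound in this function, e.g. `if (len > m->m_pkthdr.len || off > m->m_pkthdr.len - len) return 0xffff;` (assuming the mbuf carries a packet header), would make it safe independently of its callers. `0xffff` is also used here as the failure value although it is a legitimate checksum value, and the caller in fil.c accepts when `hdrsum == sum`, so a short packet carrying `0xffff` in its checksum field may compare equal; a distinct error indication would avoid that. `int sum` should be `u_int` to match the return type, and the `#if 0` KASSERT should be removed or enabled rather than committed disabled.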
Attachments on
bug 203275
:
161294
|
168524
|
178202
|
179344
| 179727