diff options
| author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-07-10 22:17:59 +0000 |
|---|---|---|
| committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-07-10 22:17:59 +0000 |
| commit | e74439ee98c4cc7caf1ed8a059e01977ba8a4036 (patch) | |
| tree | 847916d864bbde177df720fe9bfa5cade0a231c9 /sys/net | |
| parent | 6b21b1cf010b3a7755b13b895bf5d2a09393a005 (diff) | |
let IPv6 fragment go through based on normal rulesets.
TODO: sort-of normalization against fragments for inspection
ok dhartmei@
Diffstat (limited to 'sys/net')
| -rw-r--r-- | sys/net/pf.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index b7c1ddba665..2c215464ee9 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.235 2002/06/14 21:35:00 todd Exp $ */ +/* $OpenBSD: pf.c,v 1.236 2002/07/10 22:17:58 itojun Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3194,7 +3194,10 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp, do { switch (pd2.proto) { case IPPROTO_FRAGMENT: - /* XXX we don't handle fagments yet */ + /* + * ICMPv6 error messages for + * non-first fragments + */ return (PF_DROP); case IPPROTO_AH: case IPPROTO_HOPOPTS: @@ -4094,9 +4097,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0) do { switch (pd.proto) { case IPPROTO_FRAGMENT: - /* XXX we don't handle fragments yet */ - action = PF_DROP; - REASON_SET(&reason, PFRES_FRAG); + action = pf_test_fragment(&r, dir, ifp, m, h, &pd); + if (action == PF_DROP) + REASON_SET(&reason, PFRES_FRAG); goto done; case IPPROTO_AH: case IPPROTO_HOPOPTS: |