Recent change to frag regressed backward compatibility.
Handle the case when there is an option after "frag" which is not a frag token.
Details
Details
Try ipfw add 00330 deny all from any to any frag in via wlan0
(example from: https://www.freebsd.org/doc/handbook/firewalls-ipfw.html)
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Skipped - Unit
Tests Skipped
Event Timeline
Comment Actions
An attempt to also handle "!" with frag options and options like !via
(I hope review comment edits do not make new notifications)
Tested with:
ipfw add deny all from any to any frag ipfw add deny all from any to any frag df ipfw add deny all from any to any frag df,mf ipfw add deny all from any to any frag !df ipfw add deny all from any to any frag !df,mf ipfw add deny all from any to any frag !df,!mf ipfw add deny all from any to any frag in ipfw add deny all from any to any frag !in ipfw add deny all from any to any frag out ipfw add deny all from any to any frag !out ipfw add deny all from any to any frag via wlan0 ipfw add deny all from any to any frag !via wlan0 ipfw add deny all from any to any frag not via wlan0
Comment Actions
I think this patch is too complicated. Can you properly test this patch instead? https://people.freebsd.org/~ae/ipfw_frag.diff
Comment Actions
That's a good approach.
You need to explicitly set "clear" in the compatibility branch, too.
Comment Actions
I tested (ipfw add / ipfw show) ipfw_frag.diff and your approach works.
It also looks miles better. When you commit ipfw_frag.diff, please close this review. Thanks.
Comment Actions
For reliability, also tested with http://icmpcheckv6.popcount.org/ and http://icmpcheck.popcount.org/.
Rule counter increments and fragments were dropped with a legacy rule.