reassembled packets and pfil

[Matthew Luckie]

Hi

Reassembled packets are not passed to the packet filter interface for
both IPv4 and IPv6, so a firewall has no effect if the packets arrive
in fragments. Here is a patch to fix this for IPv6. The patch for
IPv4 is similarly trivial, but I have not written / tested it yet.

Is there any particular reason why reassembled packets were not
checked? If the answer is no, I'll send in a PR.

I've tested the patch below.

Matthew

--- sys/netinet6/frag6.c.orig 2008-11-25 15:59:29.000000000 +1300
+++ sys/netinet6/frag6.c 2010-04-13 13:21:02.000000000 +1200
@@ -46,6 +46,7 @@ __FBSDID("$FreeBSD: src/sys/netinet6/fra

#include <net/if.h>
#include <net/route.h>
+#include <net/pfil.h>

#include <netinet/in.h>
#include <netinet/in_var.h>
@@ -568,6 +569,13 @@ insert:
*offp = offset;

IP6Q_UNLOCK();
+
+ if (PFIL_HOOKED(&inet6_pfil_hook) &&
+ (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) ||
+ m == NULL)) {
+ return IPPROTO_DONE;
+ }
+
return nxt;

dropfrag: