From 2830eb5a462209e20f30d7799a35d1c9d393e732 Mon Sep 17 00:00:00 2001
From: Bruce M Simpson
Date: Tue, 25 Nov 2003 14:08:02 +0000
Subject: [PATCH] Supersedes ports/59442 and previous hasty-fix, and fixes the following:
- Build with __FreeBSD_version > 501114 (see bms commit)
- Build with new route.h (no RTF_PRCLONING)
- Don't use hardware assistance on framentation when DF is set.
- Allow pftcpdump -w to be used with pfsync.
Found-by: bento / Pyun YongHyeon
Submitted by: Max Laier
PR: ports/59548
---
 security/pf/Makefile | 5 +-
 security/pf/files/extra-patch-pf::pf.c | 22 ------
 security/pf/files/patch-ac | 98 ++++++++++++++++++++++++++
 security/pf/files/patch-ad | 23 ++++++
 4 files changed, 122 insertions(+), 26 deletions(-)
 delete mode 100644 security/pf/files/extra-patch-pf::pf.c
 create mode 100644 security/pf/files/patch-ac
 create mode 100644 security/pf/files/patch-ad
diff --git a/security/pf/Makefile b/security/pf/Makefile
index 3e3aeaff2596..7ebf07fa1177 100644
--- a/security/pf/Makefile
+++ b/security/pf/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME= pf_freebsd
 PORTVERSION= 2.00
+PORTREVISION= 1
 CATEGORIES= security ipv6
 MASTER_SITES= http://pf4freebsd.love2party.net/
 .if defined(WITH_ALTQ) && (${WITH_ALTQ} == "yes")
@@ -50,10 +51,6 @@ PLIST_SUB+= WITH_ALTQ="@comment "
 IGNORE= "Only for 5.0 and above"
 .endif
 
-.if ${OSVERSION} >= 501114
-EXTRA_PATCHES+= ${PATCHDIR}/extra-patch-pf::pf.c
-.endif
-
 .if !exists(${SRC_BASE}/sys/Makefile) && \
 (defined(WITH_ALTQ) && !exists(${SYS_ALTQ}/Makefile))
 IGNORE= "Kernel source files required"
diff --git a/security/pf/files/extra-patch-pf::pf.c b/security/pf/files/extra-patch-pf::pf.c
deleted file mode 100644
index 30be4db7683e..000000000000
--- a/security/pf/files/extra-patch-pf::pf.c
+++ /dev/null
@@ -1,22 +0,0 @@ -Update pf to be more in line with current TCP stack behaviour at -5.2 code freeze point after andre's initial commit to decouple -protocol-level stats from routing. -- bms@FreeBSD.org - ---- pf/pf.c.orig Wed Nov 19 11:51:34 2003 -+++ pf/pf.c Wed Nov 19 11:53:42 2003 -@@ -1376,14 +1376,10 @@ - */ - NTOHS(ip->ip_len); - NTOHS(ip->ip_off); -- ip_rtaddr(ip->ip_dst, &ro); - PF_UNLOCK(); -- ip_output(m, (void *)NULL, &ro, 0, (void *)NULL, -+ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, - (void *)NULL); - PF_LOCK(); -- if(ro.ro_rt) { -- RTFREE(ro.ro_rt); -- } - #else - ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, - (void *)NULL); diff --git a/security/pf/files/patch-ac b/security/pf/files/patch-ac new file mode 100644 index 000000000000..ae562f0605d3 --- /dev/null +++ b/security/pf/files/patch-ac 
@@ -0,0 +1,98 @@
+--- pf/pf.c.orig Fri Nov 21 14:32:14 2003
++++ pf/pf.c Fri Nov 21 14:32:33 2003
+@@ -1250,8 +1250,10 @@
+ struct tcphdr *th;
+ #if defined(__FreeBSD__)
+ struct ip *ip;
++#if (__FreeBSD_version < 501114)
+ struct route ro;
+ #endif
++#endif
+ char *opt;
+ 
+ /* maximum segment size tcp option */
+@@ -1366,7 +1368,6 @@
+ h->ip_ttl = ttl ? ttl : ip_defttl;
+ h->ip_sum = 0;
+ #if defined(__FreeBSD__)
+- bzero(&ro, sizeof(ro));
+ ip = mtod(m, struct ip *);
+ /*
+ * XXX
+@@ -1376,6 +1377,8 @@
+ */
+ NTOHS(ip->ip_len);
+ NTOHS(ip->ip_off);
++#if (__FreeBSD_version < 501114)
++ bzero(&ro, sizeof(ro));
+ ip_rtaddr(ip->ip_dst, &ro);
+ PF_UNLOCK();
+ ip_output(m, (void *)NULL, &ro, 0, (void *)NULL,
+@@ -1384,7 +1387,13 @@
+ if(ro.ro_rt) {
+ RTFREE(ro.ro_rt);
+ }
+-#else
++#else /* __FreeBSD_version >= 501114 */
++ PF_UNLOCK();
++ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
++ (void *)NULL);
++ PF_LOCK();
++#endif
++#else /* ! __FreeBSD__ */
+ ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL,
+ (void *)NULL);
+ #endif
+@@ -2354,8 +2363,12 @@
+ dst->sin_len = sizeof(*dst);
+ dst->sin_addr = addr->v4;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign(&ro, (RTF_CLONING | RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign(&ro, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone(&ro, NO_CLONING);
+ #endif
+ rt = ro.ro_rt;
+@@ -2370,9 +2383,13 @@
+ dst6->sin6_len = sizeof(*dst6);
+ dst6->sin6_addr = addr->v6;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign((struct route *)&ro6,
+ (RTF_CLONING | RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign((struct route *)&ro6, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone((struct route *)&ro6, NO_CLONING);
+ #endif
+ rt = ro6.ro_rt;
+@@ -4731,8 +4748,12 @@
+ dst->sin_len = sizeof(*dst);
+ dst->sin_addr = addr->v4;
+ #if defined(__FreeBSD__)
++#ifdef RTF_PRCLONING
+ rtalloc_ign(&ro, (RTF_CLONING|RTF_PRCLONING));
+-#else
++#else /* !RTF_PRCLONING */
++ rtalloc_ign(&ro, RTF_CLONING);
++#endif
++#else /* ! __FreeBSD__ */
+ rtalloc_noclone(&ro, NO_CLONING);
+ #endif
+ 
+@@ -5044,7 +5065,8 @@
+ m0->m_pkthdr.csum_flags &= ifp->if_hwassist;
+ 
+ if (ntohs(ip->ip_len) <= ifp->if_mtu ||
+- ifp->if_hwassist & CSUM_FRAGMENT) {
++ (ifp->if_hwassist & CSUM_FRAGMENT &&
++ ((ip->ip_off & htons(IP_DF)) == 0))) {
+ /*
+ * ip->ip_len = htons(ip->ip_len);
+ * ip->ip_off = htons(ip->ip_off);
diff --git a/security/pf/files/patch-ad b/security/pf/files/patch-ad
new file mode 100644
index 000000000000..8473380dac8e
--- /dev/null
+++ b/security/pf/files/patch-ad
@@ -0,0 +1,23 @@
+--- freebsd_libpcap/savefile.c.orig Fri Nov 21 14:35:34 2003
++++ freebsd_libpcap/savefile.c Fri Nov 21 14:35:46 2003
+@@ -178,6 +178,9 @@
+ #define LINKTYPE_HDLC 112 /* NetBSD HDLC framing */
+ #define LINKTYPE_IPFILTER 116 /* IP Filter capture files */
+ #define LINKTYPE_PFLOG 117 /* OpenBSD DLT_PFLOG */
++#if defined(DLT_PFSYNC)
++#define LINKTYPE_PFSYNC DLT_PFSYNC
++#endif
+ 
+ static struct linktype_map {
+ int dlt;
+@@ -271,6 +274,10 @@
+ * defining DLT_* values that collide with those
+ * LINKTYPE_* values, either).
+ */
++ { DLT_PFLOG, LINKTYPE_PFLOG },
++#if defined(DLT_PFSYNC)
++ { DLT_PFSYNC, LINKTYPE_PFSYNC },
++#endif
+ { -1, -1 }
+ };
+ 
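Review bot: In the `@@ -5044,7 +5065,8 @@` hunk of patch-ac the new condition `(ifp->if_hwassist & CSUM_FRAGMENT && ((ip->ip_off & htons(IP_DF)) == 0))` relies on `&` binding tighter than `&&`; it parses as intended, but the DF test is fully parenthesised while the CSUM_FRAGMENT test is not, so `((ifp->if_hwassist & CSUM_FRAGMENT) && (ip->ip_off & htons(IP_DF)) == 0)` would read symmetrically and not depend on the reader recalling precedence. The branch also carries no why-comment; a line such as `/* DF set: do not hand an oversize packet to hardware fragmentation, let the software path handle it */` would record the intent, which presumably is that an oversize DF packet gets refused rather than silently fragmented — the software path is not in the hunk, so that should be confirmed. The `#ifdef RTF_PRCLONING` / `rtalloc_ign(..., RTF_CLONING)` fallback is repeated verbatim in the `-2354`, `-2370` and `-4731` hunks and could be a single helper macro. The functions these hunks patch start and end outside the hunks.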
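Review bot: In the first hunk of patch-ad `LINKTYPE_PFSYNC` is defined as the local `DLT_PFSYNC` value rather than a fixed registered number like the `LINKTYPE_PFLOG 117` line above it, so the link type written into savefiles depends on the build's DLT numbering — the kind of collision the comment fragment in the second hunk (`defining DLT_* values that collide with those LINKTYPE_* values`) warns against. If this is a deliberate local extension, say so next to the define: `/* XXX not a registered LINKTYPE_ value; savefiles are only readable by builds sharing this DLT_PFSYNC */`. The new `{ DLT_PFLOG, LINKTYPE_PFLOG }` entry is unguarded while the `DLT_PFSYNC` entry is wrapped in `#if defined(DLT_PFSYNC)`; if `DLT_PFLOG` is guaranteed by the bundled headers, a short comment saying so would stop the next reader from adding a guard. The `linktype_map` table begins outside the hunk.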