FreeBSD/src
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2026-06-02 11:24:32 +00:00
Code Issues Projects Releases Wiki Activity

ipfw: fix IPv6 flow label matching

Browse Source 
* do not require just only ip6 proto for flow-id opcode in ipfw(8).
  ipv6-icmp, tcp, udp should be fine too.
* fix off-by-one bug leading to out-of-bounds read.
* apply IPV6_FLOWLABEL_MASK before comparison in flow6id_match(),
  so flow-id opcode will match a specified flow label. No need to
  take protocol version and traffic class into account.
* add the test to verify that opcode is working correctly.

Reviewed by:	pouria
Obtained from:	Yandex LLC
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D56869
This commit is contained in:
Boris Lytochkin
2026-05-12 10:44:10 +03:00
committed by Andrey V. Elsukov
parent e26b5e0749
commit 3d39eadcde
5 changed files with 95 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
sbin/ipfw/ipfw2.c
+1 -4
View File
@@ -5515,10 +5515,7 @@ read_options:
break;
case TOK_FLOWID:
if (proto != IPPROTO_IPV6 )
errx( EX_USAGE, "flow-id filter is active "
"only for ipv6 protocol\n");
fill_flow6( (ipfw_insn_u32 *) cmd, *av, cblen);
fill_flow6(insntod(cmd, u32), *av, cblen);
av++;
break;