stack compliance pf_send_reset()

[Philipp Buehler <philipp_(_at_)_buehler_(_dot_)_de>]

Hi,

ip_output.c will keep the DF bit, it was set by the caller.

pf_send_rest() doesnt do so, the following patch would help:


--- sys/net/pf.c.orig	Thu Jun  6 23:26:24 2002
+++ sys/net/pf.c	Fri Jun  7 00:34:26 2002
@@ -224,7 +224,7 @@
 			    u_int16_t *, u_int16_t *, u_int16_t *,
 			    u_int16_t *, u_int8_t, int);
 void			 pf_send_reset(int, struct tcphdr *,
-			    struct pf_pdesc *, int);
+			    struct pf_pdesc *, int, struct mbuf *);
 void			 pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, int);
 u_int16_t		 pf_map_port_range(struct pf_rdr *, u_int16_t);
 struct pf_nat		*pf_get_nat(struct ifnet *, u_int8_t,
@@ -2739,12 +2739,13 @@
 }
 
 void
-pf_send_reset(int off, struct tcphdr *th, struct pf_pdesc *pd, int af)
+pf_send_reset(int off, struct tcphdr *th, struct pf_pdesc *pd, int af, struct mbuf *m_old)
 {
 	struct mbuf *m;
 	struct m_tag *mtag;
 	int len;
 #ifdef INET
+	struct ip *h;
 	struct ip *h2;
 #endif /* INET */
 #ifdef INET6
@@ -2832,6 +2833,9 @@
 	switch (af) {
 #ifdef INET
 	case AF_INET:
+		/* catch ip header of old/incoming packet) */
+		h = mtod(m_old, struct ip *);
+
 		/* TCP checksum */
 		th2->th_sum = in_cksum(m, len);
 
@@ -2841,7 +2845,7 @@
 		h2->ip_ttl = ip_defttl;
 		h2->ip_sum = 0;
 		h2->ip_len = len;
-		h2->ip_off = 0;
+		h2->ip_off = h->ip_off & IP_DF;
 		ip_output(m, NULL, NULL, 0, NULL, NULL);
 		break;
 #endif /* INET */
@@ -3398,7 +3402,7 @@
 				rewrite++;
 			}
 			if ((*rm)->rule_flag & PFRULE_RETURNRST)
-				pf_send_reset(off, th, pd, af);
+				pf_send_reset(off, th, pd, af, m);
 			else
 				pf_send_icmp(m, (*rm)->return_icmp >> 8,
 				    (*rm)->return_icmp & 255, af);

thx to dhartmei@ for discussion

ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p> 

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?