Print this page 
Only exploit ipf state keeping for CFW logging.


2571                         break;
2572                 }
2573 
2574                 if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
2575                         if (fr_updateipid(fin) == -1) {
2576                                 IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
2577                                 pass &= ~FR_CMDMASK;
2578                                 pass |= FR_BLOCK;
2579                         } else {
2580                                 IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
2581                         }
2582                 }
2583         }
2584 
2585 #ifdef  IPFILTER_LOG
2586         if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
2587                 (void) fr_dolog(fin, &pass);
2588         }
2589 #endif
2590 



2591         /*
2592          * The FI_STATE flag is cleared here so that calling fr_checkstate
2593          * will work when called from inside of fr_fastroute.  Although
2594          * there is a similar flag, FI_NATED, for NAT, it does have the same
2595          * impact on code execution.
2596          */
2597         fin->fin_flx &= ~FI_STATE;
2598 
2599         /*
2600          * Only allow FR_DUP to work if a rule matched - it makes no sense to
2601          * set FR_DUP as a "default" as there are no instructions about where
2602          * to send the packet.  Use fin_m here because it may have changed
2603          * (without an update of 'm') in prior processing.
2604          */
2605         if ((fr != NULL) && (pass & FR_DUP)) {
2606                 mc = M_DUPLICATE(fin->fin_m);
2607 #ifdef _KERNEL
2608                 mc->b_rptr += fin->fin_ipoff;
2609 #endif
2610         }




2571                         break;
2572                 }
2573 
2574                 if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
2575                         if (fr_updateipid(fin) == -1) {
2576                                 IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
2577                                 pass &= ~FR_CMDMASK;
2578                                 pass |= FR_BLOCK;
2579                         } else {
2580                                 IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
2581                         }
2582                 }
2583         }
2584 
2585 #ifdef  IPFILTER_LOG
2586         if ((ifs->ifs_fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
2587                 (void) fr_dolog(fin, &pass);
2588         }
2589 #endif
2590 
2591         if (IFS_CFWLOG(ifs) && FR_ISBLOCK(pass))
2592                 ipf_block_cfwlog(fr, fin, ifs);
2593 
2594         /*
2595          * The FI_STATE flag is cleared here so that calling fr_checkstate
2596          * will work when called from inside of fr_fastroute.  Although
2597          * there is a similar flag, FI_NATED, for NAT, it does have the same
2598          * impact on code execution.
2599          */
2600         fin->fin_flx &= ~FI_STATE;
2601 
2602         /*
2603          * Only allow FR_DUP to work if a rule matched - it makes no sense to
2604          * set FR_DUP as a "default" as there are no instructions about where
2605          * to send the packet.  Use fin_m here because it may have changed
2606          * (without an update of 'm') in prior processing.
2607          */
2608         if ((fr != NULL) && (pass & FR_DUP)) {
2609                 mc = M_DUPLICATE(fin->fin_m);
2610 #ifdef _KERNEL
2611                 mc->b_rptr += fin->fin_ipoff;
2612 #endif
2613         }