
A serious problem with FreeBSD ipfilter

Hits: 32   Published: 2008-11-22 10:20:03   Author: 源代码网

The firewall I built for a client (FreeBSD(p23) + ipfilter 3.4.33pre2) was dying several times a day, and every time it died without any response or any output at all, which was really embarrassing for me. I never managed to find where the problem was.
A few days ago, on the ipfilter website, I came across a mailing-list post from someone who had run into exactly the same situation as me. The original text is as follows:
Using FreeBSD 4.9-STABLE + ipfilter 3.4.33pre2
If I have ipf rules like:
block return-icmp (port-unr) in log quick on xl0 proto udp from any to any port = 111
attempts to connect to that port cause the system to freeze instantly, no crash dumps, no errors etc.
The same happens using
block return-icmp-as-dest ........
I haven't seen anything like this in recent archives.
What can I do to further debug this ?

You can run a simple test yourself:
Assume the firewall is A and the workstation is B.
Add a rule like this at the very top of your ipf.conf rule file:
block return-icmp-as-dest in quick on fxp0 proto udp from any to any port = 53

Here fxp0 is the interface you want to test; change it to match your own setup.
Then, on another machine B, set the DNS server to the IP address of firewall A (the one under test), run nslookup on B, query a few domain names at random and repeat it several times, and you will see firewall A freeze and hang immediately, without printing any message at all. It is truly frightening, and it works every single time. Even if your ipf.conf does not contain this rule, the same thing can still happen under special circumstances.

I tried 3.4.33pre1 through pre3 and all of them have this bug; reportedly 3.4.32 has it too, while 3.4.31 seems not to. Someone published a patch; I tried it and it works. I attach it below. The patch has been acknowledged by the ipfilter author and can be used with confidence.


Index: ip_fil.c
===================================================================
RCS file: /home/cvs/firewall/firewall/usrlocal/ipfilter34/ipfilter3433/ip_fil.c,v
retrieving revision 1.3
diff -u -r1.3 ip_fil.c
--- ip_fil.c 17 Dec 2003 12:33:56 -0000 1.3
+++ ip_fil.c 22 Dec 2003 11:23:28 -0000
@@ -1285,7 +1285,7 @@
frn.fin_ifp = fin->fin_ifp;
frn.fin_v = fin->fin_v;
frn.fin_out = fin->fin_out;
- frn.fin_mp = fin->fin_mp;
+ frn.fin_mp = mp;

ip = mtod(m, ip_t *);
hlen = sizeof(*ip);
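Review bot: `mp` is not declared or assigned anywhere in the visible context, so its origin needs confirming before `frn.fin_mp = mp;` is taken over `fin->fin_mp`. The intent is presumably that the copied `frn` should point at the mbuf chain actually being handed around at this point rather than the pointer recorded in the caller's `fin`, but nothing in the hunk says why `fin->fin_mp` is stale here. A one-line comment above the assignment stating which mbuf `mp` refers to, and why the copy must not carry the original pointer, would make the change reviewable without reading the whole function.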
@@ -1465,7 +1465,13 @@
#endif

if (avail) {
+ slen = oip->ip_len;
+ oip->ip_len = htons(oip->ip_len);
+ soff = oip->ip_off;
+ oip->ip_off = htons(oip->ip_off);
bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail));
+ oip->ip_len = slen;
+ oip->ip_off = soff;
avail -= MIN(ohlen, avail);
}

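Review bot: the save/convert/restore sequence around `bcopy()` is right in intent (the header quoted inside an ICMP error must carry `ip_len` and `ip_off` in network order, while the stack keeps them in host order), but it mutates the original packet header just to copy it. Converting into a stack copy of the header (`ip_t tmp = *oip; tmp.ip_len = htons(oip->ip_len); tmp.ip_off = htons(oip->ip_off);`) and copying from `tmp` would remove the two restore lines and the window in which `oip` is in the wrong byte order. Also confirm that `slen` and `soff` keep declarations matching the width of `ip_len`/`ip_off` and that those declarations survive the removals in the later hunks; their only remaining use is now inside this `if (avail)` block, so they could be scoped there.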
@@ -1486,10 +1492,6 @@
} else
#endif
{
- slen = oip->ip_len;
- oip->ip_len = htons(oip->ip_len);
- soff = oip->ip_off;
- oip->ip_off = htons(ip->ip_off);

ip->ip_src.s_addr = dst4.s_addr;
ip->ip_dst.s_addr = oip->ip_src.s_addr;
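Review bot: the removed line `oip->ip_off = htons(ip->ip_off);` was reading `ip->ip_off` (the header of the new ICMP packet) and storing it into `oip->ip_off` (the original packet's header), so the pre-patch code was not only converting at the wrong point but also overwriting the quoted offset with the wrong packet's value. That is worth spelling out in the commit message so both the byte-order fix and the wrong-variable fix are recorded. With the conversion gone from this branch, confirm nothing later in the `else` block still expects `oip->ip_len`/`oip->ip_off` to be in network order.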
@@ -1509,13 +1511,7 @@
fin->fin_hlen = hlen;
err = send_ip(oip, fin, &m);
fin->fin_hlen = shlen;
-#ifdef USE_INET6
- if (fin->fin_v == 4)
-#endif
- {
- oip->ip_len = slen;
- oip->ip_off = soff;
- }
+
return err;
}

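Review bot: the `+` line at the end of this hunk adds a stray blank line where the removed restore block was; drop it so the diff does not introduce whitespace-only churn. Removing the restore here is consistent with the earlier hunk, which now restores `oip->ip_len`/`oip->ip_off` immediately after the `bcopy()`, but it also deletes the `#ifdef USE_INET6 ... if (fin->fin_v == 4)` guard: confirm that the remaining `htons()` conversion in the `if (avail)` block is itself reached only for IPv4 packets, since `ip_len`/`ip_off` do not exist in the IPv6 header.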

 

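The byte-order handling that the second hunk of the patch introduces, shown as a stand-alone C program. This is an added example written for this page, not code from ipfilter or from the author of the post. It assumes the convention the patch's `htons()` calls rely on, namely that while a packet is inside the FreeBSD 4.x stack `ip_len` and `ip_off` are held in host byte order, whereas the header quoted inside an ICMP error message must be in network (big-endian) order. The struct name `ipv4_hdr`, the function names and the sample header values are all constructed for the example. Instead of swapping the original header in place and restoring it afterwards, as the patch does, the example converts into a temporary copy, so the original is never touched and no restore step is needed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Minimal stand-in for the kernel's struct ip (constructed for this example;
 * field order and widths match the 20-byte IPv4 header). */
struct ipv4_hdr {
    uint8_t  ip_vhl;   /* version + header length */
    uint8_t  ip_tos;
    uint16_t ip_len;   /* host order while inside the FreeBSD 4.x stack */
    uint16_t ip_id;
    uint16_t ip_off;   /* host order while inside the stack */
    uint8_t  ip_ttl;
    uint8_t  ip_p;
    uint16_t ip_sum;
    uint32_t ip_src;   /* already network order; the stack never swaps these */
    uint32_t ip_dst;
};

/* Constructed sample: the header of a 57-byte UDP/53 query as the stack holds it. */
struct ipv4_hdr sample_query_header(void)
{
    struct ipv4_hdr h;
    memset(&h, 0, sizeof h);
    h.ip_vhl = 0x45;                 /* IPv4, 20-byte header */
    h.ip_len = 57;                   /* host order: 20 IP + 8 UDP + 29 DNS */
    h.ip_off = 0x4000;               /* host order: DF set, fragment offset 0 */
    h.ip_ttl = 64;
    h.ip_p   = 17;                   /* UDP */
    h.ip_src = htonl(0xC0A80102UL);  /* 192.168.1.2 (constructed) */
    h.ip_dst = htonl(0xC0A80101UL);  /* 192.168.1.1 (constructed) */
    return h;
}

/* Copy the original header into the ICMP error payload, converting the two
 * host-order fields in a temporary copy only. Mirrors the patch's
 * bcopy((char *)oip, ..., MIN(ohlen, avail)) but leaves *oip untouched.
 * Returns the number of bytes copied. */
size_t quote_original_header(const struct ipv4_hdr *oip, size_t ohlen,
                             uint8_t *payload, size_t avail)
{
    struct ipv4_hdr tmp = *oip;
    size_t n = ohlen < avail ? ohlen : avail;   /* MIN(ohlen, avail) */
    tmp.ip_len = htons(oip->ip_len);
    tmp.ip_off = htons(oip->ip_off);
    memcpy(payload, &tmp, n);
    return n;
}

/* The pre-patch behaviour for comparison: copy without any conversion, so the
 * quoted header carries host-order length/offset fields. */
size_t naive_quote_original_header(const struct ipv4_hdr *oip, size_t ohlen,
                                   uint8_t *payload, size_t avail)
{
    size_t n = ohlen < avail ? ohlen : avail;
    memcpy(payload, oip, n);
    return n;
}

/* Read the quoted fields back the way a receiver on the wire would: big-endian,
 * at their fixed offsets (ip_len at byte 2, ip_off at byte 6). */
uint16_t quoted_ip_len(const uint8_t *payload)
{
    return (uint16_t)((payload[2] << 8) | payload[3]);
}

uint16_t quoted_ip_off(const uint8_t *payload)
{
    return (uint16_t)((payload[6] << 8) | payload[7]);
}

int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void)
{
    struct ipv4_hdr h = sample_query_header();
    uint8_t good[64], bad[64];

    quote_original_header(&h, sizeof h, good, sizeof good);
    naive_quote_original_header(&h, sizeof h, bad, sizeof bad);

    printf("converted copy : quoted ip_len=%u ip_off=0x%04x\n",
           quoted_ip_len(good), quoted_ip_off(good));
    printf("naive copy     : quoted ip_len=%u ip_off=0x%04x\n",
           quoted_ip_len(bad), quoted_ip_off(bad));
    printf("original header untouched: ip_len=%u ip_off=0x%04x\n",
           h.ip_len, h.ip_off);
    return 0;
}
```

On a little-endian host the naive copy quotes a length of 0x3900 (14592) instead of 57, which is what a receiver parsing the ICMP port-unreachable would see; the converted copy quotes 57 and 0x4000, and the caller's header is left exactly as the stack expects it.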