kpriv/pkgsrc-wip
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sync-ed over OPENBSD_3_3 Revision 1.328.2.6, removed libexec

Browse source
This commit is contained in:
Emile `iMil' Heitor 2004-04-30 14:06:05 +00:00 committed by Thomas Klausner
parent 2295f684d6
commit cc956c68ea
7 changed files with 475 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
pflkm/MESSAGE
View file

@ -1,6 +1,10 @@
===========================================================================
$NetBSD: MESSAGE,v 1.1.1.1 2004/04/29 12:18:14 imilh Exp $
$NetBSD: MESSAGE,v 1.2 2004/04/30 14:06:05 imilh Exp $
Please go to http://foo.unix.se/joelw/pflkm.html for documentation.
Load the LKM and create /dev/pf like this:
# modload -p ${PREFIX}/sbin/pfmkdev ${PREFIX}/lkm/pfmodule.o
Please go to http://foo.unix.se/joelw/pflkm.html for more documentation.
===========================================================================

4
pflkm/Makefile
View file

@ -1,7 +1,9 @@
# $NetBSD: Makefile,v 1.3 2004/04/29 12:42:49 imilh Exp $
# $NetBSD: Makefile,v 1.4 2004/04/30 14:06:05 imilh Exp $
#
DISTNAME= pflkm-3.3-current
PKGNAME= pflkm-3.3
PKGREVISION= 2
CATEGORIES= net
MASTER_SITES= http://unix.se/joelw/pflkm/

11
pflkm/PLIST
View file

@ -1,22 +1,13 @@
@comment $NetBSD: PLIST,v 1.1.1.1 2004/04/29 12:18:15 imilh Exp $
@comment $NetBSD: PLIST,v 1.2 2004/04/30 14:06:05 imilh Exp $
lkm/pfmodule.o
libexec/ftp-proxy
libexec/spamd
libexec/spamd-setup
sbin/pfctl
sbin/pflogd
sbin/pfmkdev
sbin/authpf
man/cat8/ftp-proxy.0
man/cat8/spamd.0
man/cat8/spamd-setup.0
man/cat8/pfctl.0
man/cat8/pflogd.0
man/cat8/authpf.0
man/cat4/pfmodule.0
man/man8/ftp-proxy.8
man/man8/spamd.8
man/man8/spamd-setup.8
man/man8/pfctl.8
man/man8/pflogd.8
man/man8/authpf.8

8
pflkm/distinfo
View file

@ -1,11 +1,11 @@
$NetBSD: distinfo,v 1.1.1.1 2004/04/29 12:18:15 imilh Exp $
$NetBSD: distinfo,v 1.2 2004/04/30 14:06:05 imilh Exp $
SHA1 (pflkm-3.3-current.tar.gz) = 6653a12741be7c76be98cb2f06b646b32d7bc8a4
Size (pflkm-3.3-current.tar.gz) = 178392 bytes
SHA1 (patch-aa) = b87dfce7365174f0e411836488c5811f353c8903
SHA1 (patch-aa) = 49baccd5cef6a2b7ee707cbb4d3736222d398ccf
SHA1 (patch-ab) = 81ccc65541f066b348eed9a188c8d959ddc726e7
SHA1 (patch-ac) = 58859c56741c9b732a5b4e0caebf3cf1ae264222
SHA1 (patch-ad) = fb3bd25723b15936efdbc6a05143fc660ec2f5fe
SHA1 (patch-ac) = d78cdda496db0b24453b4be2b87ec2792f00c418
SHA1 (patch-ad) = af494388a37a1f7868c252dbf1bdebb1b5b65808
SHA1 (patch-ae) = 6b089c30befe1d66c65b994eaa47493057932336
SHA1 (patch-af) = dff1e40cc684a702646861294fa734effa0fcf13
SHA1 (patch-ag) = 9cf01fca0489f98ebfbc94afc8b2609bd40a9fe4

15
pflkm/patches/patch-aa
View file

@ -1,8 +1,9 @@
$NetBSD: patch-aa,v 1.1.1.1 2004/04/29 12:18:15 imilh Exp $
$NetBSD: patch-aa,v 1.2 2004/04/30 14:06:06 imilh Exp $
--- libexec/Makefile.inc.orig 2003-06-04 08:41:05.000000000 +0200
+++ libexec/Makefile.inc
@@ -1 +1,2 @@
-BINDIR=/usr/libexec
+BINDIR=${PREFIX}/libexec
+MANDIR=${PREFIX}/man
--- Makefile.orig 2004-04-30 15:44:42.000000000 +0200
+++ Makefile
@@ -1,3 +1,3 @@
-SUBDIR= lkm sbin libexec usr.sbin
+SUBDIR= lkm sbin usr.sbin
.include <bsd.subdir.mk>

118
pflkm/patches/patch-ac
View file

@ -1,8 +1,108 @@
$NetBSD: patch-ac,v 1.1.1.1 2004/04/29 12:18:15 imilh Exp $
$NetBSD: patch-ac,v 1.2 2004/04/30 14:06:06 imilh Exp $
--- lkm/pf.c.orig 2004-04-26 18:06:59.000000000 +0200
--- lkm/pf.c.orig 2003-06-04 08:17:00.000000000 +0200
+++ lkm/pf.c
@@ -3889,9 +3889,6 @@ pf_routable(struct pf_addr *addr, sa_fam
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.328 2003/03/21 12:47:36 cedric Exp $ */
+/* $OpenBSD: pf.c,v 1.328.2.6 2004/03/14 00:15:05 brad Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1571,7 +1571,6 @@ pf_get_sport(sa_family_t af, u_int8_t pr
{
struct pf_tree_node key;
struct pf_addr init_addr;
- int step;
u_int16_t cut;
bzero(&init_addr, sizeof(init_addr));
@@ -1610,30 +1609,26 @@ pf_get_sport(sa_family_t af, u_int8_t pr
return (0);
}
} else {
- if (low < high) {
- step = 1;
- cut = arc4random() % (1 + high - low) + low;
- } else {
- step = -1;
- cut = arc4random() % (1 + low - high) + high;
- }
+ if (low > high) {
+ u_int16_t tmp;
- *nport = cut - step;
- do {
- *nport += step;
+ tmp = low;
+ low = high;
+ high = tmp;
+ }
+ /* low < high */
+ cut = arc4random() % (1 + high - low) + low;
+ /* low <= cut <= high */
+ for (*nport = cut; *nport <= high; ++(*nport)) {
key.port[1] = htons(*nport);
if (pf_find_state(&tree_ext_gwy, &key) == NULL)
return (0);
- } while (*nport != low && *nport != high);
-
- step = -step;
- *nport = cut;
- do {
- *nport += step;
+ }
+ for (*nport = cut - 1; *nport >= low; --(*nport)) {
key.port[1] = htons(*nport);
if (pf_find_state(&tree_ext_gwy, &key) == NULL)
return (0);
- } while (*nport != low && *nport != high);
+ }
}
switch (rpool->opts & PF_POOL_TYPEMASK) {
@@ -1778,13 +1773,12 @@ pf_get_translation(int direction, struct
else
PF_POOLMASK(naddr,
&r->src.addr.v.a.addr,
- &r->src.addr.v.a.mask, saddr, af);
+ &r->src.addr.v.a.mask, daddr, af);
break;
}
break;
case PF_RDR: {
- if (pf_map_addr(r->af, &r->rpool,
- &r->src.addr.v.a.addr, naddr, NULL))
+ if (pf_map_addr(r->af, &r->rpool, saddr, naddr, NULL))
return (NULL);
if (r->rpool.proxy_port[1]) {
@@ -2671,6 +2665,7 @@ pf_test_other(struct pf_rule **rm, struc
/* check incoming packet for BINAT/RDR */
if ((rdr = pf_get_translation(PF_IN, ifp, pd->proto,
saddr, 0, daddr, 0, &naddr, NULL, af)) != NULL) {
+ PF_ACPY(&baddr, daddr, af);
switch (af) {
#ifdef INET
case AF_INET:
@@ -3008,7 +3003,7 @@ pf_test_state_tcp(struct pf_state **stat
/* Retrans: not more than one window back */
(ackskew >= -MAXACKWINDOW) &&
/* Acking not more than one window back */
- (ackskew <= MAXACKWINDOW)) {
+ (ackskew <= (MAXACKWINDOW << sws))) {
/* Acking not more than one window forward */
(*state)->packets++;
@@ -3150,7 +3145,7 @@ pf_test_state_tcp(struct pf_state **stat
SEQ_GEQ(seq, src->seqlo - (dst->max_win << dws)) ?
' ': '2',
(ackskew >= -MAXACKWINDOW) ? ' ' : '3',
- (ackskew <= MAXACKWINDOW) ? ' ' : '4',
+ (ackskew <= (MAXACKWINDOW << sws)) ? ' ' : '4',
SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) ?' ' :'5',
SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW) ?' ' :'6');
}
@@ -3889,9 +3884,6 @@ pf_routable(struct pf_addr *addr, sa_fam
}
#ifdef INET
@ -12,3 +112,15 @@ $NetBSD: patch-ac,v 1.1.1.1 2004/04/29 12:18:15 imilh Exp $
void
pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
struct pf_state *s)
@@ -4043,8 +4035,10 @@ pf_route(struct mbuf **m, struct pf_rule
m1 = m0;
error = ip_fragment(m0, ifp, ifp->if_mtu);
- if (error == EMSGSIZE)
+ if (error) {
+ m0 = NULL;
goto bad;
+ }
for (m0 = m1; m0; m0 = m1) {
m1 = m0->m_nextpkt;

340
pflkm/patches/patch-ad
View file

@ -1,8 +1,311 @@
$NetBSD: patch-ad,v 1.1.1.1 2004/04/29 12:18:15 imilh Exp $
$NetBSD: patch-ad,v 1.2 2004/04/30 14:06:06 imilh Exp $
--- lkm/pf_norm.c.orig 2003-06-04 08:17:57.000000000 +0200
+++ lkm/pf_norm.c
@@ -817,7 +817,7 @@ pf_normalize_ip(struct mbuf **m0, int di
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.55 2003/02/18 08:05:15 camield Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.55.2.1 2003/09/24 19:31:19 brad Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -105,10 +105,10 @@ void pf_remove_fragment(struct pf_fra
void pf_flush_fragments(void);
void pf_free_fragment(struct pf_fragment *);
struct pf_fragment *pf_find_fragment(struct ip *, struct pf_frag_tree *);
-struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment *,
+struct mbuf *pf_reassemble(struct mbuf **, struct pf_fragment **,
struct pf_frent *, int);
struct mbuf *pf_fragcache(struct mbuf **, struct ip*,
- struct pf_fragment *, int, int, int *);
+ struct pf_fragment **, int, int, int *);
u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t);
int pf_normalize_tcp(int, struct ifnet *, struct mbuf *,
int, int, void *, struct pf_pdesc *);
@@ -328,7 +328,7 @@ pf_remove_fragment(struct pf_fragment *f
}
struct mbuf *
-pf_reassemble(struct mbuf **m0, struct pf_fragment *frag,
+pf_reassemble(struct mbuf **m0, struct pf_fragment **frag,
struct pf_frent *frent, int mff)
{
struct mbuf *m = *m0, *m2;
@@ -339,33 +339,33 @@ pf_reassemble(struct mbuf **m0, struct p
u_int16_t off = ip->ip_off;
u_int16_t max = ip->ip_len + off;
- KASSERT(frag == NULL || BUFFER_FRAGMENTS(frag));
+ KASSERT(*frag == NULL || BUFFER_FRAGMENTS(*frag));
/* Strip off ip header */
m->m_data += hlen;
m->m_len -= hlen;
/* Create a new reassembly queue for this packet */
- if (frag == NULL) {
- frag = pool_get(&pf_frag_pl, PR_NOWAIT);
- if (frag == NULL) {
+ if (*frag == NULL) {
+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT);
+ if (*frag == NULL) {
pf_flush_fragments();
- frag = pool_get(&pf_frag_pl, PR_NOWAIT);
- if (frag == NULL)
+ *frag = pool_get(&pf_frag_pl, PR_NOWAIT);
+ if (*frag == NULL)
goto drop_fragment;
}
- frag->fr_flags = 0;
- frag->fr_max = 0;
- frag->fr_src = frent->fr_ip->ip_src;
- frag->fr_dst = frent->fr_ip->ip_dst;
- frag->fr_p = frent->fr_ip->ip_p;
- frag->fr_id = frent->fr_ip->ip_id;
- frag->fr_timeout = time.tv_sec;
- LIST_INIT(&frag->fr_queue);
+ (*frag)->fr_flags = 0;
+ (*frag)->fr_max = 0;
+ (*frag)->fr_src = frent->fr_ip->ip_src;
+ (*frag)->fr_dst = frent->fr_ip->ip_dst;
+ (*frag)->fr_p = frent->fr_ip->ip_p;
+ (*frag)->fr_id = frent->fr_ip->ip_id;
+ (*frag)->fr_timeout = time.tv_sec;
+ LIST_INIT(&(*frag)->fr_queue);
- RB_INSERT(pf_frag_tree, &pf_frag_tree, frag);
- TAILQ_INSERT_HEAD(&pf_fragqueue, frag, frag_next);
+ RB_INSERT(pf_frag_tree, &pf_frag_tree, *frag);
+ TAILQ_INSERT_HEAD(&pf_fragqueue, *frag, frag_next);
/* We do not have a previous fragment */
frep = NULL;
@@ -376,7 +376,7 @@ pf_reassemble(struct mbuf **m0, struct p
* Find a fragment after the current one:
* - off contains the real shifted offset.
*/
- LIST_FOREACH(frea, &frag->fr_queue, fr_next) {
+ LIST_FOREACH(frea, &(*frag)->fr_queue, fr_next) {
if (frea->fr_ip->ip_off > off)
break;
frep = frea;
@@ -420,45 +420,46 @@ pf_reassemble(struct mbuf **m0, struct p
insert:
/* Update maximum data size */
- if (frag->fr_max < max)
- frag->fr_max = max;
+ if ((*frag)->fr_max < max)
+ (*frag)->fr_max = max;
/* This is the last segment */
if (!mff)
- frag->fr_flags |= PFFRAG_SEENLAST;
+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
if (frep == NULL)
- LIST_INSERT_HEAD(&frag->fr_queue, frent, fr_next);
+ LIST_INSERT_HEAD(&(*frag)->fr_queue, frent, fr_next);
else
LIST_INSERT_AFTER(frep, frent, fr_next);
/* Check if we are completely reassembled */
- if (!(frag->fr_flags & PFFRAG_SEENLAST))
+ if (!((*frag)->fr_flags & PFFRAG_SEENLAST))
return (NULL);
/* Check if we have all the data */
off = 0;
- for (frep = LIST_FIRST(&frag->fr_queue); frep; frep = next) {
+ for (frep = LIST_FIRST(&(*frag)->fr_queue); frep; frep = next) {
next = LIST_NEXT(frep, fr_next);
off += frep->fr_ip->ip_len;
- if (off < frag->fr_max &&
+ if (off < (*frag)->fr_max &&
(next == NULL || next->fr_ip->ip_off != off)) {
DPFPRINTF(("missing fragment at %d, next %d, max %d\n",
off, next == NULL ? -1 : next->fr_ip->ip_off,
- frag->fr_max));
+ (*frag)->fr_max));
return (NULL);
}
}
- DPFPRINTF(("%d < %d?\n", off, frag->fr_max));
- if (off < frag->fr_max)
+ DPFPRINTF(("%d < %d?\n", off, (*frag)->fr_max));
+ if (off < (*frag)->fr_max)
return (NULL);
/* We have all the data */
- frent = LIST_FIRST(&frag->fr_queue);
+ frent = LIST_FIRST(&(*frag)->fr_queue);
KASSERT(frent != NULL);
if ((frent->fr_ip->ip_hl << 2) + off > IP_MAXPACKET) {
DPFPRINTF(("drop: too big: %d\n", off));
- pf_free_fragment(frag);
+ pf_free_fragment(*frag);
+ *frag = NULL;
return (NULL);
}
next = LIST_NEXT(frent, fr_next);
@@ -480,11 +481,12 @@ pf_reassemble(struct mbuf **m0, struct p
m_cat(m, m2);
}
- ip->ip_src = frag->fr_src;
- ip->ip_dst = frag->fr_dst;
+ ip->ip_src = (*frag)->fr_src;
+ ip->ip_dst = (*frag)->fr_dst;
/* Remove from fragment queue */
- pf_remove_fragment(frag);
+ pf_remove_fragment(*frag);
+ *frag = NULL;
hlen = ip->ip_hl << 2;
ip->ip_len = off + hlen;
@@ -512,7 +514,7 @@ pf_reassemble(struct mbuf **m0, struct p
}
struct mbuf *
-pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment *frag, int mff,
+pf_fragcache(struct mbuf **m0, struct ip *h, struct pf_fragment **frag, int mff,
int drop, int *nomem)
{
struct mbuf *m = *m0;
@@ -522,41 +524,42 @@ pf_fragcache(struct mbuf **m0, struct ip
u_int16_t max = ip_len + off;
int hosed = 0;
- KASSERT(frag == NULL || !BUFFER_FRAGMENTS(frag));
+ KASSERT(*frag == NULL || !BUFFER_FRAGMENTS(*frag));
/* Create a new range queue for this packet */
- if (frag == NULL) {
- frag = pool_get(&pf_cache_pl, PR_NOWAIT);
- if (frag == NULL) {
+ if (*frag == NULL) {
+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT);
+ if (*frag == NULL) {
pf_flush_fragments();
- frag = pool_get(&pf_cache_pl, PR_NOWAIT);
- if (frag == NULL)
+ *frag = pool_get(&pf_cache_pl, PR_NOWAIT);
+ if (*frag == NULL)
goto no_mem;
}
/* Get an entry for the queue */
cur = pool_get(&pf_cent_pl, PR_NOWAIT);
if (cur == NULL) {
- pool_put(&pf_cache_pl, frag);
+ pool_put(&pf_cache_pl, *frag);
+ *frag = NULL;
goto no_mem;
}
pf_ncache++;
- frag->fr_flags = PFFRAG_NOBUFFER;
- frag->fr_max = 0;
- frag->fr_src = h->ip_src;
- frag->fr_dst = h->ip_dst;
- frag->fr_p = h->ip_p;
- frag->fr_id = h->ip_id;
- frag->fr_timeout = time.tv_sec;
+ (*frag)->fr_flags = PFFRAG_NOBUFFER;
+ (*frag)->fr_max = 0;
+ (*frag)->fr_src = h->ip_src;
+ (*frag)->fr_dst = h->ip_dst;
+ (*frag)->fr_p = h->ip_p;
+ (*frag)->fr_id = h->ip_id;
+ (*frag)->fr_timeout = time.tv_sec;
cur->fr_off = off;
cur->fr_end = max;
- LIST_INIT(&frag->fr_cache);
- LIST_INSERT_HEAD(&frag->fr_cache, cur, fr_next);
+ LIST_INIT(&(*frag)->fr_cache);
+ LIST_INSERT_HEAD(&(*frag)->fr_cache, cur, fr_next);
- RB_INSERT(pf_frag_tree, &pf_cache_tree, frag);
- TAILQ_INSERT_HEAD(&pf_cachequeue, frag, frag_next);
+ RB_INSERT(pf_frag_tree, &pf_cache_tree, *frag);
+ TAILQ_INSERT_HEAD(&pf_cachequeue, *frag, frag_next);
DPFPRINTF(("fragcache[%d]: new %d-%d\n", h->ip_id, off, max));
@@ -568,7 +571,7 @@ pf_fragcache(struct mbuf **m0, struct ip
* - off contains the real shifted offset.
*/
frp = NULL;
- LIST_FOREACH(fra, &frag->fr_cache, fr_next) {
+ LIST_FOREACH(fra, &(*frag)->fr_cache, fr_next) {
if (fra->fr_off > off)
break;
frp = fra;
@@ -759,21 +762,22 @@ pf_fragcache(struct mbuf **m0, struct ip
pass:
/* Update maximum data size */
- if (frag->fr_max < max)
- frag->fr_max = max;
+ if ((*frag)->fr_max < max)
+ (*frag)->fr_max = max;
/* This is the last segment */
if (!mff)
- frag->fr_flags |= PFFRAG_SEENLAST;
+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
/* Check if we are completely reassembled */
- if ((frag->fr_flags & PFFRAG_SEENLAST) &&
- LIST_FIRST(&frag->fr_cache)->fr_off == 0 &&
- LIST_FIRST(&frag->fr_cache)->fr_end == frag->fr_max) {
+ if (((*frag)->fr_flags & PFFRAG_SEENLAST) &&
+ LIST_FIRST(&(*frag)->fr_cache)->fr_off == 0 &&
+ LIST_FIRST(&(*frag)->fr_cache)->fr_end == (*frag)->fr_max) {
/* Remove from fragment queue */
DPFPRINTF(("fragcache[%d]: done 0-%d\n", h->ip_id,
- frag->fr_max));
- pf_free_fragment(frag);
+ (*frag)->fr_max));
+ pf_free_fragment(*frag);
+ *frag = NULL;
}
return (m);
@@ -782,8 +786,8 @@ pf_fragcache(struct mbuf **m0, struct ip
*nomem = 1;
/* Still need to pay attention to !IP_MF */
- if (!mff && frag)
- frag->fr_flags |= PFFRAG_SEENLAST;
+ if (!mff && *frag != NULL)
+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
m_freem(m);
return (NULL);
@@ -791,15 +795,15 @@ pf_fragcache(struct mbuf **m0, struct ip
drop_fragment:
/* Still need to pay attention to !IP_MF */
- if (!mff && frag)
- frag->fr_flags |= PFFRAG_SEENLAST;
+ if (!mff && *frag != NULL)
+ (*frag)->fr_flags |= PFFRAG_SEENLAST;
if (drop) {
/* This fragment has been deemed bad. Don't reass */
- if ((frag->fr_flags & PFFRAG_DROP) == 0)
+ if (((*frag)->fr_flags & PFFRAG_DROP) == 0)
DPFPRINTF(("fragcache[%d]: dropping overall fragment\n",
h->ip_id));
- frag->fr_flags |= PFFRAG_DROP;
+ (*frag)->fr_flags |= PFFRAG_DROP;
}
m_freem(m);
@@ -817,7 +821,7 @@ pf_normalize_ip(struct mbuf **m0, int di
int mff = (h->ip_off & IP_MF);
int hlen = h->ip_hl << 2;
u_int16_t fragoff = (h->ip_off & IP_OFFMASK) << 3;
@ -11,3 +314,36 @@ $NetBSD: patch-ad,v 1.1.1.1 2004/04/29 12:18:15 imilh Exp $
int ip_len;
int ip_off;
@@ -911,12 +915,12 @@ pf_normalize_ip(struct mbuf **m0, int di
/* Might return a completely reassembled mbuf, or NULL */
DPFPRINTF(("reass frag %d @ %d-%d\n", h->ip_id, fragoff, max));
- *m0 = m = pf_reassemble(m0, frag, frent, mff);
+ *m0 = m = pf_reassemble(m0, &frag, frent, mff);
if (m == NULL)
return (PF_DROP);
- if (frag && (frag->fr_flags & PFFRAG_DROP))
+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP))
goto drop;
h = mtod(m, struct ip *);
@@ -945,7 +949,7 @@ pf_normalize_ip(struct mbuf **m0, int di
goto bad;
}
- *m0 = m = pf_fragcache(m0, h, frag, mff,
+ *m0 = m = pf_fragcache(m0, h, &frag, mff,
(r->rule_flag & PFRULE_FRAGDROP) ? 1 : 0, &nomem);
if (m == NULL) {
if (nomem)
@@ -961,7 +965,7 @@ pf_normalize_ip(struct mbuf **m0, int di
goto no_mem;
m_tag_prepend(m, mtag);
}
- if (frag && (frag->fr_flags & PFFRAG_DROP))
+ if (frag != NULL && (frag->fr_flags & PFFRAG_DROP))
goto drop;
goto fragment_pass;
}