K 10
svn:author
V 2
bz
K 8
svn:date
V 27
2012-02-08T16:07:07.388291Z
K 7
svn:log
V 763
MFC r225032,225034:

 ipfw internally checks for offset == 0 to determine whether the
 packet is a/the first fragment or not.  For IPv6 we have added the
 "more fragments" flag as well to be able to determine on whether
 there will be more as we do not have the fragment header avaialble
 for logging, while for IPv4 this information can be derived directly
 from the IPv4 header.  This allowed fragmented packets to bypass
 normal rules as proper masking was not done when checking offset.
 Split variables to not need masking for IPv6 to avoid further errors.

 After r225032 fix logging in a similar way masking the the IPv6
 more fragments flag off so that offset == 0 checks work properly.

 Submitted by:	Matthew Luckie (mjl luckie.org.nz)
PR:		kern/145733

END