Commit 5435c7dc authored by Alessandro Rubini

pfilter: novlan: accept all UDP ports from 0 to 511

This shortens the rule-set by two rules, making space for pdelay.

By accepting all ports from 0 to 511, we get all of our services,
including snmp that will be tested soon.  This relaxed check will give
us possibly some false positives (then discarded by the CPU) while
still protecting from most of a hostile or just probing port sweep.
Signed-off-by: Alessandro Rubini <rubini@gnudd.com>
parent 5e4ed884
......@@ -406,10 +406,8 @@ void pfilter_init_novlan(char *fname)
pfilter_logic3(FRAME_FOR_CPU, FRAME_IP_UNI, AND, FRAME_ICMP, OR, FRAME_FOR_CPU);
/* Now look in UDP ports: at offset 18 (14 + 20 + 8 = 36) */
pfilter_cmp(18, 0x0044, 0xffff, MOV, PORT_UDP_HOST); /* bootpc */
pfilter_cmp(18, 0x013f, 0xffff, OR, PORT_UDP_HOST); /* ptp event */
pfilter_cmp(18, 0x0140, 0xffff, OR, PORT_UDP_HOST); /* ptp general */
pfilter_cmp(18, 0x0025, 0xffff, OR, PORT_UDP_HOST); /* rdate */
pfilter_cmp(18, 0x0000, 0xff00, MOV, PORT_UDP_HOST); /* ports 0-255 */
pfilter_cmp(18, 0x0100, 0xff00, OR, PORT_UDP_HOST); /* ports 256-511 */
/* The CPU gets those ports in a proper UDP frame, plus the previous selections */
pfilter_logic3(FRAME_FOR_CPU, FRAME_UDP, AND, PORT_UDP_HOST, OR, FRAME_FOR_CPU);
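Review bot: The two masked compares (0x0000/0xff00 and 0x0100/0xff00 on word offset 18) replace four exact-match rules, so besides bootpc (0x0044), rdate (0x0025) and the two PTP ports (0x013f, 0x0140) every other UDP destination port in 0-511 now reaches the CPU; the commit message accepts the extra load as "false positives discarded by the CPU", but the hunk drops the only place that recorded which services the filter exists for. Suggest keeping that mapping in a comment next to the new rules, e.g. `/* covers bootpc 68, rdate 37, ptp 319/320, snmp 161 */`, and stating the assumption that nothing on the CPU side listens on an unintended port inside the range, since the hardware filter no longer protects those. Separately, the pre-existing comment `/* Now look in UDP ports: at offset 18 (14 + 20 + 8 = 36) */` does not add up (14 + 20 + 8 is 42); as the new rules still key on word offset 18, i.e. byte 36, which is 14 (Ethernet) + 20 (IPv4) + 2 (UDP source port) and thus the UDP destination port, it would be worth fixing the arithmetic while touching this block.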