From owner-freebsd-pf@FreeBSD.ORG Tue Feb 2 22:21:02 2010
From: olli hauer
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-pf@freebsd.org
Date: Tue, 2 Feb 2010 23:20:44 +0100 (CET)
Message-Id: <20100202222044.C2F2526183@u18-124.dsl.vianetworks.de>
Subject: [patch] outgoing states are not killed by authpf

>Submitter-Id: current-users
>Originator: olli hauer
>Organization:
>Confidential: no
>Synopsis: [patch] outgoing states are not killed by authpf
>Severity: non-critical
>Priority: low
>Category: kern
>Class: sw-bug
>Release: FreeBSD 7.2-RELEASE-p6 i386
>Environment:
System: FreeBSD 7.2-RELEASE-p6
>Description:
Outgoing states are not killed by authpf, since psk.psk_af is overridden in
authpf_kill_states() with the number of killed states for the incoming ipsrc.

The patch is only needed until the code from OpenBSD >= 200811 is merged into
FreeBSD, since OpenBSD 4.4+ returns the number of killed states in psk.psk_killed.
The OpenBSD change is not documented in the man page at the moment, but you can
find it in the source (net/pfvar.h). I found it this way by hacking snortsam.
Please also see my PR 140369 to correct the man page for FreeBSD.

From man (4) pf:

  DIOCKILLSTATES struct pfioc_state_kill *psk
        Remove matching entries from the state table. This ioctl returns the
        number of killed states in psk_af.
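Added example, not code from the PR or from authpf: a stand-alone C simulation of the psk_af aliasing described above. It does not include pfvar.h; the struct and the state table are constructed stand-ins, fake_kill_states() plays the role of the DIOCKILLSTATES ioctl that reports the kill count in psk_af, and the save/restore of the family mirrors the fix in the patch.

```c
/* Added example (not from the PR or authpf): simulate the psk_af aliasing.
 * Constructed mirror of FreeBSD 7's pfioc_state_kill; no pfvar.h needed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, sa_family_t */

/* psk_af: input = address family, output = killed count. psk_src/psk_dst are
 * constructed selectors: 0 means "any", otherwise an IPv4 address. */
struct fake_pfioc_state_kill { sa_family_t psk_af; uint32_t psk_src, psk_dst; };
struct fake_state { sa_family_t af; uint32_t src, dst; int alive; };

/* Stand-in for DIOCKILLSTATES: kill matching states, report count in psk_af. */
static void fake_kill_states(struct fake_state *tbl, size_t n,
                             struct fake_pfioc_state_kill *psk)
{
    int killed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!tbl[i].alive || tbl[i].af != psk->psk_af) continue;
        if (psk->psk_src && tbl[i].src != psk->psk_src) continue;
        if (psk->psk_dst && tbl[i].dst != psk->psk_dst) continue;
        tbl[i].alive = 0;
        killed++;
    }
    psk->psk_af = (sa_family_t)killed;   /* the 7.x behaviour the PR hits */
}

/* Mirror authpf_kill_states(): kill states from host, then states to host.
 * restore_af == 0 reproduces the bug; != 0 applies the PR's save/restore. */
static int kill_both_directions(struct fake_state *tbl, size_t n,
                                uint32_t host, int restore_af)
{
    struct fake_pfioc_state_kill psk;
    sa_family_t saf = AF_INET;          /* the PR's saved family */
    memset(&psk, 0, sizeof(psk));
    psk.psk_af = saf;
    psk.psk_src = host;                 /* kill states from host */
    fake_kill_states(tbl, n, &psk);     /* psk_af is now the kill count */
    if (restore_af) psk.psk_af = saf;   /* the PR's restore */
    psk.psk_src = 0;
    psk.psk_dst = host;                 /* kill states to host */
    fake_kill_states(tbl, n, &psk);
    int alive = 0; for (size_t i = 0; i < n; i++) alive += tbl[i].alive;
    return alive;                       /* states that survived */
}

/* Constructed scenario: one state from 10.0.0.1, one to it, one unrelated. */
int demo(int restore_af)
{
    struct fake_state tbl[] = {
        { AF_INET, 0x0A000001, 0xC0A80001, 1 }, { AF_INET, 0xC0A80001, 0x0A000001, 1 },
        { AF_INET, 0x0A000002, 0xC0A80001, 1 } };
    return kill_both_directions(tbl, 3, 0x0A000001, restore_af);
}
```

Without the restore the second kill matches on the count from the first one, so the state to the host survives (demo(0) returns 2); with the restore only the unrelated state is left (demo(1) returns 1).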
Here are the structs from FreeBSD and OpenBSD.

FreeBSD:

struct pfioc_state_kill {
        /* XXX returns the number of states killed in psk_af */
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
};

OpenBSD_4.4/4.5:

struct pfioc_state_kill {
        struct pf_state_cmp     psk_pfcmp;
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
        char                    psk_label[PF_RULE_LABEL_SIZE];
        u_int                   psk_killed;
};

>How-To-Repeat:
>Fix:
The following patch saves the sa_family into a variable 'saf' and restores
psk.psk_af to this family after killing the states from the incoming ipsrc.

--- patch_authpf.c begins here ---
Index: base/stable/7/contrib/pf/authpf/authpf.c =================================================================== --- base/stable/7/contrib/pf/authpf/authpf.c (revision 203401) +++ base/stable/7/contrib/pf/authpf/authpf.c (working copy) @@ -788,14 +788,15 @@ authpf_kill_states(void) { struct pfioc_state_kill psk; struct pf_addr target; + sa_family_t saf; /* safe AF_INET family */ memset(&psk, 0, sizeof(psk)); memset(&target, 0, sizeof(target)); if (inet_pton(AF_INET, ipsrc, &target.v4) == 1) - psk.psk_af = AF_INET; + psk.psk_af = saf = AF_INET; else if (inet_pton(AF_INET6, ipsrc, &target.v6) == 1) - psk.psk_af = AF_INET6; + psk.psk_af = saf = AF_INET6; else { syslog(LOG_ERR, "inet_pton(%s) failed", ipsrc); return; @@ -809,6 +810,9 @@ authpf_kill_states(void) if (ioctl(dev, DIOCKILLSTATES, &psk)) syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)"); + /* restore AF_INET, since it contains now the Nr. of killed states */ + psk.psk_af = saf; + /* Kill all states to ipsrc */ memset(&psk.psk_src, 0, sizeof(psk.psk_src)); memcpy(&psk.psk_dst.addr.v.a.addr, &target,
--- patch_authpf.c ends here ---
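Review bot: in the first hunk (@@ -788,14 +788,15 @@) the comment on the new declaration, `sa_family_t saf; /* safe AF_INET family */`, is misleading on two counts: "safe" should read "saved", and the variable also holds AF_INET6 on the IPv6 branch (`psk.psk_af = saf = AF_INET6;`). Suggest `/* saved address family of ipsrc */`. The chained assignments themselves are fine: both inet_pton branches assign saf and the failure branch returns, so no initializer is needed.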
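Review bot: in the second hunk (@@ -809,6 +810,9 @@) the comment `/* restore AF_INET, since it contains now the Nr. of killed states */` again names only AF_INET and reads as a statement about the constant rather than the field; suggest "psk_af now holds the number of states DIOCKILLSTATES killed; restore the saved family before the second kill". The placement is right: without `psk.psk_af = saf;` the second DIOCKILLSTATES matches on whatever count the first call reported, so the states to ipsrc are only removed when that count happens to equal a real address family value, which is exactly why outgoing states survive the end of an authpf session. Restoring unconditionally after a failed ioctl is harmless. One more thing worth a comment: psk_af is overwritten again by the second ioctl, which is fine here because psk is not reused, but anyone adding logging of psk_af afterwards should not read it as a family.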