Date:      Sat, 14 Jul 2018 10:14:59 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r336275 - head/sys/netpfil/pf
Message-ID:  <201807141014.w6EAExfp033287@repo.freebsd.org>

Author: kp
Date: Sat Jul 14 10:14:59 2018
New Revision: 336275
URL: https://svnweb.freebsd.org/changeset/base/336275

Log:
  pf: Fix synproxy
  
  Synproxy was accidentally broken by r335569. The 'return (action)' must be
  executed for every non-PF_PASS result, but the error packet (TCP RST or ICMP
  error) should only be sent if the packet was dropped (i.e. PF_DROP) and the
  return flag is set.
  
  PR:		229477
  Submitted by:	Andre Albsmeier <mail AT fbsd.e4m.org>
  MFC after:	1 week

Modified:
  head/sys/netpfil/pf/pf.c

Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c	Sat Jul 14 09:29:45 2018	(r336274)
+++ head/sys/netpfil/pf/pf.c	Sat Jul 14 10:14:59 2018	(r336275)
@@ -3558,9 +3558,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm
 		action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
 		    sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
 		    hdrlen);
-		if (action != PF_PASS && r->rule_flag & PFRULE_RETURN) {
-			pf_return(r, nr, pd, sk, off, m, th, kif,
-			    bproto_sum, bip_sum, hdrlen, &reason);
+		if (action != PF_PASS) {
+			if (action == PF_DROP &&
+			    (r->rule_flag & PFRULE_RETURN))
+				pf_return(r, nr, pd, sk, off, m, th, kif,
+				    bproto_sum, bip_sum, hdrlen, &reason);
 			return (action);
 		}
 	} else {
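Review bot: the reason the `return (action)` is now separated from the `pf_return()` call lives only in the commit log, not in the code; a one-line comment above the new `if (action != PF_PASS)` block (e.g. `/* Only send a RST/ICMP error on PF_DROP; other non-PASS results, such as the synproxy case, must return without one */`) would make the intent visible at the site that r335569 broke and help prevent the same regression. The restructuring itself looks right: every non-PF_PASS result from `pf_create_state()` still hits `return (action)`, while `pf_return()` is now reached only when `action == PF_DROP` and `PFRULE_RETURN` is set, and the added parentheses around `(r->rule_flag & PFRULE_RETURN)` remove the reliance on `&` binding tighter than `&&` in the old condition.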
