Date: Sat, 20 Oct 2018 18:37:22 +0000 (UTC) From: Kristof Provost <kp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r339470 - head/sys/netpfil/pf Message-ID: <201810201837.w9KIbMOh045867@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kp Date: Sat Oct 20 18:37:21 2018 New Revision: 339470 URL: https://svnweb.freebsd.org/changeset/base/339470 Log: pf synproxy will do the 3WHS on behalf of the target machine, and once the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set. PR: 197484 Obtained from: OpenBSD MFC after: 2 weeks Modified: head/sys/netpfil/pf/pf.c Modified: head/sys/netpfil/pf/pf.c ============================================================================== --- head/sys/netpfil/pf/pf.c Sat Oct 20 18:32:34 2018 (r339469) +++ head/sys/netpfil/pf/pf.c Sat Oct 20 18:37:21 2018 (r339470) @@ -4401,7 +4401,7 @@ pf_test_state_tcp(struct pf_state **state, int directi TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL); REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); - } else if (!(th->th_flags & TH_ACK) || + } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { REASON_SET(reason, PFRES_SYNPROXY);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201810201837.w9KIbMOh045867>