Date:      Fri, 01 Aug 2003 15:10:09 -0400
From:      "Louis A. Mamakos" <louie@TransSys.COM>
To:        Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Suggestion regarding a new option for IPFW2 
Message-ID:  <200308011910.h71JA9RY033752@whizzo.transsys.com>
In-Reply-To: Your message of "Fri, 01 Aug 2003 18:32:05 +0200." <0AF1BBDF1218F14E9B4CCE414744E70F1F3E28@exchange.wanglobal.net> 
References:  <0AF1BBDF1218F14E9B4CCE414744E70F1F3E28@exchange.wanglobal.net> 


TCP resets MUST already come with the source address rewritten;
otherwise it won't match up with the connection attempt on the
original host.  If you look in ip_fw2.c:

        /*
         * Assume we are sending a RST (or a keepalive in the reverse
         * direction), swap src and destination addresses and ports.
         */
        ip->ip_src.s_addr = htonl(id->dst_ip);
        ip->ip_dst.s_addr = htonl(id->src_ip);
        tcp->th_sport = htons(id->dst_port);
        tcp->th_dport = htons(id->src_port);

appears in the send_pkt() function, which appears to be called to
send the reset segments.

louie
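The point of the message above, as an added example that is not part of the original mail or of ipfw's own code: a firewall-generated RST is only useful if the originating host can match it to the connection it attempted, so the RST has to carry the *reversed* 4-tuple of the packet it answers. The struct names (flow_id, rst_hdrs) and the sample addresses below are constructed for this example; the swap itself mirrors the four assignments quoted from send_pkt().

```c
/* Added example (not the ip_fw2.c code quoted above): why a firewall's
 * RST must carry the reversed 4-tuple of the packet it is answering.
 * Struct names and sample values are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htonl, htons, ntohl, ntohs, inet_ntop */
#include <netinet/in.h>

/* Host-order flow identifier, modelled loosely on ipfw's ipfw_flow_id
 * (hypothetical field layout, not the kernel's). */
struct flow_id {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;  /* host byte order */
};

/* The IP/TCP header fields that matter for matching a RST to a
 * connection; network byte order, as they appear on the wire. */
struct rst_hdrs {
    uint32_t ip_src, ip_dst;
    uint16_t th_sport, th_dport;
};

/* Build the addressing of a RST answering the packet described by 'id':
 * swap source/destination addresses and ports, as send_pkt() does. */
void build_rst_addrs(const struct flow_id *id, struct rst_hdrs *rst)
{
    rst->ip_src   = htonl(id->dst_ip);
    rst->ip_dst   = htonl(id->src_ip);
    rst->th_sport = htons(id->dst_port);
    rst->th_dport = htons(id->src_port);
}

/* What the originating host checks: does this incoming segment belong to
 * the connection it attempted, i.e. does its source equal the attempt's
 * destination and vice versa?  Returns 1 on a match, 0 otherwise. */
int rst_matches_attempt(const struct flow_id *attempt, const struct rst_hdrs *rst)
{
    return ntohl(rst->ip_src)   == attempt->dst_ip
        && ntohl(rst->ip_dst)   == attempt->src_ip
        && ntohs(rst->th_sport) == attempt->dst_port
        && ntohs(rst->th_dport) == attempt->src_port;
}

/* The failure mode the mail rules out: a RST sent from the firewall's own
 * address (source not rewritten) would never match the attempt. */
int rst_unrewritten_matches(const struct flow_id *attempt, uint32_t fw_ip)
{
    struct rst_hdrs rst;
    build_rst_addrs(attempt, &rst);
    rst.ip_src = htonl(fw_ip);   /* firewall's address instead of the peer's */
    return rst_matches_attempt(attempt, &rst);
}

int main(void)
{
    /* Constructed sample: 192.0.2.10:40000 -> 198.51.100.5:22 (documentation nets) */
    struct flow_id attempt = { 0xC000020AU, 0xC6336405U, 40000, 22 };
    struct rst_hdrs rst;
    char a[INET_ADDRSTRLEN], b[INET_ADDRSTRLEN];
    struct in_addr ia;

    build_rst_addrs(&attempt, &rst);
    ia.s_addr = rst.ip_src; inet_ntop(AF_INET, &ia, a, sizeof a);
    ia.s_addr = rst.ip_dst; inet_ntop(AF_INET, &ia, b, sizeof b);
    printf("RST %s:%u -> %s:%u matches attempt: %d\n",
           a, ntohs(rst.th_sport), b, ntohs(rst.th_dport),
           rst_matches_attempt(&attempt, &rst));
    /* 192.0.2.1 stands in for the firewall's own address */
    printf("RST from firewall address matches attempt: %d\n",
           rst_unrewritten_matches(&attempt, 0xC0000201U));
    return 0;
}
```

The second printf is the case the mail is answering: if the reject rule's RST went out with the firewall's address as source, the host that sent the SYN would have no socket matching that tuple and would ignore the segment, leaving the connection attempt to time out.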


