From owner-freebsd-bugs@FreeBSD.ORG Tue Feb 2 22:30:02 2010
Message-Id: <20100202222044.C2F2526183@u18-124.dsl.vianetworks.de>
Date: Tue, 2 Feb 2010 23:20:44 +0100 (CET)
From: olli hauer
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: ohauer@gmx.de, freebsd-pf@FreeBSD.org
Subject: kern/143504: [patch] outgoing states are not killed by authpf

>Number:         143504
>Category:       kern
>Synopsis:       [patch] outgoing states are not killed by authpf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 02 22:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     olli hauer
>Release:        FreeBSD 7.2-RELEASE-p6 i386
>Organization:
>Environment:
System: FreeBSD 7.2-RELEASE-p6
>Description:
Outgoing states are not killed by authpf, because in authpf_kill_states() the DIOCKILLSTATES ioctl overwrites psk.psk_af with the number of states it killed for the incoming ipsrc, so the second ioctl (for the outgoing direction) is issued with that count as its address family and matches nothing.

The patch is only needed until the code from OpenBSD >= 200811 is merged into FreeBSD, since OpenBSD 4.4+ returns the number of killed states in psk.psk_killed instead. The OpenBSD change is not documented in the man page at the moment, but it can be found in the source (net/pfvar.h). I found it this way by hacking snortsam. Please also see my PR 140369, which corrects the man page for FreeBSD.

From pf(4):

     DIOCKILLSTATES struct pfioc_state_kill *psk
             Remove matching entries from the state table. This ioctl
             returns the number of killed states in psk_af.
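To make the failure mode concrete, here is a constructed model of the two-ioctl sequence in authpf_kill_states() (added here; it is not FreeBSD's authpf.c): a tiny in-memory state table with hypothetical addresses and a fake DIOCKILLSTATES that, like the FreeBSD 7 kernel described above, writes the kill count back into psk_af. Running it unpatched leaves the state towards ipsrc alive; with the patch's saved family restored, all of ipsrc's states go away and an unrelated host's state survives in both cases.

```c
/* Constructed model of authpf_kill_states() from this PR (not FreeBSD's authpf.c):
 * a tiny state table and a fake DIOCKILLSTATES that, like the FreeBSD 7 kernel,
 * writes the number of killed states back into psk_af. */
#include <string.h>
#include <sys/socket.h>                 /* AF_INET, sa_family_t */

struct fake_state { sa_family_t af; const char *src, *dst; int alive; };
struct fake_psk   { sa_family_t psk_af; const char *psk_src, *psk_dst; };
/* Constructed table: authpf user at 10.0.0.5 (hypothetical) plus another host. */
static struct fake_state table[] = {
    { AF_INET, "10.0.0.5",   "192.0.2.10", 1 },   /* state from ipsrc */
    { AF_INET, "192.0.2.20", "10.0.0.5",   1 },   /* state to ipsrc */
    { AF_INET, "10.0.0.9",   "192.0.2.10", 1 },   /* other host, must survive */
};
#define NSTATES (sizeof(table) / sizeof(table[0]))

/* Fake DIOCKILLSTATES: kill states matching af and the given src/dst, then
 * overwrite psk_af with the kill count, the behaviour the PR reports. */
static void fake_killstates(struct fake_psk *psk)
{
    int killed = 0;
    for (size_t i = 0; i < NSTATES; i++) {
        if (!table[i].alive || table[i].af != psk->psk_af) continue;
        if (psk->psk_src && strcmp(table[i].src, psk->psk_src)) continue;
        if (psk->psk_dst && strcmp(table[i].dst, psk->psk_dst)) continue;
        table[i].alive = 0; killed++;
    }
    psk->psk_af = (sa_family_t)killed;
}
/* authpf's two-ioctl sequence: states from ipsrc, then states to ipsrc.
 * restore_af = 0 is the unpatched flow; 1 re-applies the saved family (the
 * patch's 'saf'). Returns how many of ipsrc's states are still alive. */
int authpf_kill_states_model(const char *ipsrc, int restore_af)
{
    struct fake_psk psk = { AF_INET, ipsrc, NULL };  /* kill all states from ipsrc */
    sa_family_t saf = AF_INET;
    int left = 0;
    for (size_t i = 0; i < NSTATES; i++) table[i].alive = 1;   /* fresh table */
    fake_killstates(&psk);          /* psk.psk_af is now 1 (the count), not AF_INET */
    if (restore_af)
        psk.psk_af = saf;           /* the patch's restore */
    psk.psk_src = NULL;
    psk.psk_dst = ipsrc;            /* kill all states to ipsrc */
    fake_killstates(&psk);          /* unpatched: af == 1 matches nothing */
    for (size_t i = 0; i < NSTATES; i++)
        if (table[i].alive && (!strcmp(table[i].src, ipsrc) || !strcmp(table[i].dst, ipsrc)))
            left++;
    return left;
}
```

Note that the clobbered value is only accidentally harmless when exactly AF_INET (2) states were killed by the first ioctl, which is why the bug is easy to miss in small tests.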
Here are the structs from FreeBSD and OpenBSD.

FreeBSD:

	struct pfioc_state_kill {
		/* XXX returns the number of states killed in psk_af */
		sa_family_t		psk_af;
		int			psk_proto;
		struct pf_rule_addr	psk_src;
		struct pf_rule_addr	psk_dst;
		char			psk_ifname[IFNAMSIZ];
	};

OpenBSD 4.4/4.5:

	struct pfioc_state_kill {
		struct pf_state_cmp	psk_pfcmp;
		sa_family_t		psk_af;
		int			psk_proto;
		struct pf_rule_addr	psk_src;
		struct pf_rule_addr	psk_dst;
		char			psk_ifname[IFNAMSIZ];
		char			psk_label[PF_RULE_LABEL_SIZE];
		u_int			psk_killed;
	};

>How-To-Repeat:
>Fix:
The following patch saves the address family into a variable 'saf' and restores psk.psk_af to this family after killing the states from the incoming ipsrc.

--- patch_authpf.c begins here ---
Index: base/stable/7/contrib/pf/authpf/authpf.c
===================================================================
--- base/stable/7/contrib/pf/authpf/authpf.c	(revision 203401)
+++ base/stable/7/contrib/pf/authpf/authpf.c	(working copy)
@@ -788,14 +788,15 @@ authpf_kill_states(void)
 {
 	struct pfioc_state_kill	psk;
 	struct pf_addr target;
+	sa_family_t saf;	/* safe AF_INET family */
 
 	memset(&psk, 0, sizeof(psk));
 	memset(&target, 0, sizeof(target));
 
 	if (inet_pton(AF_INET, ipsrc, &target.v4) == 1)
-		psk.psk_af = AF_INET;
+		psk.psk_af = saf = AF_INET;
 	else if (inet_pton(AF_INET6, ipsrc, &target.v6) == 1)
-		psk.psk_af = AF_INET6;
+		psk.psk_af = saf = AF_INET6;
 	else {
 		syslog(LOG_ERR, "inet_pton(%s) failed", ipsrc);
 		return;
@@ -809,6 +810,9 @@ authpf_kill_states(void)
 	if (ioctl(dev, DIOCKILLSTATES, &psk))
 		syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
 
+	/* restore AF_INET, since it contains now the Nr. of killed states */
+	psk.psk_af = saf;
+
 	/* Kill all states to ipsrc */
 	memset(&psk.psk_src, 0, sizeof(psk.psk_src));
 	memcpy(&psk.psk_dst.addr.v.a.addr, &target,
--- patch_authpf.c ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
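Review bot: In the first hunk the comment on the new variable, `/* safe AF_INET family */`, is misleading in two ways: "safe" should read "saved", and the variable also holds AF_INET6 on the second branch, so `/* saved address family */` describes what `saf` actually is. The chained assignment `psk.psk_af = saf = AF_INET;` is fine, but keeping the declaration's comment accurate matters here because the whole point of the patch is that psk_af cannot be trusted after the ioctl.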
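Review bot: In the second hunk the restore comment, `/* restore AF_INET, since it contains now the Nr. of killed states */`, should say "restore the address family" rather than AF_INET, for the same reason as above; it would also help to name the kernel behaviour it works around ("DIOCKILLSTATES returns the number of killed states in psk_af on FreeBSD 7"), so the line is not removed as redundant once the psk_killed API from OpenBSD is merged and the assignment becomes a harmless no-op. Placing the restore unconditionally after the first ioctl, before the psk_src/psk_dst swap, is the right spot: it covers both the success and the failed-ioctl path, and nothing between the two ioctls reads psk_af.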