Date: Thu, 7 Sep 2000 00:38:33 -0500 (CDT) From: missnglnk <missnglnk@sneakerz.org> To: Luigi Rizzo <luigi@info.iet.unipi.it> Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: Issues with ipfw(8)'s dynamic rules Message-ID: <Pine.BSF.4.21.0009070037280.46060-100000@sneakerz.org> In-Reply-To: <Pine.BSF.4.21.0009042008070.38117-100000@sneakerz.org>
--- sys/netinet/ip_fw.c.orig Wed Sep 6 21:01:07 2000
+++ sys/netinet/ip_fw.c Wed Sep 6 21:40:55 2000
@@ -735,4 +735,3 @@
 break ;
- default:
-#if 0
+ case TH_RST | (TH_RST << 8) :
 /*
@@ -741,7 +740,18 @@
 */
- if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
- printf("invalid state: 0x%x\n", q->state);
-#endif
+ printf("invalid state: 0x%x\n", q->state);
 q->expire = time_second + dyn_rst_lifetime ;
 break ;
+ default:
+ /*
+ * A TCP packet found in unknown state, drop it.
+ */
+ DEB(printf("packet should be dropped (state: 0x%x)\n", q->state));
+ old_q = q ;
+ if (prev != NULL)
+ prev->next = q = q->next ;
+ else
+ ipfw_dyn_v[i] = q = q->next ;
+ dyn_count-- ;
+ free(old_q, M_IPFW);
+ break ;
 }
@@ -838,4 +848,7 @@
 }
- if (dyn_count >= dyn_max) /* try remove old ones... */
- remove_dyn_rule(NULL, 0 /* expire */);
+ /*
+ * Unconditionally remove expired states.
+ */
+ remove_dyn_rule(NULL, 0 /* expire */);
+ if (dyn_count >= dyn_max) {
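Review bot: The `printf("invalid state: 0x%x\n", q->state);` added to the new `case TH_RST | (TH_RST << 8)` arm runs unconditionally in the kernel for every packet that hits a dynamic rule in that state, where the old code kept it under `#if 0`; anyone who can send RST segments matching an existing dynamic entry can drive console/syslog output at line rate. Wrap it like the other diagnostics in the same switch: `DEB(printf("invalid state: 0x%x\n", q->state));`. In the new `default:` arm the entry is unlinked and freed while the surrounding loop is still walking the chain; whether `old_q`, `prev` and `i` are declared, and whether the loop's own advance step (outside this hunk) avoids stepping over the already-advanced `q` or assigning the freed pointer to `prev`, cannot be confirmed from here — if the loop does `prev = q; q = q->next` after the switch, the node following the freed one is skipped and `prev` becomes dangling. The enclosing function starts and ends outside the hunk, and the third hunk is cut off after `if (dyn_count >= dyn_max) {`.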
@@ -1277,4 +1290,43 @@
 */
- if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S)
- install_state(chain);
+ if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
+ /*
+ * Instead of unconditionally adding a new state,
+ * check the protocol and flags, and add a new state
+ * or ignore packet.
+ */
+ switch(proto) {
+ case IPPROTO_TCP:
+ if (flags & TH_SYN) {
+ DEB(printf("-- installing state for TCP packet\n"));
+ install_state(chain);
+ } else {
+ DEB(printf("-- invalid TCP connection state\n"));
+ }
+ break;
+ case IPPROTO_UDP:
+ DEB(printf("-- installing state for UDP packet\n"));
+ install_state(chain);
+ break;
+ case IPPROTO_ICMP:
+ if (is_icmp_query(ip)) {
+ DEB(printf("-- installing state for ICMP packet\n"));
+ install_state(chain);
+ } else {
+ DEB(printf("-- invalid ICMP connection state\n"));
+ }
+ break;
+ default:
+ /*
+ * Unknown packet, if default is to accept all
+ * packets, add a new state, otherwise ignore.
+ */
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ DEB(printf("-- installing state for unknown packet\n"));
+ install_state(chain);
+#else
+ DEB(printf("invalid unknown protocol connection state\n"));
+#endif
+ break;
+ }
+ }
 #endif
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
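Review bot: `if (flags & TH_SYN) {` in the IPPROTO_TCP arm also accepts SYN|ACK (and SYN combined with RST or FIN), so a keep-state rule intended to key off connection opens will still install state for a SYN|ACK arriving from the far side; test for the handshake-open pattern instead, `if ((flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN)) == TH_SYN) {`. The comment `or ignore packet` overstates what the else branches do: they only skip install_state, and the rule's action — which is outside this hunk — presumably still applies to the packet, so if the intent is to drop, that has to be decided where the action is taken; otherwise reword the comment to `or skip state creation`. Tying state creation for unknown protocols to the compile-time IPFIREWALL_DEFAULT_TO_ACCEPT option also means a keep-state rule behaves differently depending on the kernel's default policy, which is worth calling out in the comment. The enclosing function starts outside the hunk.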