From owner-freebsd-ipfw Wed Sep 6 22:38:41 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from sneakerz.org (sneakerz.org [207.154.226.254]) by hub.freebsd.org (Postfix) with ESMTP id 909D637B423 for ; Wed, 6 Sep 2000 22:38:38 -0700 (PDT) Received: by sneakerz.org (Postfix, from userid 1023) id 3F5505D006; Thu, 7 Sep 2000 00:38:33 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by sneakerz.org (Postfix) with ESMTP id 3DAE059206; Thu, 7 Sep 2000 00:38:33 -0500 (CDT) Date: Thu, 7 Sep 2000 00:38:33 -0500 (CDT) From: missnglnk To: Luigi Rizzo Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: Issues with ipfw(8)'s dynamic rules In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG
--- sys/netinet/ip_fw.c.orig Wed Sep 6 21:01:07 2000
+++ sys/netinet/ip_fw.c Wed Sep 6 21:40:55 2000
@@ -735,4 +735,3 @@
 break ;
- default:
-#if 0
+ case TH_RST | (TH_RST << 8) :
 /*
@@ -741,7 +740,18 @@
 */
- if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
- printf("invalid state: 0x%x\n", q->state);
-#endif
+ printf("invalid state: 0x%x\n", q->state);
 q->expire = time_second + dyn_rst_lifetime ;
 break ;
+ default:
+ /*
+ * A TCP packet found in unknown state, drop it.
+ */
+ DEB(printf("packet should be dropped (state: 0x%x)\n", q->state));
+ old_q = q ;
+ if (prev != NULL)
+ prev->next = q = q->next ;
+ else
+ ipfw_dyn_v[i] = q = q->next ;
+ dyn_count-- ;
+ free(old_q, M_IPFW);
+ break ;
 }
@@ -838,4 +848,7 @@
 }
- if (dyn_count >= dyn_max) /* try remove old ones... */
- remove_dyn_rule(NULL, 0 /* expire */);
+ /*
+ * Unconditionally remove expired states.
+ */
+ remove_dyn_rule(NULL, 0 /* expire */);
+ if (dyn_count >= dyn_max) {
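Review bot: In the new `default:` arm of the state switch, the matched entry is unlinked and freed and `q` is advanced to `q->next` before `break`, so whatever follows the switch sees the next entry in the bucket (or NULL) rather than the entry that was just judged invalid; the code after the switch is outside the hunk, but if it returns `q` as the lookup result, the caller can be handed an unrelated dynamic rule as a match. Unless that tail already handles this, adding `q = NULL ;` after `free(old_q, M_IPFW);` makes the drop decision explicit, and the unlink is only correct if `prev` is still the predecessor of `q` at this point, which depends on how the enclosing loop left it. Separately, the `printf("invalid state: 0x%x\n", q->state);` that the `case TH_RST | (TH_RST << 8) :` arm now reaches is unconditional kernel logging on a per-packet path; wrapping it in `DEB()` like the other new messages, or rate-limiting it, avoids a console flood that any remote peer can trigger. The enclosing function starts and ends outside the hunk.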
@@ -1277,4 +1290,43 @@
 */
- if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S)
- install_state(chain);
+ if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
+ /*
+ * Instead of unconditionally adding a new state,
+ * check the protocol and flags, and add a new state
+ * or ignore packet.
+ */
+ switch(proto) {
+ case IPPROTO_TCP:
+ if (flags & TH_SYN) {
+ DEB(printf("-- installing state for TCP packet\n"));
+ install_state(chain);
+ } else {
+ DEB(printf("-- invalid TCP connection state\n"));
+ }
+ break;
+ case IPPROTO_UDP:
+ DEB(printf("-- installing state for UDP packet\n"));
+ install_state(chain);
+ break;
+ case IPPROTO_ICMP:
+ if (is_icmp_query(ip)) {
+ DEB(printf("-- installing state for ICMP packet\n"));
+ install_state(chain);
+ } else {
+ DEB(printf("-- invalid ICMP connection state\n"));
+ }
+ break;
+ default:
+ /*
+ * Unknown packet, if default is to accept all
+ * packets, add a new state, otherwise ignore.
+ */
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ DEB(printf("-- installing state for unknown packet\n"));
+ install_state(chain);
+#else
+ DEB(printf("invalid unknown protocol connection state\n"));
+#endif
+ break;
+ }
+ }
 #endif
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
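Review bot: The TCP branch of the new `switch(proto)` installs state whenever `TH_SYN` is set, so a SYN|ACK or SYN|RST also opens a dynamic rule even though neither starts a connection; if `flags` holds the full TCP flag byte at this point, `if ((flags & (TH_SYN|TH_ACK|TH_RST)) == TH_SYN) {` restricts state creation to a genuine opener. The `default:` arm ties state creation for every other protocol to the build-time `IPFIREWALL_DEFAULT_TO_ACCEPT` policy, which is a separate decision from whether a keep-state rule should track that protocol at all; a one-line comment there explaining why the two are coupled would help the next reader, or the arm could skip `install_state` and leave those packets stateless. Minor: the message `invalid unknown protocol connection state` lacks the `-- ` prefix every other new `DEB()` message carries. The enclosing function and the conditional block closed by the trailing `#endif` both begin outside the hunk.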