Date: Sun, 18 Nov 2018 10:47:51 +0000 (UTC) From: Kristof Provost <kp@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r340559 - stable/11/sys/netpfil/pf Message-ID: <201811181047.wAIAlpGn006727@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kp Date: Sun Nov 18 10:47:50 2018 New Revision: 340559 URL: https://svnweb.freebsd.org/changeset/base/340559 Log: MFC r339470: pf synproxy will do the 3WHS on behalf of the target machine, and once the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set. PR: 197484 Obtained from: OpenBSD Modified: stable/11/sys/netpfil/pf/pf.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netpfil/pf/pf.c ============================================================================== --- stable/11/sys/netpfil/pf/pf.c Sun Nov 18 10:47:36 2018 (r340558) +++ stable/11/sys/netpfil/pf/pf.c Sun Nov 18 10:47:50 2018 (r340559) @@ -4389,7 +4389,7 @@ pf_test_state_tcp(struct pf_state **state, int directi TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL); REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); - } else if (!(th->th_flags & TH_ACK) || + } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { REASON_SET(reason, PFRES_SYNPROXY);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811181047.wAIAlpGn006727>