From owner-svn-src-all@freebsd.org Sun Nov 18 10:47:37 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CB5741134D1C; Sun, 18 Nov 2018 10:47:37 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6644976A56; Sun, 18 Nov 2018 10:47:37 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 428A412449; Sun, 18 Nov 2018 10:47:37 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wAIAlb0C006660; Sun, 18 Nov 2018 10:47:37 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wAIAlbx9006659; Sun, 18 Nov 2018 10:47:37 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201811181047.wAIAlbx9006659@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Sun, 18 Nov 2018 10:47:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r340558 - stable/12/sys/netpfil/pf X-SVN-Group: stable-12 X-SVN-Commit-Author: kp X-SVN-Commit-Paths: stable/12/sys/netpfil/pf X-SVN-Commit-Revision: 340558 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 6644976A56 X-Spamd-Result: default: False [-0.05 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_SHORT(-0.05)[-0.052,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Nov 2018 10:47:38 -0000 Author: kp Date: Sun Nov 18 10:47:36 2018 New Revision: 340558 URL: https://svnweb.freebsd.org/changeset/base/340558 Log: MFC r339470: pf synproxy will do the 3WHS on behalf of the target machine, and once the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set. PR: 197484 Obtained from: OpenBSD Modified: stable/12/sys/netpfil/pf/pf.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/netpfil/pf/pf.c ============================================================================== --- stable/12/sys/netpfil/pf/pf.c Sun Nov 18 10:22:42 2018 (r340557) +++ stable/12/sys/netpfil/pf/pf.c Sun Nov 18 10:47:36 2018 (r340558) @@ -4401,7 +4401,7 @@ pf_test_state_tcp(struct pf_state **state, int directi TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL); REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); - } else if (!(th->th_flags & TH_ACK) || + } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { REASON_SET(reason, PFRES_SYNPROXY);