From owner-dev-commits-src-branches@freebsd.org Tue Jul 27 11:46:44 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1F96B65DB3E; Tue, 27 Jul 2021 11:46:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GYw4N02s3z3s1C; Tue, 27 Jul 2021 11:46:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id DDB8D1DF3; Tue, 27 Jul 2021 11:46:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 16RBkhpe067561; Tue, 27 Jul 2021 11:46:43 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 16RBkh6e067560; Tue, 27 Jul 2021 11:46:43 GMT (envelope-from git) Date: Tue, 27 Jul 2021 11:46:43 GMT Message-Id: <202107271146.16RBkh6e067560@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Kristof Provost Subject: git: 0df576d98e15 - stable/13 - pf: factor out pf_synproxy() MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 0df576d98e15bbafa73522a099bf0f34990496b4 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jul 2021 11:46:44 -0000 The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0df576d98e15bbafa73522a099bf0f34990496b4 commit 0df576d98e15bbafa73522a099bf0f34990496b4 Author: Kristof Provost AuthorDate: 2021-06-10 13:49:09 +0000 Commit: Kristof Provost CommitDate: 2021-07-27 07:42:13 +0000 pf: factor out pf_synproxy() MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D31137 (cherry picked from commit ee9c3d38039eb29966e1f0b8f617bc564c078289)
---
 sys/netpfil/pf/pf.c | 85 ++++++++++++++++++++++++++++++-----------------------
 1 file changed, 49 insertions(+), 36 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c47a0098550d..a08f38f3a286 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -4455,45 +4455,13 @@ pf_tcp_track_sloppy(struct pf_state_peer *src, struct pf_state_peer *dst,
 }
 
 static int
-pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
- struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
- u_short *reason)
+pf_synproxy(struct pf_pdesc *pd, struct pf_kstate **state, u_short *reason)
 {
- struct pf_state_key_cmp key;
+ struct pf_state_key *sk = (*state)->key[pd->didx];
 struct tcphdr *th = &pd->hdr.tcp;
- int copyback = 0;
- struct pf_state_peer *src, *dst;
- struct pf_state_key *sk;
-
- bzero(&key, sizeof(key));
- key.af = pd->af;
- key.proto = IPPROTO_TCP;
- if (direction == PF_IN) { /* wire side, straight */
- PF_ACPY(&key.addr[0], pd->src, key.af);
- PF_ACPY(&key.addr[1], pd->dst, key.af);
- key.port[0] = th->th_sport;
- key.port[1] = th->th_dport;
- } else { /* stack side, reverse */
- PF_ACPY(&key.addr[1], pd->src, key.af);
- PF_ACPY(&key.addr[0], pd->dst, key.af);
- key.port[1] = th->th_sport;
- key.port[0] = th->th_dport;
- }
-
- STATE_LOOKUP(kif, &key, direction, *state, pd);
-
- if (direction == (*state)->direction) {
- src = &(*state)->src;
- dst = &(*state)->dst;
- } else {
- src = &(*state)->dst;
- dst = &(*state)->src;
- }
-
- sk = (*state)->key[pd->didx];
 
 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
- if (direction != (*state)->direction) {
+ if (pd->dir != (*state)->direction) {
 REASON_SET(reason, PFRES_SYNPROXY);
 return (PF_SYNPROXY_DROP);
 }
@@ -4521,7 +4489,7 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
 (*state)->src.state = PF_TCPS_PROXY_DST;
 }
 if ((*state)->src.state == PF_TCPS_PROXY_DST) {
- if (direction == (*state)->direction) {
+ if (pd->dir == (*state)->direction) {
 if (((th->th_flags & (TH_SYN|TH_ACK)) != TH_ACK) ||
 (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
 (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
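Review bot: The new static function pf_synproxy() carries no comment stating its contract, and a reader of the first hunk cannot tell from the signature that a PF_PASS return means "not a synproxy packet, continue normal state tracking" while any other value is a final verdict the caller must hand back unchanged (PF_SYNPROXY_DROP is the one visible here). I would put above `static int` a short block comment saying: drives the SYN-proxy handshake for a state whose src.state is PF_TCPS_PROXY_SRC or PF_TCPS_PROXY_DST; returns PF_PASS when the packet needs no proxy handling, otherwise the verdict to return to the caller, with *reason set. The body also switches from the caller's `direction` argument to `pd->dir` for deciding which side of the state the packet is on; that is only equivalent if every caller fills pd->dir before this point, which the hunk does not show, so the comment should name pd->dir and pd->didx as required inputs. pf_synproxy()'s body continues past the end of this hunk.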
@@ -4572,6 +4540,51 @@ pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
 }
 }
 
+ return (PF_PASS);
+}
+
+static int
+pf_test_state_tcp(struct pf_kstate **state, int direction, struct pfi_kkif *kif,
+ struct mbuf *m, int off, void *h, struct pf_pdesc *pd,
+ u_short *reason)
+{
+ struct pf_state_key_cmp key;
+ struct tcphdr *th = &pd->hdr.tcp;
+ int copyback = 0;
+ int action;
+ struct pf_state_peer *src, *dst;
+ struct pf_state_key *sk;
+
+ bzero(&key, sizeof(key));
+ key.af = pd->af;
+ key.proto = IPPROTO_TCP;
+ if (direction == PF_IN) { /* wire side, straight */
+ PF_ACPY(&key.addr[0], pd->src, key.af);
+ PF_ACPY(&key.addr[1], pd->dst, key.af);
+ key.port[0] = th->th_sport;
+ key.port[1] = th->th_dport;
+ } else { /* stack side, reverse */
+ PF_ACPY(&key.addr[1], pd->src, key.af);
+ PF_ACPY(&key.addr[0], pd->dst, key.af);
+ key.port[1] = th->th_sport;
+ key.port[0] = th->th_dport;
+ }
+
+ STATE_LOOKUP(kif, &key, direction, *state, pd);
+
+ if (direction == (*state)->direction) {
+ src = &(*state)->src;
+ dst = &(*state)->dst;
+ } else {
+ src = &(*state)->dst;
+ dst = &(*state)->src;
+ }
+
+ sk = (*state)->key[pd->didx];
+
+ if ((action = pf_synproxy(pd, state, reason)) != PF_PASS)
+ return (action);
+
 if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
 dst->state >= TCPS_FIN_WAIT_2 &&
 src->state >= TCPS_FIN_WAIT_2) {
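Review bot: pf_test_state_tcp() now has two sources of packet direction: it builds the lookup key and picks src/dst from its `direction` parameter, while pf_synproxy(), called a few lines later, decides the same question from `pd->dir`. The caller presumably keeps the two equal, but nothing in this function checks it, and a mismatch would make the synproxy handshake act on the wrong peer of the state. Either pass `direction` into pf_synproxy() or pin the invariant before the call with `KASSERT(pd->dir == direction, ("%s: pd->dir %d != direction %d", __func__, pd->dir, direction));`. Separately, `sk = (*state)->key[pd->didx];` is still computed here although the only use visible in this commit moved into pf_synproxy(), which recomputes it; if nothing later in the function reads `sk`, the declaration and the assignment are dead and should go. pf_test_state_tcp() continues past the end of this hunk.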