svn commit: r339470 - head/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Sat Oct 20 18:37:22 UTC 2018
Author: kp
Date: Sat Oct 20 18:37:21 2018
New Revision: 339470
URL: https://svnweb.freebsd.org/changeset/base/339470
Log:
pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.
PR: 197484
Obtained from: OpenBSD
MFC after: 2 weeks
Modified:
head/sys/netpfil/pf/pf.c
Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c Sat Oct 20 18:32:34 2018 (r339469)
+++ head/sys/netpfil/pf/pf.c Sat Oct 20 18:37:21 2018 (r339470)
@@ -4401,7 +4401,7 @@ pf_test_state_tcp(struct pf_state **state, int directi
TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
- } else if (!(th->th_flags & TH_ACK) ||
+ } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
REASON_SET(reason, PFRES_SYNPROXY);
More information about the svn-src-all
mailing list