authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-05-16 17:15:18 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-05-16 17:15:18 +0000
commit85e053e7501287b4034b58a3a8435bf906ed929e (patch)
tree09f5e7909516434e61974fc7b1e719ed8d2d993e /sbin
parentd9525b078e57b78143c603ae3eb262ad75798b49 (diff)
TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake with the active endpoint before passing any packets to the passive endpoint, preventing spoofed SYN floods from reaching the passive endpoint. No additional memory requirements, no cookies needed, random initial sequence numbers, uses the existing sequence number modulators to translate packets after the handshakes. ok frantzen@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y16
-rw-r--r--sbin/pfctl/pf_print_state.c11
-rw-r--r--sbin/pfctl/pfctl_parser.c4
3 files changed, 21 insertions, 10 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 4f208fcd243..4ba5bed97b6 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.383 2003/05/15 06:22:46 henning Exp $ */
+/* $OpenBSD: parse.y,v 1.384 2003/05/16 17:15:17 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -361,7 +361,7 @@ typedef struct {
%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
-%token REQUIREORDER
+%token REQUIREORDER SYNPROXY
%token ANTISPOOF FOR
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT
@@ -2245,6 +2245,10 @@ keep : KEEP STATE state_opt_spec {
$$.action = PF_STATE_MODULATE;
$$.options = $3;
}
+ | SYNPROXY STATE state_opt_spec {
+ $$.action = PF_STATE_SYNPROXY;
+ $$.options = $3;
+ }
;
state_opt_spec : '(' state_opt_list ')' { $$ = $2; }
@@ -2973,9 +2977,10 @@ filter_consistent(struct pf_rule *r)
r->af == AF_INET ? "inet" : "inet6");
problems++;
}
- if (r->keep_state == PF_STATE_MODULATE && r->proto &&
- r->proto != IPPROTO_TCP) {
- yyerror("modulate state can only be applied to TCP rules");
+ if ((r->keep_state == PF_STATE_MODULATE || r->keep_state ==
+ PF_STATE_SYNPROXY) && r->proto && r->proto != IPPROTO_TCP) {
+ yyerror("modulate/synproxy state can only be applied to "
+ "TCP rules");
problems++;
}
if (r->allow_opts && r->action != PF_PASS) {
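Review bot: The widened check at `if ((r->keep_state == PF_STATE_MODULATE || r->keep_state == PF_STATE_SYNPROXY) && r->proto && r->proto != IPPROTO_TCP)` still only fires when the rule names a protocol, so a rule like `pass in synproxy state` with no `proto tcp` is accepted at load time, exactly as a proto-less `modulate state` rule already was. Whether the kernel then applies the SYN proxy only to the TCP matches of such a rule and treats other protocols as plain keep-state is not visible in this diff; if that is the intended behaviour, a comment above the check such as `/* proto-less rules pass: only their TCP matches are modulated/proxied -- TODO confirm against pf.c */` would spare the next reader the question. If it is not, the `r->proto &&` guard should be dropped for the PF_STATE_SYNPROXY case so the misconfiguration is reported by pfctl rather than discovered on the first non-TCP packet. The enclosing filter_consistent() starts and ends outside this hunk.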
@@ -3743,6 +3748,7 @@ lookup(char *s)
{ "source-hash", SOURCEHASH},
{ "state", STATE},
{ "static-port", STATICPORT},
+ { "synproxy", SYNPROXY},
{ "table", TABLE},
{ "tag", TAG},
{ "tagged", TAGGED},
diff --git a/sbin/pfctl/pf_print_state.c b/sbin/pfctl/pf_print_state.c
index 3ed6df2ded2..29f9b83c299 100644
--- a/sbin/pfctl/pf_print_state.c
+++ b/sbin/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.25 2003/04/09 15:38:46 cedric Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.26 2003/05/16 17:15:17 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -196,12 +196,15 @@ print_state(struct pf_state *s, int opts)
printf(" ");
if (s->proto == IPPROTO_TCP) {
if (src->state <= TCPS_TIME_WAIT &&
- dst->state <= TCPS_TIME_WAIT) {
+ dst->state <= TCPS_TIME_WAIT)
printf(" %s:%s\n", tcpstates[src->state],
tcpstates[dst->state]);
- } else {
+ else if (src->state == PF_TCPS_PROXY_SRC)
+ printf(" PROXY_SRC\n");
+ else if (src->state == PF_TCPS_PROXY_DST)
+ printf(" PROXY_DST\n");
+ else
printf(" <BAD STATE LEVELS>\n");
- }
if (opts & PF_OPT_VERBOSE) {
printf(" ");
print_seq(src);
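Review bot: The two new branches test only `src->state` for PF_TCPS_PROXY_SRC and PF_TCPS_PROXY_DST, so a state whose dst side carried a proxy marker while src is at or below TCPS_TIME_WAIT would fall out of the first condition and still print `<BAD STATE LEVELS>`. If the kernel only ever stores the proxy markers on the src side that is fine, but nothing here says so; a one-line comment before the chain, `/* NOTE: synproxy progress is only recorded in src->state; dst->state is not checked here -- confirm against pf.c */`, makes the assumption explicit. The first branch also relies on PF_TCPS_PROXY_SRC/PF_TCPS_PROXY_DST being numerically above TCPS_TIME_WAIT, otherwise the earlier `<= TCPS_TIME_WAIT` test would index tcpstates[] with them; that ordering is not visible on this page. Dropping the braces around the multi-line `printf(" %s:%s\n", ...)` body is legal but fragile to later edits; keeping `{ }` there costs nothing. print_state continues past the end of this hunk.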
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index af95a4bdcf3..96cb1e496e5 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.156 2003/05/14 23:51:29 frantzen Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.157 2003/05/16 17:15:17 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -692,6 +692,8 @@ print_rule(struct pf_rule *r, int verbose)
printf("keep state ");
else if (r->keep_state == PF_STATE_MODULATE)
printf("modulate state ");
+ else if (r->keep_state == PF_STATE_SYNPROXY)
+ printf("synproxy state ");
opts = 0;
if (r->max_states)
opts = 1;