authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-01-31 19:09:13 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-01-31 19:09:13 +0000
commitbaf0b60d59eb2d2f920035eb3680a2d3edad0ab4 (patch)
tree175d74be9934818d820805b816fdd7dfd97e4a34 /sys/net
parent272ee5bd7fcefa25e5d50092ac72b540596d3c1f (diff)
Send a RST when an invalid packet matches a TCP state during the
handshake. Solves the issues with the "ACK+1000000 cookie scheme", which depends on RFC 763 (p39, Reset Generation, 2. non-synchronized state, "reset is sent"). ok henning@, camield@ and (I guess ;) frantzen@
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pf.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index e3f881170eb..bb7c571a8bc 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.311 2003/01/25 22:48:45 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.312 2003/01/31 19:09:12 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3061,7 +3061,15 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
/* Fall through to PASS packet */
} else {
- if (pf_status.debug >= PF_DEBUG_MISC) {
+ if ((*state)->dst.state == TCPS_SYN_SENT &&
+ (*state)->src.state == TCPS_SYN_SENT) {
+ /* Send RST for state mismatches during handshake */
+ pf_send_reset(off, th, pd, pd->af, 0,
+ (*state)->rule.ptr);
+ src->seqlo = 0;
+ src->seqhi = 1;
+ src->max_win = 1;
+ } else if (pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: BAD state: ");
pf_print_state(*state);
pf_print_flags(th->th_flags);