| field | value | date |
|---|---|---|
| author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2001-08-21 01:54:18 +0000 |
| committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2001-08-21 01:54:18 +0000 |
| commit | 96e304e16630db19ba3eda61564cb88f58f4ce8b (patch) | |
| tree | 93e41b171dd4b7f29a9c4b7b9bb6779fabd79f72 /sys | |
| parent | 36bd657f7b93126d6170e288c895e7b1ef18c7ec (diff) | |
Pass closing TCP connections through looser state machine (handle Solaris'
stupid spurious ACK|FINs after a close)
Diffstat (limited to 'sys')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | sys/net/pf.c | 31 |

1 file changed, 20 insertions, 11 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 1f46ade3c78..db23a73af83 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.133 2001/08/19 20:25:22 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.134 2001/08/21 01:54:17 frantzen Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier 
@@ -2577,24 +2577,33 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp, /* Fall through to PASS packet */ - } else if (dst->state < TCPS_SYN_SENT && + } else if ((dst->state < TCPS_SYN_SENT || + dst->state >= TCPS_FIN_WAIT_2 || + src->state >= TCPS_FIN_WAIT_2) && SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) && /* Within a window forward of the originating packet */ SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) { /* Within a window backward of the originating packet */ /* - * This is the check for stupid stacks that shotgun SYNs before - * their peer replies. It also handles the case when PF - * catches an already established stream (the firewall - * rebooted, the state table was flushed, routes changed...) + * This currently handles three situations: + * 1) Stupid stacks will shotgun SYNs before their peer + * replies. + * 2) When PF catches an already established stream (the + * firewall rebooted, the state table was flushed, routes + * changed...) + * 3) Packets get funky immediately after the connection + * closes (this should catch Solaris spurious ACK|FINs + * that web servers like to spew after a close) * * This must be a little more careful than the above code - * since packet floods will also be caught by the stupid stack - * check. We won't update the ttl here to mitigate the - * damage of a packet flood -- the ttl will be updated when - * the peer ACKs (then we'll just assume the connection is - * valid) + * since packet floods will also be caught here. We don't + * update the TTL here to mitigate the damage of a packet + * flood and so the same code can handle awkward establishment + * and a loosened connection close. + * In the establishment case, a correct peer response will + * validate the connection, go through the normal state code + * and keep updating the state TTL. */ (*state)->packets++; |
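Review bot: in the loosened branch the only bounds applied are on the segment's sequence range (`SEQ_GEQ(src->seqhi + MAXACKWINDOW, end)` and `SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)`); nothing in this condition constrains the segment's ACK number, so once either endpoint is at `TCPS_FIN_WAIT_2` or later, any segment whose sequence range lies within a MAXACKWINDOW of the tracked numbers is counted and passed ("Fall through to PASS packet" just above), whereas before this change that path was only reachable with `dst->state < TCPS_SYN_SENT`. Not updating the state TTL limits how long a flood keeps the entry alive, but not what gets through it, so consider also bounding the ACK number against the peer's tracked sequence numbers in this branch, or restricting the post-close cases (2 and 3 in the new comment) to segments carrying ACK or FIN, which is all the Solaris case described in the commit message needs. Minor: the two `>= TCPS_FIN_WAIT_2` tests rely on the numeric ordering of the TCPS_* constants; one comment line saying which states they actually cover would save the next reader a trip to tcp_fsm.h.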