authorMike Frantzen <frantzen@cvs.openbsd.org>2001-08-21 01:54:18 +0000
committerMike Frantzen <frantzen@cvs.openbsd.org>2001-08-21 01:54:18 +0000
commit96e304e16630db19ba3eda61564cb88f58f4ce8b (patch)
tree93e41b171dd4b7f29a9c4b7b9bb6779fabd79f72 /sys
parent36bd657f7b93126d6170e288c895e7b1ef18c7ec (diff)
Pass closing TCP connections through looser state machine (handle Solaris'
stupid spurious ACK|FINs after a close)
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c31
1 files changed, 20 insertions, 11 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 1f46ade3c78..db23a73af83 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.133 2001/08/19 20:25:22 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.134 2001/08/21 01:54:17 frantzen Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2577,24 +2577,33 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
/* Fall through to PASS packet */
- } else if (dst->state < TCPS_SYN_SENT &&
+ } else if ((dst->state < TCPS_SYN_SENT ||
+ dst->state >= TCPS_FIN_WAIT_2 ||
+ src->state >= TCPS_FIN_WAIT_2) &&
SEQ_GEQ(src->seqhi + MAXACKWINDOW, end) &&
/* Within a window forward of the originating packet */
SEQ_GEQ(seq, src->seqlo - MAXACKWINDOW)) {
/* Within a window backward of the originating packet */
/*
- * This is the check for stupid stacks that shotgun SYNs before
- * their peer replies. It also handles the case when PF
- * catches an already established stream (the firewall
- * rebooted, the state table was flushed, routes changed...)
+ * This currently handles three situations:
+ * 1) Stupid stacks will shotgun SYNs before their peer
+ * replies.
+ * 2) When PF catches an already established stream (the
+ * firewall rebooted, the state table was flushed, routes
+ * changed...)
+ * 3) Packets get funky immediately after the connection
+ * closes (this should catch Solaris spurious ACK|FINs
+ * that web servers like to spew after a close)
*
* This must be a little more careful than the above code
- * since packet floods will also be caught by the stupid stack
- * check. We won't update the ttl here to mitigate the
- * damage of a packet flood -- the ttl will be updated when
- * the peer ACKs (then we'll just assume the connection is
- * valid)
+ * since packet floods will also be caught here. We don't
+ * update the TTL here to mitigate the damage of a packet
+ * flood and so the same code can handle awkward establishment
+ * and a loosened connection close.
+ * In the establishment case, a correct peer response will
+ * validate the connection, go through the normal state code
+ * and keep updating the state TTL.
*/
(*state)->packets++;