authorJoel Knight <joel@cvs.openbsd.org>2005-04-15 12:59:41 +0000
committerJoel Knight <joel@cvs.openbsd.org>2005-04-15 12:59:41 +0000
commitbee6b17d20ce07473a4628b85fef532562745a0d (patch)
tree35d55d697dfdab53bb5b1e5a8ffc658d2546546c /sys
parent7cdd4757b30cb2021c016a9ed948d05600a41818 (diff)
Try this again.
When synproxy sends packets to the destination host, make sure to copy the 'tag' from the original state entry into the outgoing mbuf. ok dhartmei@ deraadt@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c27
1 files changed, 16 insertions, 11 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 2f18f1152b6..a5f9434551f 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.485 2005/04/14 08:21:01 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.486 2005/04/15 12:59:40 joel Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -139,7 +139,7 @@ void pf_send_tcp(const struct pf_rule *, sa_family_t,
const struct pf_addr *, const struct pf_addr *,
u_int16_t, u_int16_t, u_int32_t, u_int32_t,
u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
- struct ether_header *, struct ifnet *);
+ u_int16_t, struct ether_header *, struct ifnet *);
void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t,
sa_family_t, struct pf_rule *);
struct pf_rule *pf_match_translation(struct pf_pdesc *, struct mbuf *,
@@ -969,7 +969,7 @@ pf_purge_expired_state(struct pf_state *cur)
&cur->ext.addr, &cur->lan.addr,
cur->ext.port, cur->lan.port,
cur->src.seqhi, cur->src.seqlo + 1,
- TH_RST|TH_ACK, 0, 0, 0, 1, NULL, NULL);
+ TH_RST|TH_ACK, 0, 0, 0, 1, cur->tag, NULL, NULL);
RB_REMOVE(pf_state_tree_ext_gwy,
&cur->u.s.kif->pfik_ext_gwy, cur);
RB_REMOVE(pf_state_tree_lan_ext,
@@ -1429,7 +1429,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
const struct pf_addr *saddr, const struct pf_addr *daddr,
u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack,
u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag,
- struct ether_header *eh, struct ifnet *ifp)
+ u_int16_t rtag, struct ether_header *eh, struct ifnet *ifp)
{
struct mbuf *m;
int len, tlen;
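Review bot: The new `rtag` parameter on the rewritten signature line is undocumented, and sitting right after the existing `int tag` nothing at the definition tells a reader which is which. From the call sites in this commit, `tag` is passed as a 0/1 value while `rtag` carries the pf tag copied from a state (`cur->tag`, `(*state)->tag`) or 0 when there is none, so a one-line comment above the definition would pin that down, e.g. `/* tag: 0/1 marker for the generated packet; rtag: pf tag id (0 = none) to attach via pf_tag_packet() */`. The body of pf_send_tcp runs past the end of this hunk.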
@@ -1474,6 +1474,11 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
}
m_tag_prepend(m, mtag);
}
+ if (rtag)
+ if (pf_tag_packet(m, NULL, rtag)) {
+ m_freem(m);
+ return;
+ }
#ifdef ALTQ
if (r != NULL && r->qid) {
struct m_tag *mtag;
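Review bot: The added check at the top of the hunk nests two brace-less `if` statements, so an `else` or extra statement added later at either level silently binds to the wrong condition; fold them into a single guard, `if (rtag && pf_tag_packet(m, NULL, rtag)) {`, keeping the same `m_freem(m); return;` body. Treating a non-zero return from pf_tag_packet() as "drop the packet" presumably mirrors the allocation-failure path of the mtag block that closes just above it, so a short comment such as `/* attach the originating state's pf tag so outbound rules can match it; drop on failure */` would make that intent explicit. pf_send_tcp continues beyond both ends of this hunk.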
@@ -2832,7 +2837,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
pf_send_tcp(r, af, pd->dst,
pd->src, th->th_dport, th->th_sport,
ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0,
- r->return_ttl, 1, pd->eh, kif->pfik_ifp);
+ r->return_ttl, 1, 0, pd->eh, kif->pfik_ifp);
} else if ((af == AF_INET) && r->return_icmp)
pf_send_icmp(m, r->return_icmp >> 8,
r->return_icmp & 255, af, r);
@@ -3032,7 +3037,7 @@ cleanup:
s->src.mss = mss;
pf_send_tcp(r, af, daddr, saddr, th->th_dport,
th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1,
- TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, NULL, NULL);
+ TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, 0, NULL, NULL);
REASON_SET(&reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
}
@@ -4008,7 +4013,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
pd->src, th->th_dport, th->th_sport,
(*state)->src.seqhi, ntohl(th->th_seq) + 1,
TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1,
- NULL, NULL);
+ 0, NULL, NULL);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
} else if (!(th->th_flags & TH_ACK) ||
@@ -4046,7 +4051,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
&dst->addr, src->port, dst->port,
(*state)->dst.seqhi, 0, TH_SYN, 0,
- (*state)->src.mss, 0, 0, NULL, NULL);
+ (*state)->src.mss, 0, 0, (*state)->tag, NULL, NULL);
REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP);
} else if (((th->th_flags & (TH_SYN|TH_ACK)) !=
@@ -4061,12 +4066,12 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
pd->src, th->th_dport, th->th_sport,
ntohl(th->th_ack), ntohl(th->th_seq) + 1,
TH_ACK, (*state)->src.max_win, 0, 0, 0,
- NULL, NULL);
+ (*state)->tag, NULL, NULL);
pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr,
&dst->addr, src->port, dst->port,
(*state)->src.seqhi + 1, (*state)->src.seqlo + 1,
TH_ACK, (*state)->dst.max_win, 0, 0, 1,
- NULL, NULL);
+ 0, NULL, NULL);
(*state)->src.seqdiff = (*state)->dst.seqhi -
(*state)->src.seqlo;
(*state)->dst.seqdiff = (*state)->src.seqhi -
@@ -4345,7 +4350,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
pd->dst, pd->src, th->th_dport,
th->th_sport, ntohl(th->th_ack), 0,
TH_RST, 0, 0,
- (*state)->rule.ptr->return_ttl, 1,
+ (*state)->rule.ptr->return_ttl, 1, 0,
pd->eh, kif->pfik_ifp);
src->seqlo = 0;
src->seqhi = 1;