summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sbin/pfctl/pf_print_state.c8
-rw-r--r--sys/net/pf.c65
-rw-r--r--sys/net/pfvar.h6
3 files changed, 70 insertions, 9 deletions
diff --git a/sbin/pfctl/pf_print_state.c b/sbin/pfctl/pf_print_state.c
index fd7dc9d0555..53c197ab676 100644
--- a/sbin/pfctl/pf_print_state.c
+++ b/sbin/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.20 2003/01/20 18:37:52 camield Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.21 2003/01/21 22:23:49 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -199,8 +199,14 @@ print_state(struct pf_state *s, int opts)
if (opts & PF_OPT_VERBOSE) {
printf(" ");
print_seq(src);
+ if (src->wscale && dst->wscale)
+ printf(" wscale %u",
+ src->wscale & PF_WSCALE_MASK);
printf(" ");
print_seq(dst);
+ if (src->wscale && dst->wscale)
+ printf(" wscale %u",
+ dst->wscale & PF_WSCALE_MASK);
printf("\n");
}
} else if (s->proto == IPPROTO_UDP && src->state < PFUDPS_NSTATES &&
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 7a2c88f0e27..7643f9c1872 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.305 2003/01/19 13:52:18 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.306 2003/01/21 22:23:49 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -232,6 +232,8 @@ void pf_route6(struct mbuf **, struct pf_rule *, int,
struct ifnet *, struct pf_state *);
int pf_socket_lookup(uid_t *, gid_t *, int, sa_family_t,
int, struct pf_pdesc *);
+u_int8_t pf_get_wscale(struct mbuf *, int, struct tcphdr *,
+ sa_family_t);
struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] =
{ { &pf_state_pl, PFSTATE_HIWAT }, { &pf_frent_pl, PFFRAG_FRENT_HIWAT } };
@@ -720,10 +722,16 @@ pf_print_state(struct pf_state *s)
pf_print_host(&s->gwy.addr, s->gwy.port, s->af);
printf(" ");
pf_print_host(&s->ext.addr, s->ext.port, s->af);
- printf(" [lo=%u high=%u win=%u modulator=%u]", s->src.seqlo,
+ printf(" [lo=%u high=%u win=%u modulator=%u", s->src.seqlo,
s->src.seqhi, s->src.max_win, s->src.seqdiff);
- printf(" [lo=%u high=%u win=%u modulator=%u]", s->dst.seqlo,
+ if (s->src.wscale && s->dst.wscale)
+ printf(" wscale=%u", s->src.wscale & PF_WSCALE_MASK);
+ printf("]");
+ printf(" [lo=%u high=%u win=%u modulator=%u", s->dst.seqlo,
s->dst.seqhi, s->dst.max_win, s->dst.seqdiff);
+ if (s->src.wscale && s->dst.wscale)
+ printf(" wscale=%u", s->dst.wscale & PF_WSCALE_MASK);
+ printf("]");
printf(" %u:%u", s->src.state, s->dst.state);
}
@@ -1811,6 +1819,44 @@ pf_socket_lookup(uid_t *uid, gid_t *gid, int direction, sa_family_t af,
return (1);
}
+u_int8_t
+pf_get_wscale(struct mbuf *m, int off, struct tcphdr *th, sa_family_t af)
+{
+ int hlen;
+ u_int8_t *opt, optlen;
+ u_int8_t wscale = 0;
+
+ hlen = th->th_off * 4;
+ if (hlen <= sizeof(*th))
+ return (0);
+ if (!pf_pull_hdr(m, off, th, hlen, NULL, NULL, af))
+ return (0);
+ opt = (u_int8_t *)(th + 1);
+ hlen -= sizeof(*th);
+ while (hlen >= 3) {
+ switch (*opt) {
+ case TCPOPT_EOL:
+ case TCPOPT_NOP:
+ ++opt;
+ --hlen;
+ break;
+ case TCPOPT_WINDOW:
+ wscale = opt[2];
+ if (wscale > TCP_MAX_WINSHIFT)
+ wscale = TCP_MAX_WINSHIFT;
+ wscale |= PF_WSCALE_FLAG;
+ /* fallthrough */
+ default:
+ optlen = opt[1];
+ if (optlen < 2)
+ optlen = 2;
+ hlen -= optlen;
+ opt += optlen;
+ }
+ }
+ return (wscale);
+}
+
int
pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
struct mbuf *m, int ipoff, int off, void *h, struct pf_pdesc *pd)
@@ -2027,8 +2073,10 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
rewrite = 1;
} else
s->src.seqdiff = 0;
- if (th->th_flags & TH_SYN)
+ if (th->th_flags & TH_SYN) {
s->src.seqhi++;
+ s->src.wscale = pf_get_wscale(m, off, th, af);
+ }
if (th->th_flags & TH_FIN)
s->src.seqhi++;
s->src.max_win = MAX(ntohs(th->th_win), 1);
@@ -2766,7 +2814,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
{
struct pf_tree_node key;
struct tcphdr *th = pd->hdr.tcp;
- u_int16_t win = ntohs(th->th_win);
+ u_int32_t win = ntohs(th->th_win);
u_int32_t ack, end, seq;
int ackskew;
struct pf_state_peer *src, *dst;
@@ -2811,8 +2859,10 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
}
end = seq + pd->p_len;
- if (th->th_flags & TH_SYN)
+ if (th->th_flags & TH_SYN) {
end++;
+ src->wscale = pf_get_wscale(m, off, th, pd->af);
+ }
if (th->th_flags & TH_FIN)
end++;
@@ -2846,6 +2896,9 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
end++;
}
+ if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN))
+ win <<= src->wscale & PF_WSCALE_MASK;
+
if ((th->th_flags & TH_ACK) == 0) {
/* Let it pass through the ack skew check */
ack = dst->seqlo;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 3c1b9fca777..6e6b9f94d52 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.133 2003/01/15 16:28:56 cedric Exp $ */
+/* $OpenBSD: pfvar.h,v 1.134 2003/01/21 22:23:49 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -66,6 +66,8 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
PF_ADDR_TABLE };
#define PF_POOL_TYPEMASK 0x0f
#define PF_POOL_STATICPORT 0x10
+#define PF_WSCALE_FLAG 0x80
+#define PF_WSCALE_MASK 0x0f
struct pf_addr {
union {
@@ -406,7 +408,7 @@ struct pf_state_peer {
u_int32_t seqdiff; /* Sequence number modulator */
u_int16_t max_win;
u_int8_t state;
- u_int8_t pad;
+ u_int8_t wscale;
};
struct pf_state {