From 8fb86335b77ede8336a79244cc80f4c72eaa8912 Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Thu, 12 Jun 2008 18:41:42 +0000
Subject: fix synproxy. the factored out pf_create_state() could return PF_PASS, _DROP, and _SYNPROXY_DROP. We were treating the latter the same as _PASS and thus passing the original SYN which we of course don't want in the synproxy case. breakage reported by sakurai-san, headscratching with and ok ryan

---
 sys/net/pf.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'sys/net')

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 6a1426a7b7f..a0dfe19c913 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.596 2008/06/11 17:52:37 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.597 2008/06/12 18:41:41 henning Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -3366,11 +3366,16 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 }
 
 if (!state_icmp && (r->keep_state || nr != NULL ||
- (pd->flags & PFDESC_TCP_NORM)))
- if (pf_create_state(r, nr, a, pd, nsn, skw, sks, nk, sk, m,
+ (pd->flags & PFDESC_TCP_NORM))) {
+ int action;
+ action = pf_create_state(r, nr, a, pd, nsn, skw, sks, nk, sk, m,
 off, sport, dport, &rewrite, kif, sm, tag, bproto_sum,
- bip_sum, hdrlen) == PF_DROP)
+ bip_sum, hdrlen);
+ if (action == PF_DROP)
 goto cleanup;
+ if (action != PF_PASS) return (action);
+ }
 
 /* copy back packet headers if we performed NAT operations */
 if (rewrite)
-- 
cgit v1.2.3
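Review bot: The new `if (action != PF_PASS) return (action);` propagates every value other than PF_PASS and PF_DROP out of pf_test_rule, not only the PF_SYNPROXY_DROP the commit message names, and it leaves the function without going through the `cleanup` label that the PF_DROP branch uses; whether pf_create_state has already taken ownership of the state keys on the synproxy path, so that nothing is leaked by this early return, cannot be confirmed from the hunk and is worth a comment. A short note above the return would make the contract explicit for the next reader, e.g. `/* PF_SYNPROXY_DROP: pf_create_state installed the state and answered the SYN itself; the original SYN must not be passed on, and there is nothing left to clean up. */`, adjusted to whatever pf_create_state actually guarantees. If the file's style permits an initializer in a block-scope declaration, `int action = pf_create_state(...)` would also remove the separate uninitialized `int action;`. pf_test_rule begins and ends outside the hunk, as does the `cleanup` label.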