From b64056064b992dad8c0d054a05655773e1b73da3 Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Mon, 3 Jun 2013 16:57:07 +0000
Subject: Link pf states and socket inpcbs together more tightly. The linking was only done when a packet traveled up the stack from pf to tcp_input(). Now also link the state and inpcb when the packet is going down from tcp_output() to pf. As a consequence, divert-reply states where the initial SYN does not get an answer, can be handled more correctly. This change is part of a larger diff that has been backed out in 2011. Bring the feature back in small steps to see when bad things start to happen. OK henning deraadt
---
sys/netinet/tcp_input.c | 19 ++++++++++++++++---
sys/netinet/tcp_output.c | 8 +++++++-
2 files changed, 23 insertions(+), 4 deletions(-) (limited to 'sys/netinet')
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 67d980bf29d..bd15f9971a4 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.261 2013/06/03 13:19:08 bluhm Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.262 2013/06/03 16:57:05 bluhm Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /*
@@ -68,6 +68,8 @@ * Research Laboratory (NRL). */ +#include "pf.h" + #include #include #include
@@ -96,7 +98,6 @@ #include #include -#include "pf.h" #if NPF > 0 #include #endif
@@ -873,7 +874,8 @@ findpcb: #endif #if NPF > 0 - if (m->m_pkthdr.pf.statekey) { + if (m->m_pkthdr.pf.statekey && !m->m_pkthdr.pf.statekey->inp && + !inp->inp_pf_sk) { m->m_pkthdr.pf.statekey->inp = inp; inp->inp_pf_sk = m->m_pkthdr.pf.statekey; }
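Review bot: In the `findpcb:` hunk of tcp_input.c the new guard skips the link whenever either side is already set, including the case where `m->m_pkthdr.pf.statekey->inp` or `inp->inp_pf_sk` points at a different object, and that mismatch passes silently. Both fields are raw back-pointers with no reference count visible in the hunk, so the code relies on a 1:1 pairing that is not written down here; I would add a comment above the condition such as `/* state key and inpcb are linked 1:1; an existing link is never overwritten, whoever tears one side down must clear the other */`. It is worth confirming that the inpcb and state-key teardown paths, which are outside this diff, clear both pointers. The enclosing function starts and ends outside the hunk.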
@@ -1318,6 +1320,17 @@ trimthenstep6: ((opti.ts_present && TSTMP_LT(tp->ts_recent, opti.ts_val)) || SEQ_GT(th->th_seq, tp->rcv_nxt))) { +#if NPF > 0 + /* + * The socket will be recreated but the new state + * has already been linked to the socket. Remove the + * link between old socket and new state. + */ + if (inp->inp_pf_sk) { + inp->inp_pf_sk->inp = NULL; + inp->inp_pf_sk = NULL; + } +#endif /* * Advance the iss by at least 32768, but * clear the msb in order to make sure
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index baf3b90c79c..c5cd8a8eaec 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_output.c,v 1.97 2012/09/20 10:25:03 blambert Exp $ */ +/* $OpenBSD: tcp_output.c,v 1.98 2013/06/03 16:57:06 bluhm Exp $ */ /* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */ /*
@@ -68,6 +68,8 @@ * Research Laboratory (NRL). */ +#include "pf.h" + #include #include #include
@@ -1075,6 +1077,10 @@ send: /* force routing domain */ m->m_pkthdr.rdomain = tp->t_inpcb->inp_rtableid; +#if NPF > 0 + m->m_pkthdr.pf.inp = tp->t_inpcb; +#endif + switch (tp->pf) { case 0: /*default to PF_INET*/ #ifdef INET
-- cgit v1.2.3
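Review bot: The unlink added under `trimthenstep6:` writes `inp->inp_pf_sk->inp = NULL` without checking that the state key's back-pointer actually refers to this `inp`. If the pairing is meant to be strictly 1:1, a `KASSERT(inp->inp_pf_sk->inp == inp);` as the first statement inside the `if` would catch a cross-linked pair in DIAGNOSTIC kernels instead of silently severing another socket's link. The comment also speaks only of the new state, while the code clears whatever key is attached; given the guard added at `findpcb:`, that key may presumably be the old connection's state, and the comment should say so if that is intended. The surrounding condition and function continue outside the hunk.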
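Review bot: `m->m_pkthdr.pf.inp = tp->t_inpcb;` in the `send:` hunk of tcp_output.c stores a raw inpcb pointer in the mbuf header with no comment on how long it may be used. Nothing visible here takes a reference or clears the field, so its validity presumably depends on pf consuming it before the mbuf is queued or copied, or outlives the socket. That should be stated next to the assignment, e.g. `/* valid only until pf has processed the packet; must not survive queueing of the mbuf */`. Please confirm where the field is reset, since that code is outside this diff; the function body also continues outside the hunk.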