The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b09707abf932d3fea37aa7ef8bab0e9631fb7529

commit b09707abf932d3fea37aa7ef8bab0e9631fb7529
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-07-07 14:47:42 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-15 07:55:28 +0000

    pf: synproxy should be processing incoming SYN packets only.
    
    issue noticed by sthen@. fix discussed with bluhm@ and procter@
    
    OK bluhm@, kn@, procter@
    
    Obtained from:  OpenBSD, sashan <sas...@openbsd.org>, 4e62cf09d9
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y       | 4 ++++
 share/man/man5/pf.conf.5 | 1 +
 sys/netpfil/pf/pf.c      | 2 +-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 9a917d1d8464..4286b6149ac6 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -5324,6 +5324,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
                    "synproxy state or modulate state");
                problems++;
        }
+       if ((r->keep_state == PF_STATE_SYNPROXY) && (r->direction != PF_IN))
+               fprintf(stderr, "%s:%d: warning: "
+                   "synproxy used for inbound rules only, "
+                   "ignored for outbound\n", file->name, yylval.lineno);
        if (r->rule_flag & PFRULE_AFTO && r->rt) {
                if (r->rt != PF_ROUTETO && r->rt != PF_REPLYTO) {
                        yyerror("dup-to "
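Review bot: The new warning is the only place a user learns that an outbound `synproxy state` rule silently degrades to an ordinary state, yet the condition carries no comment tying it to the kernel behaviour it mirrors; suggest adding above it `/* pf_create_state() only arms synproxy for PF_IN packets; other directions just keep state. */`. Note that `r->direction != PF_IN` also fires for rules written without a direction keyword, where the inbound half is still proxied — "ignored for outbound" is accurate there, but a reader may take it as "ignored entirely", so `"synproxy applies to the inbound direction only, ignored for outbound packets\n"` would be less ambiguous. Unlike the neighbouring checks this path does not increment `problems`, which looks intentional since the rule still loads and works as plain keep state; a short remark to that effect would stop someone "fixing" it later. filter_consistent() begins and ends outside this hunk.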
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index b5843d67e106..a51fde500367 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -2574,6 +2574,7 @@ will not work if
 .Xr pf 4
 operates on a
 .Xr bridge 4 .
+Also they act on incoming SYN packets only.
 .Pp
 Example:
 .Bd -literal -offset indent
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index a410fe570c39..ac05cad7d4c8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6219,7 +6219,7 @@ pf_create_state(struct pf_krule *r, struct pf_test_ctx 
*ctx,
        if (ctx->tag > 0)
                s->tag = ctx->tag;
        if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) ==
-           TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
+           TH_SYN && r->keep_state == PF_STATE_SYNPROXY && pd->dir == PF_IN) {
                pf_set_protostate(s, PF_PEER_SRC, PF_TCPS_PROXY_SRC);
                pf_undo_nat(ctx->nr, pd, bip_sum);
                s->src.seqhi = arc4random();
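Review bot: The added `pd->dir == PF_IN` term is the entire behavioural change, but nothing at the site records why synproxy is now confined to inbound packets, so a reader who later sees a `synproxy state` rule create an ordinary state for an outbound SYN will take it for a bug. Suggest a comment before the `if`, e.g. `/* Synproxy only handles SYNs arriving on an interface; for PF_OUT the rule falls through to plain keep state (pfctl warns about this). */`. The check keys on the packet direction `pd->dir` rather than the rule's direction, so a direction-less rule still proxies its inbound SYNs and passes outbound ones unproxied — consistent with the pfctl warning in this commit, but worth stating next to the code. pf_create_state() starts and ends outside this hunk.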
