On Mon, Jun 20, 2011 at 02:09:39AM +0200, Alexander Bluhm wrote: > Hi, > > We accept more TCP reset packets in pf, if fragment reassembly is > turned off. That does not make sense to me. It came into the tree > here: > > revision 1.443 > date: 2004/04/27 18:28:07; author: frantzen; state: Exp; lines: +9 -6 > validate the sequence numbers on TCP resets are an exact match. check is only > enabled when we're doing full frag reassembly and thus have full seq info > ok markus@ > > Nowadays we have full fragment reassembly on by default, the fragment > cache has gone. When the user turns it off, he has to cope with > the consequences. Fragmented TCP reset packets too short for the > sequence number are likely to be evil. > > ok to remove PFDESC_IP_REAS? >
Yes please. OK claudio@ and sorry for the conflict. The codepath with this check is only entered with either not fragmented packets or with packets that are reassembled. So there is no way you could end up there with a fragment. Plus it removes the pd from pf_normalize_ip() which is something I planned to do soon. > > Index: net/pf.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v > retrieving revision 1.747 > diff -u -p -r1.747 pf.c > --- net/pf.c 2 Jun 2011 22:08:40 -0000 1.747 > +++ net/pf.c 17 Jun 2011 23:59:35 -0000 > @@ -3617,8 +3617,7 @@ pf_tcp_track_full(struct pf_state_peer * > (ackskew <= (MAXACKWINDOW << sws)) && > /* Acking not more than one window forward */ > ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo || > - (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) || > - (pd->flags & PFDESC_IP_REAS) == 0)) { > + (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) { > /* Require an exact/+1 sequence match on resets when possible */ > > if (dst->scrub || src->scrub) { > @@ -5810,7 +5809,7 @@ pf_test(int dir, struct ifnet *ifp, stru > h = mtod(m, struct ip *); > if (pf_status.reass && > (h->ip_off & htons(IP_MF | IP_OFFMASK)) && > - pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) { > + pf_normalize_ip(m0, dir, kif, &reason) != PF_PASS) { > action = PF_DROP; > goto done; > } > @@ -6090,7 +6089,7 @@ pf_test6(int fwdir, struct ifnet *ifp, s > > /* packet reassembly */ > if (pf_status.reass && > - pf_normalize_ip6(m0, fwdir, kif, &reason, &pd) != PF_PASS) { > + pf_normalize_ip6(m0, fwdir, kif, &reason) != PF_PASS) { > action = PF_DROP; > goto done; > } > Index: net/pf_norm.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf_norm.c,v > retrieving revision 1.133 > diff -u -p -r1.133 pf_norm.c > --- net/pf_norm.c 24 May 2011 14:01:52 -0000 1.133 > +++ net/pf_norm.c 17 Jun 2011 23:58:35 -0000 > @@ -740,7 +740,7 @@ pf_refragment6(struct mbuf **m0, struct > > int > pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, > - u_short *reason, struct pf_pdesc *pd) > + u_short *reason) > { > struct mbuf *m = *m0; > struct ip *h = mtod(m, struct ip *); > @@ -787,7 +787,6 @@ pf_normalize_ip(struct mbuf **m0, int di > if (h->ip_off & ~htons(IP_DF)) > h->ip_off &= htons(IP_DF); > > - pd->flags |= PFDESC_IP_REAS; > return (PF_PASS); > > drop: > @@ -798,7 +797,7 @@ pf_normalize_ip(struct mbuf **m0, int di > #ifdef INET6 > int > pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kif *kif, > - u_short *reason, struct pf_pdesc *pd) > + u_short *reason) > { > struct mbuf *m = *m0; > struct ip6_hdr *h = mtod(m, struct ip6_hdr *); > @@ -924,7 +923,6 @@ pf_normalize_ip6(struct mbuf **m0, int d > if (m == NULL) > return (PF_PASS); > > - pd->flags |= PFDESC_IP_REAS; > return (PF_PASS); > > shortpkt: > Index: net/pfvar.h > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/pfvar.h,v > retrieving revision 1.332 > diff -u -p -r1.332 pfvar.h > --- net/pfvar.h 24 May 2011 14:01:52 -0000 1.332 > +++ net/pfvar.h 17 Jun 2011 23:58:57 -0000 > @@ -1221,8 +1221,6 @@ struct pf_pdesc { > u_int16_t *proto_sum; > > u_int16_t rdomain; /* original routing domain */ > - u_int16_t flags; > -#define PFDESC_IP_REAS 0x0002 /* IP frags would've been > reassembled */ > sa_family_t af; > u_int8_t proto; > u_int8_t tos; > @@ -1777,10 +1775,8 @@ int pf_match_gid(u_int8_t, gid_t, gid_t, > > int pf_refragment6(struct mbuf **, struct m_tag *mtag, int); > void pf_normalize_init(void); > -int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *, > - struct pf_pdesc *); > -int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *, > - struct pf_pdesc *); > +int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *); > +int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *); > int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *, > struct pf_pdesc *); > void pf_normalize_tcp_cleanup(struct pf_state *); > -- :wq Claudio