On Fri, Sep 30, 2016 at 11:55:48PM +0200, Alexandr Nedvedicky wrote:
> The patch makes PF send a 'challenge ACK' for a SYN packet which matches
> a session in established state.

regress/sys/net/pf_forward has found a bug in your code. Looks like
the route-to feature was affected. By splitting the if expression
and keeping the return (PF_DROP) in the outer block, many more packets
than before were dropped.

> -	if (((pd->hdr.tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
> -	    dst->state >= TCPS_FIN_WAIT_2 &&
> -	    src->state >= TCPS_FIN_WAIT_2) {
> +	if ((pd->hdr.tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) {
> +
> +		if (dst->state >= TCPS_FIN_WAIT_2 &&
> +		    src->state >= TCPS_FIN_WAIT_2) {
...
> +		} else if (dst->state >= TCPS_ESTABLISHED &&
> +		    src->state >= TCPS_ESTABLISHED) {
...
> 		}
...
> 		return (PF_DROP);
> 	}

With this follow-up fix it passes and is OK bluhm@.

diff --git a/net/pf.c b/net/pf.c
index f65bc4e..1a862df 100644
--- a/net/pf.c
+++ b/net/pf.c
@@ -4682,6 +4682,7 @@ pf_test_state(struct pf_pdesc *pd, struct pf_state **state, u_short *reason)
 			pf_remove_state(*state);
 			*state = NULL;
 			pd->m->m_pkthdr.pf.inp = inp;
+			return (PF_DROP);
 		} else if (dst->state >= TCPS_ESTABLISHED &&
 		    src->state >= TCPS_ESTABLISHED) {
 			/*
@@ -4693,8 +4694,8 @@ pf_test_state(struct pf_pdesc *pd, struct pf_state **state, u_short *reason)
 			 * to get in sync again.
 			 */
 			pf_send_challenge_ack(pd, *state, src, dst);
+			return (PF_DROP);
 		}
-		return (PF_DROP);
 	}
 
 	if ((*state)->state_flags & PFSTATE_SLOPPY) {
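Review bot: in the first hunk (@@ -4682), the `return (PF_DROP);` added directly after `pd->m->m_pkthdr.pf.inp = inp;` is reached with `*state` already set to NULL, so the caller must not touch `*state` on this PF_DROP path. That was equally true before the split, when the old outer `return (PF_DROP);` was reached with the same NULL, but the return is now tucked inside the branch and easier to overlook, so a one-line comment next to it stating that the state is gone would help the next reader. With this hunk a SYN matching a state where either side is still below TCPS_ESTABLISHED (for example a retransmitted SYN while the handshake is in TCPS_SYN_SENT) is no longer dropped by the outer block but falls through to the normal state checks, which is the pre-patch behaviour the route-to regress run depends on.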
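Review bot: in the second hunk (@@ -4693), moving `return (PF_DROP);` inside the else-if branch right after `pf_send_challenge_ack(pd, *state, src, dst);` and deleting the unconditional one after the closing brace is what repairs the regression: only the two branches that explicitly handle the SYN now drop, every other SYN continues. The comment block ending in `* to get in sync again.` explains why the challenge ACK is sent but not that the original SYN is then discarded; since both returns now live inside the branches, adding that sentence to the comment would document the drop decision at the point where it is made.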
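As an added example, not code from the thread or from pf.c: the control-flow bug bluhm describes is easy to see by modelling the SYN decision in pf_test_state() in its three forms (the original code, the first challenge-ACK patch with the outer return, and the follow-up fix) and counting, for a plain SYN, how many of the 11 x 11 src/dst state combinations are dropped. The TCPS_* values mirror the ordering in <netinet/tcp_fsm.h>; the `syn_action` names, the `version` enum and `count_dropped()` are assumptions of this model, not identifiers in pf.c.

```c
/*
 * Added example, not OpenBSD pf code: a stand-alone model of the SYN
 * handling in pf_test_state() as discussed in the thread.  The three
 * versions differ only in where return (PF_DROP) sits.
 */
#include <stdio.h>

#define TH_SYN	0x02
#define TH_ACK	0x10

/* TCP state numbers, same ordering as <netinet/tcp_fsm.h> */
#define TCPS_CLOSED		0
#define TCPS_LISTEN		1
#define TCPS_SYN_SENT		2
#define TCPS_SYN_RECEIVED	3
#define TCPS_ESTABLISHED	4
#define TCPS_CLOSE_WAIT		5
#define TCPS_FIN_WAIT_1		6
#define TCPS_CLOSING		7
#define TCPS_LAST_ACK		8
#define TCPS_FIN_WAIT_2		9
#define TCPS_TIME_WAIT		10
#define TCP_NSTATES		11

/* action names are assumptions of this model */
enum syn_action {
	SYN_CONTINUE,		/* fall through to normal state processing */
	SYN_DROP_REMOVE,	/* both sides >= FIN_WAIT_2: remove state, drop */
	SYN_DROP_CHALLENGE,	/* both sides >= ESTABLISHED: challenge ACK, drop */
	SYN_DROP_PLAIN		/* dropped only by the outer return (the bug) */
};

enum version { VER_ORIGINAL, VER_FIRST_PATCH, VER_FIXED };

enum syn_action
syn_decision(enum version v, int th_flags, int src_state, int dst_state)
{
	/* the same three conditions that appear in the quoted hunks */
	int syn_only = (th_flags & (TH_SYN|TH_ACK)) == TH_SYN;
	int both_fw2 = dst_state >= TCPS_FIN_WAIT_2 &&
	    src_state >= TCPS_FIN_WAIT_2;
	int both_est = dst_state >= TCPS_ESTABLISHED &&
	    src_state >= TCPS_ESTABLISHED;

	if (!syn_only)
		return SYN_CONTINUE;

	switch (v) {
	case VER_ORIGINAL:
		/* single if: only the FIN_WAIT_2 case dropped */
		return both_fw2 ? SYN_DROP_REMOVE : SYN_CONTINUE;
	case VER_FIRST_PATCH:
		/* split if, but return (PF_DROP) kept in the outer block */
		if (both_fw2)
			return SYN_DROP_REMOVE;
		if (both_est)
			return SYN_DROP_CHALLENGE;
		return SYN_DROP_PLAIN;	/* every other SYN dropped too */
	case VER_FIXED:
		/* follow-up fix: return moved into each branch */
		if (both_fw2)
			return SYN_DROP_REMOVE;
		if (both_est)
			return SYN_DROP_CHALLENGE;
		return SYN_CONTINUE;
	}
	return SYN_CONTINUE;
}

/* number of src/dst state pairs for which a plain SYN is dropped */
int
count_dropped(enum version v)
{
	int src, dst, n = 0;

	for (src = 0; src < TCP_NSTATES; src++)
		for (dst = 0; dst < TCP_NSTATES; dst++)
			if (syn_decision(v, TH_SYN, src, dst) != SYN_CONTINUE)
				n++;
	return n;
}

int
main(void)
{
	printf("original:    %3d/121 SYNs dropped\n",
	    count_dropped(VER_ORIGINAL));
	printf("first patch: %3d/121 SYNs dropped\n",
	    count_dropped(VER_FIRST_PATCH));
	printf("fixed:       %3d/121 SYNs dropped\n",
	    count_dropped(VER_FIXED));
	return 0;
}
```

The first patch drops all 121 combinations, including a SYN that matches a state still in TCPS_SYN_SENT, which is why a forwarded connection in the route-to regress test never completes; the fix brings the count back to the 49 combinations where both sides are at least ESTABLISHED, the only ones the challenge ACK is meant to cover.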