diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2018-10-20 18:37:21 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2018-10-20 18:37:21 +0000 |
| commit | 1563a27e1fde8615d1ef632bd23fc5bd2f38b628 (patch) | |
| tree | 6ca97464e726eef08d026d8a4af5cc34b8fbe93c /sys/netpfil/pf | |
| parent | 18227e20e4058509488c73b6ddd538c9502d37a7 (diff) | |
| download | src-1563a27e1fde8615d1ef632bd23fc5bd2f38b628.tar.gz src-1563a27e1fde8615d1ef632bd23fc5bd2f38b628.zip | |
pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.
PR: 197484
Obtained from: OpenBSD
MFC after: 2 weeks
Notes
Notes:
svn path=/head/; revision=339470
Diffstat (limited to 'sys/netpfil/pf')
| -rw-r--r-- | sys/netpfil/pf/pf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 13c3c6463c0c..1c8a9e28568e 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4401,7 +4401,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif, TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL); REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); - } else if (!(th->th_flags & TH_ACK) || + } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { REASON_SET(reason, PFRES_SYNPROXY); |