Page MenuHomeFreeBSD
Files F108537960

D37919.diff
No OneTemporary
Actions

D37919.diff
View Options

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -2263,6 +2263,7 @@
int pf_synflood_check(struct pf_pdesc *);
void pf_syncookie_send(struct mbuf *m, int off,
struct pf_pdesc *);
+bool pf_syncookie_check(struct pf_pdesc *);
u_int8_t pf_syncookie_validate(struct pf_pdesc *);
struct mbuf * pf_syncookie_recreate_syn(uint8_t, int,
struct pf_pdesc *);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5446,9 +5446,11 @@
if ((action = pf_synproxy(pd, state, reason)) != PF_PASS)
return (action);
- if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
- dst->state >= TCPS_FIN_WAIT_2 &&
- src->state >= TCPS_FIN_WAIT_2) {
+ if (dst->state >= TCPS_FIN_WAIT_2 &&
+ src->state >= TCPS_FIN_WAIT_2 &&
+ (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) ||
+ ((th->th_flags & (TH_SYN|TH_ACK|TH_RST)) == TH_ACK &&
+ pf_syncookie_check(pd) && pd->dir == PF_IN))) {
if (V_pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: state reuse ");
pf_print_state(*state);
diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c
--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@@ -301,8 +301,8 @@
1);
}
-uint8_t
-pf_syncookie_validate(struct pf_pdesc *pd)
+bool
+pf_syncookie_check(struct pf_pdesc *pd)
{
uint32_t hash, ack, seq;
union pf_syncookie cookie;
@@ -315,14 +315,29 @@
cookie.cookie = (ack & 0xff) ^ (ack >> 24);
/* we don't know oddeven before setting the cookie (union) */
- if (atomic_load_64(&V_pf_status.syncookies_inflight[cookie.flags.oddeven])
+ if (atomic_load_64(&V_pf_status.syncookies_inflight[cookie.flags.oddeven])
== 0)
- return (0);
+ return (0);
hash = pf_syncookie_mac(pd, cookie, seq);
if ((ack & ~0xff) != (hash & ~0xff))
+ return (false);
+
+ return (true);
+}
+
+uint8_t
+pf_syncookie_validate(struct pf_pdesc *pd)
+{
+ uint32_t ack;
+ union pf_syncookie cookie;
+
+ if (! pf_syncookie_check(pd))
return (0);
+ ack = ntohl(pd->hdr.tcp.th_ack) - 1;
+ cookie.cookie = (ack & 0xff) ^ (ack >> 24);
+
counter_u64_add(V_pf_status.lcounters[KLCNT_SYNCOOKIES_VALID], 1);
atomic_add_64(&V_pf_status.syncookies_inflight[cookie.flags.oddeven], -1);

File Metadata

Mime Type
text/plain
Expires
Mon, Jan 27, 1:50 AM (2 m, 4 s)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
16185012
Default Alt Text
D37919.diff (2 KB)

Event Timeline