d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import two fixes from OpenBSD's stable branch:

Browse Source 
- Fix binat for incoming connections when a netblock (not just a single
  address) is used for source in the binat rule. closes PR 3535, reported by
  Karl O.Pinc. ok henning@, cedric@

- Fix a problem related to empty anchor rulesets, which could cause a kernel
  panic.

Approved by:	bms(mentor)
This commit is contained in:
Max Laier 2004-03-28 19:31:37 +00:00
parent 5c45a928b9
commit b855d39384
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/vendor-sys/pf/dist/; revision=127528
svn path=/vendor-sys/pf/3.4.001/; revision=127529; tag=vendor/pf-sys/3.4.001
2 changed files with 41 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
sys/contrib/pf/net/pf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: pf.c,v 1.390 2003/09/24 17:18:03 mcbride Exp $ */
/* $OpenBSD: pf.c,v 1.389.2.2 2004/03/14 00:13:42 brad Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -1897,7 +1897,7 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction,
else
PF_POOLMASK(naddr,
&r->src.addr.v.a.addr,
&r->src.addr.v.a.mask, saddr,
&r->src.addr.v.a.mask, daddr,
pd->af);
break;
}
@ -2413,8 +2413,10 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
}
if (th->th_flags & TH_FIN)
s->src.seqhi++;
s->dst.seqlo = 0; /* Haven't seen these yet */
s->dst.seqhi = 1;
s->dst.max_win = 1;
s->dst.seqdiff = 0; /* Defer random generation */
s->src.state = TCPS_SYN_SENT;
s->dst.state = TCPS_CLOSED;
s->creation = time.tv_sec;
@ -2687,7 +2689,15 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
s->gwy.port = s->lan.port;
}
}
s->src.seqlo = 0;
s->src.seqhi = 0;
s->src.seqdiff = 0;
s->src.max_win = 0;
s->src.state = PFUDPS_SINGLE;
s->dst.seqlo = 0;
s->dst.seqhi = 0;
s->dst.seqdiff = 0;
s->dst.max_win = 0;
s->dst.state = PFUDPS_NO_TRAFFIC;
s->creation = time.tv_sec;
s->expire = time.tv_sec;
@ -2937,6 +2947,16 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
s->gwy.port = icmpid;
}
s->src.seqlo = 0;
s->src.seqhi = 0;
s->src.seqdiff = 0;
s->src.max_win = 0;
s->src.state = 0;
s->dst.seqlo = 0;
s->dst.seqhi = 0;
s->dst.seqdiff = 0;
s->dst.max_win = 0;
s->dst.state = 0;
s->creation = time.tv_sec;
s->expire = time.tv_sec;
s->timeout = PFTM_ICMP_FIRST_PACKET;
@ -3149,20 +3169,34 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
s->af = af;
if (direction == PF_OUT) {
PF_ACPY(&s->gwy.addr, saddr, af);
s->gwy.port = 0;
PF_ACPY(&s->ext.addr, daddr, af);
s->ext.port = 0;
if (nat != NULL)
PF_ACPY(&s->lan.addr, &baddr, af);
else
PF_ACPY(&s->lan.addr, &s->gwy.addr, af);
s->lan.port = 0;
} else {
PF_ACPY(&s->lan.addr, daddr, af);
s->lan.port = 0;
PF_ACPY(&s->ext.addr, saddr, af);
s->ext.port = 0;
if (rdr != NULL)
PF_ACPY(&s->gwy.addr, &baddr, af);
else
PF_ACPY(&s->gwy.addr, &s->lan.addr, af);
s->gwy.port = 0;
}
s->src.seqlo = 0;
s->src.seqhi = 0;
s->src.seqdiff = 0;
s->src.max_win = 0;
s->src.state = PFOTHERS_SINGLE;
s->dst.seqlo = 0;
s->dst.seqhi = 0;
s->dst.seqdiff = 0;
s->dst.max_win = 0;
s->dst.state = PFOTHERS_NO_TRAFFIC;
s->creation = time.tv_sec;
s->expire = time.tv_sec;
@ -4569,8 +4603,10 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
m1 = m0;
error = ip_fragment(m0, ifp, ifp->if_mtu);
if (error == EMSGSIZE)
if (error) {
m0 = NULL;
goto bad;
}
for (m0 = m1; m0; m0 = m1) {
m1 = m0->m_nextpkt;

3
sys/contrib/pf/net/pf_ioctl.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: pf_ioctl.c,v 1.81 2003/08/22 21:50:34 david Exp $ */
/* $OpenBSD: pf_ioctl.c,v 1.81.2.1 2004/03/28 01:34:15 brad Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@ -363,6 +363,7 @@ pf_remove_if_empty_ruleset(struct pf_ruleset *ruleset)
if (TAILQ_EMPTY(&anchor->rulesets)) {
TAILQ_REMOVE(&pf_anchors, anchor, entries);
free(anchor, M_TEMP);
pf_update_anchor_rules();
}
}