freebsd-dev/sys/net
Kristof Provost 9c041b450d pf: fix syncookies in conjunction with tcp fast port reuse
Basic scenario: we have a closed connection (in TCPS_FIN_WAIT_2), and
get a new connection (i.e. SYN) re-using the tuple.

Without syncookies we look at the SYN, and completely unlink the old,
closed state on the SYN.
With syncookies we send a generated SYN|ACK back, and drop the SYN,
never looking at the state table.

So when the ACK (i.e. the third step in the three-way handshake for
connection setup) turns up, we’ve not actually removed the old state, so
we find it, and don’t do the syncookie dance, or allow the new
connection to get set up.

Explicitly check for this in pf_test_state_tcp(). If we find a state in
TCPS_FIN_WAIT_2 and the syncookie is valid we delete the existing state
so we can set up the new state.
Note that when we verify the syncookie in pf_test_state_tcp() we don't
decrement the number of half-open connections to avoid an incorrect
double decrement.

MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D37919
2023-01-13 23:14:12 +01:00
altq net: remove stale altq_input reference 2022-09-07 10:03:12 +00:00
route routing: add missed RIB_WUNLOCK in the add_route_flags(). 2022-12-30 15:54:06 +00:00
bpf_buffer.c
bpf_buffer.h
bpf_filter.c bpf(3): Grammar fix for a source code comment 2022-09-04 17:30:05 +02:00
bpf_jitter.c
bpf_jitter.h
bpf_zerocopy.c
bpf_zerocopy.h
bpf.c bpf: only access refcounts using dedicated primitives 2022-11-24 19:44:25 +00:00
bpf.h bpf: Correct a comment 2022-06-20 12:48:13 -04:00
bpfdesc.h bpf: Add an ioctl to set the VLAN Priority on packets sent by bpf 2021-07-26 23:13:31 +02:00
bridgestp.c bridgestp: validate timer values in config BPDU 2021-04-19 12:09:18 +02:00
bridgestp.h
debugnet_inet.c debugnet: Fix false-positive assertions for dp_state 2021-07-28 16:34:14 -07:00
debugnet_int.h
debugnet.c debugnet: remove spurious message on boot 2022-12-16 10:30:58 -05:00
debugnet.h debugnet: Fix a typo in a source code comment 2022-08-07 16:07:01 +02:00
dlt.h net(4): Fix a typo in a source code comment 2022-04-02 14:57:06 +02:00
ethernet.h net(3): Fix a typo in a source code comment 2022-04-02 10:53:40 +02:00
firewire.h
ieee8023ad_lacp.c lacp: Remove racy kassert 2022-06-13 11:32:10 -04:00
ieee8023ad_lacp.h lacp: short timeout erroneously declares link-flapping 2022-04-27 12:41:30 -07:00
ieee_oui.h Remove "All Rights Reserved" from FreeBSD Foundation sys/ copyrights 2021-08-08 10:42:24 -04:00
if_arp.h
if_bridge.c bridge: Fix a potential memory leak in bridge_enqueue() 2022-12-11 11:41:12 -05:00
if_bridgevar.h net: make if_bridgevar.h self-contained 2021-12-17 12:38:35 +01:00
if_clone.c if_clone: add ifc_link_ifp() / ifc_unlink_ifp() to the KPI 2022-09-24 19:42:42 +00:00
if_clone.h if_clone: add ifc_link_ifp() / ifc_unlink_ifp() to the KPI 2022-09-24 19:42:42 +00:00
if_dead.c Add a switch structure for send tags. 2021-09-14 11:43:41 -07:00
if_disc.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-08-22 22:56:08 +00:00
if_dl.h
if_edsc.c
if_enc.c
if_enc.h
if_epair.c if_epair: fix build with RSS 2022-10-03 17:02:55 +02:00
if_ethersubr.c ether_demux: Defer stripping the Ethernet header. 2022-11-30 14:38:51 -08:00
if_fwsubr.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-08-22 22:56:08 +00:00
if_gif.c if_gif: fix vnet shutdown panic 2021-11-08 12:00:00 +01:00
if_gif.h
if_gre.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-08-22 22:56:08 +00:00
if_gre.h
if_infiniband.c infiniband_resolve_addr: ih is only used for INET or INET6. 2022-04-13 16:08:21 -07:00
if_ipsec.c Use network epoch to protect local IPv4 addresses hash. 2021-10-22 14:40:53 -07:00
if_ipsec.h
if_lagg.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_lagg.h lagg: fix lagg ifioctl after SIOCSIFCAPNV 2022-07-28 10:39:00 -04:00
if_llatbl.c if_llatbl: Fix a typo in a debug statement 2022-06-04 15:22:09 +02:00
if_llatbl.h netinet6: Fix mbuf leak in NDP 2022-05-31 21:06:14 +00:00
if_llc.h
if_loop.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_me.c if_me: Use dedicated network privilege 2022-10-15 17:05:36 +02:00
if_media.c
if_media.h
if_mib.c ifnet: make V_if_index static to if.c 2021-12-06 09:32:31 -08:00
if_mib.h
if_ovpn.c Revert "if_ovpn: allow peer lookup by vpn4/vpn6 address" 2022-12-26 22:38:10 +01:00
if_ovpn.h if_ovpn: implement OVPN_GET_PEER_STATS 2022-12-14 06:48:58 +01:00
if_pflog.h pflog: align header to 4 bytes, not 8 2022-02-01 18:17:44 +01:00
if_pfsync.h pfsync: prepare code to accommodate AF_INET6 family 2022-11-09 21:06:07 +01:00
if_stf.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_stf.h if_stf: make if_stf.h self-contained 2021-12-17 12:38:34 +01:00
if_tap.h
if_tun.h
if_tuntap.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_types.h Import the WireGuard driver from zx2c4.com. 2022-10-28 13:36:12 -07:00
if_var.h Revert "ifnet/API: Move the IfAPI from if_var.h to if.h" 2023-01-12 21:29:19 -05:00
if_vlan_var.h vlan: deduplicate bpf_setpcp() and pf_ieee8021q_setpcp() 2021-07-26 23:13:31 +02:00
if_vlan.c if_clone: migrate some consumers to the new KPI. 2022-09-22 12:30:09 +00:00
if_vxlan.c if_vxlan(4): Correct the statistic for output bytes 2022-10-07 13:45:16 +02:00
if_vxlan.h
if.c ifnet/API: Change if_set*bit accessors to clear first 2023-01-09 16:00:22 -05:00
if.h Revert "ifnet/API: Move the IfAPI from if_var.h to if.h" 2023-01-12 21:29:19 -05:00
ifdi_if.m iflib: add support for admin completion queues 2021-03-03 00:40:47 +01:00
iflib_clone.c Create wrapper for Giant taken for newbus 2021-12-09 17:04:45 -07:00
iflib_private.h
iflib.c Convert iflib(4) and iflib-based drivers to the DrvAPI 2022-12-21 09:20:06 -05:00
iflib.h iflib: Introduce v2 of TX Queue Select Functionality 2022-10-17 14:59:55 -07:00
ifq.h
infiniband.h
mp_ring.c
mp_ring.h
mppc.h
mppcc.c
mppcd.c
netisr_internal.h
netisr.c netisr(9): Fix a typo in a source code comment 2022-09-03 15:04:15 +02:00
netisr.h
netmap_legacy.h netmap: add kernel support for the "offsets" feature 2021-03-29 16:29:01 +00:00
netmap_user.h netmap: fix refcount bug in netmap allocator 2022-03-06 16:39:16 +00:00
netmap_virt.h netmap: add kernel support for the "offsets" feature 2021-03-29 16:29:01 +00:00
netmap.h netmap(4): Fix a typo in a source code comment 2022-10-25 14:56:25 +02:00
paravirt.h
pfil.c net: add pfil_mbuf_{in,out} 2022-09-08 16:20:43 +00:00
pfil.h net: add pfil_mbuf_{in,out} 2022-09-08 16:20:43 +00:00
pfkeyv2.h ipsec: add support for CHACHA20POLY1305 2022-11-02 14:19:04 +01:00
pfvar.h pf: fix syncookies in conjunction with tcp fast port reuse 2023-01-13 23:14:12 +01:00
ppp_defs.h
radix.c net: constantify radix.c functions 2022-08-01 07:32:40 +00:00
radix.h net: constantify radix.c functions 2022-08-01 07:32:40 +00:00
rndis.h Hyper-V: hn: Enable vSwitch RSC support in hn netvsc driver 2021-03-12 04:35:16 +00:00
route.c route: allow RTM_CHANGE notifications in rt_routemsg(). 2022-12-15 10:40:35 +00:00
route.h netlink: add interface notification on link status / flags change. 2022-12-09 11:20:07 +00:00
rss_config.c Revert "wpa: Import wpa_supplicant/hostapd commit 14ab4a816" 2021-12-02 14:45:04 -08:00
rss_config.h
rtsock.c netlink: add interface notification on link status / flags change. 2022-12-09 11:20:07 +00:00
sff8436.h
sff8472.h
slcompress.c
slcompress.h
toeplitz.c
toeplitz.h
vnet.c ddb: annotate some commands with DB_CMD_MEMSAFE 2022-07-18 22:06:09 +00:00
vnet.h IPv4: experimental changes to allow net 0/8, 240/4, part of 127/8 2022-07-13 09:46:05 -05:00