Handle TCP reset sequence properly.

In the words of originator: :If an incoming connection is initiated through natd and deny_incoming is :not set, then a new alias_link structure is created to handle the link. :If there is nothing listening for the incoming connection, then the kernel :responds with a RST for the connection. However, this is not processed :correctly in libalias/alias.c:TcpMonitor{In,Out} and :libalias/alias_db.c:SetState{In,Out} as it thinks a connection :has been established and therefore applies a timeout of 86400 seconds :to the link. : :If many of these half-connections are initiated (during, for example, a :port scan of the host), then many thousands of unnecessary links are :created and the resident size of natd balloons to 20MB or more. PR: 13639 Reviewed by: brian
1999-09-09 13:42:51 +00:00 · 1999-09-09 13:42:51 +00:00 · 29d958bb8a
commit 29d958bb8a
parent 909bce6f2b
2 changed files with 4 additions and 4 deletions
--- a/lib/libalias/alias.c
+++ b/lib/libalias/alias.c
@ -142,7 +142,7 @@ TcpMonitorIn(struct ip *pip, struct alias_link *link)
        case ALIAS_TCP_STATE_NOT_CONNECTED:
            if (tc->th_flags & TH_SYN)
                SetStateIn(link, ALIAS_TCP_STATE_CONNECTED);
-            break;
+            /*FALLTHROUGH*/
        case ALIAS_TCP_STATE_CONNECTED:
            if (tc->th_flags & TH_FIN
                || tc->th_flags & TH_RST)
@ -163,7 +163,7 @@ TcpMonitorOut(struct ip *pip, struct alias_link *link)
        case ALIAS_TCP_STATE_NOT_CONNECTED:
            if (tc->th_flags & TH_SYN)
                SetStateOut(link, ALIAS_TCP_STATE_CONNECTED);
-            break;
+            /*FALLTHROUGH*/
        case ALIAS_TCP_STATE_CONNECTED:
            if (tc->th_flags & TH_FIN
                || tc->th_flags & TH_RST)
--- a/sys/netinet/libalias/alias.c
+++ b/sys/netinet/libalias/alias.c
@ -142,7 +142,7 @@ TcpMonitorIn(struct ip *pip, struct alias_link *link)
        case ALIAS_TCP_STATE_NOT_CONNECTED:
            if (tc->th_flags & TH_SYN)
                SetStateIn(link, ALIAS_TCP_STATE_CONNECTED);
-            break;
+            /*FALLTHROUGH*/
        case ALIAS_TCP_STATE_CONNECTED:
            if (tc->th_flags & TH_FIN
                || tc->th_flags & TH_RST)
@ -163,7 +163,7 @@ TcpMonitorOut(struct ip *pip, struct alias_link *link)
        case ALIAS_TCP_STATE_NOT_CONNECTED:
            if (tc->th_flags & TH_SYN)
                SetStateOut(link, ALIAS_TCP_STATE_CONNECTED);
-            break;
+            /*FALLTHROUGH*/
        case ALIAS_TCP_STATE_CONNECTED:
            if (tc->th_flags & TH_FIN
                || tc->th_flags & TH_RST)