pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger for "3WHS completed" is the reception of the first ACK. However, we should not proceed if that ACK also has RST or FIN set. PR: 197484 Obtained from: OpenBSD MFC after: 2 weeks
This commit is contained in:
parent
18227e20e4
commit
1563a27e1f
@ -4401,7 +4401,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
|
|||||||
TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL);
|
TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL);
|
||||||
REASON_SET(reason, PFRES_SYNPROXY);
|
REASON_SET(reason, PFRES_SYNPROXY);
|
||||||
return (PF_SYNPROXY_DROP);
|
return (PF_SYNPROXY_DROP);
|
||||||
} else if (!(th->th_flags & TH_ACK) ||
|
} else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
|
||||||
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
|
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
|
||||||
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
|
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
|
||||||
REASON_SET(reason, PFRES_SYNPROXY);
|
REASON_SET(reason, PFRES_SYNPROXY);
|
||||||
|
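Review bot: The rewritten condition on the changed line is right to treat only a pure ACK as completing the proxied handshake, but the reason should be recorded in a comment above it, because the difference from the old `!(th->th_flags & TH_ACK)` test is easy to lose in a later merge: `/* Only a pure ACK completes the proxied 3WHS; an ACK carrying RST or FIN must not open the backend connection. */`. A rejected ACK+RST then reaches the branch that sets PFRES_SYNPROXY, so a client reset is presumably dropped rather than tearing down the half-open proxy state, which would then linger until its timeout; whether that is intended deserves a sentence too. TH_SYN is not excluded here, presumably because the branch above that re-sends SYN|ACK already handles it, but that branch's condition is outside the hunk. pf_test_state_tcp begins and ends outside the hunk.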