pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.

PR:		197484
Obtained from:	OpenBSD
MFC after:	2 weeks
Kristof Provost 2018-10-20 18:37:21 +00:00
parent 18227e20e4
commit 1563a27e1f

@ -4401,7 +4401,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct pfi_kif *kif,
TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL); TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 0, NULL);
REASON_SET(reason, PFRES_SYNPROXY); REASON_SET(reason, PFRES_SYNPROXY);
return (PF_SYNPROXY_DROP); return (PF_SYNPROXY_DROP);
} else if (!(th->th_flags & TH_ACK) || } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
(ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) ||
(ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) {
REASON_SET(reason, PFRES_SYNPROXY); REASON_SET(reason, PFRES_SYNPROXY);
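Review bot: the new mask in the `else if` condition, `(th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK`, implements exactly what the commit message asks for (reject the handshake-completing ACK when RST or FIN is also set), but it leaves TH_SYN out of the mask, so a segment carrying SYN|ACK together with the expected numbers on the next two lines (`ntohl(th->th_ack) == (*state)->src.seqhi + 1` and `ntohl(th->th_seq) == (*state)->src.seqlo + 1`) would still fall through as a completed handshake unless the preceding branch (the one that resends `TH_SYN|TH_ACK` and returns `PF_SYNPROXY_DROP`, whose condition is not shown in this hunk) already catches every SYN-bearing segment; please either add TH_SYN to the mask or add a one-line comment stating that the earlier branch guarantees SYN is clear here. A second small point: an ACK with RST or FIN set now takes the same `REASON_SET(reason, PFRES_SYNPROXY)` drop path as an ACK with a wrong ack or seq number, so a short comment above the condition would help the next reader, since the reason code alone no longer tells the two cases apart.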