From b5e819ec23e70de6e6f0246047a242dfab0f8f1f Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@FreeBSD.org>
Date: Fri, 14 Apr 2000 15:34:55 +0000
Subject: [PATCH] Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to
 established connections, after SYN packets were seen from both ends.  Before
 this, it would get applied right after the first SYN packet was seen (either
 from client or server).  With broken TCP connection attempts, when the remote
 end does not respond with SYNACK nor with RST, this resulted in having a
 useless (ie, no actual TCP connection associated with it) TCP link with 86400
 seconds TTL, wasting system memory.  With high rate of such broken connection
 attempts (for example, remote end simply blocks these connection attempts
 with ipfw(8) without sending RST back), this could result in a
 denial-of-service.

PR:		bin/17963
---
 lib/libalias/alias_db.c         | 26 ++++++++++----------------
 sys/netinet/libalias/alias_db.c | 26 ++++++++++----------------
 2 files changed, 20 insertions(+), 32 deletions(-)

diff --git a/lib/libalias/alias_db.c b/lib/libalias/alias_db.c
index 86223cd22e40..1ea34131dbf8 100644
--- a/lib/libalias/alias_db.c
+++ b/lib/libalias/alias_db.c
@@ -1544,22 +1544,19 @@ SetStateIn(struct alias_link *link, int state)
     /* TCP input state */
     switch (state) {
     case ALIAS_TCP_STATE_DISCONNECTED:
-        if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED) {
+        if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED)
             link->expire_time = TCP_EXPIRE_DEAD;
-        } else {
+        else
             link->expire_time = TCP_EXPIRE_SINGLEDEAD;
-        }
-        link->data.tcp->state.in = state;
         break;
     case ALIAS_TCP_STATE_CONNECTED:
-        link->expire_time = TCP_EXPIRE_CONNECTED;
-        /*FALLTHROUGH*/
-    case ALIAS_TCP_STATE_NOT_CONNECTED:
-        link->data.tcp->state.in = state;
+        if (link->data.tcp->state.out == ALIAS_TCP_STATE_CONNECTED)
+            link->expire_time = TCP_EXPIRE_CONNECTED;
         break;
     default:
         abort();
     }
+    link->data.tcp->state.in = state;
 }
 
 
@@ -1569,22 +1566,19 @@ SetStateOut(struct alias_link *link, int state)
     /* TCP output state */
     switch (state) {
     case ALIAS_TCP_STATE_DISCONNECTED:
-        if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED) {
+        if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED)
             link->expire_time = TCP_EXPIRE_DEAD;
-        } else {
+        else
             link->expire_time = TCP_EXPIRE_SINGLEDEAD;
-        }
-        link->data.tcp->state.out = state;
         break;
     case ALIAS_TCP_STATE_CONNECTED:
-        link->expire_time = TCP_EXPIRE_CONNECTED;
-        /*FALLTHROUGH*/
-    case ALIAS_TCP_STATE_NOT_CONNECTED:
-        link->data.tcp->state.out = state;
+        if (link->data.tcp->state.in == ALIAS_TCP_STATE_CONNECTED)
+            link->expire_time = TCP_EXPIRE_CONNECTED;
         break;
     default:
         abort();
     }
+    link->data.tcp->state.out = state;
 }
 
 
diff --git a/sys/netinet/libalias/alias_db.c b/sys/netinet/libalias/alias_db.c
index 86223cd22e40..1ea34131dbf8 100644
--- a/sys/netinet/libalias/alias_db.c
+++ b/sys/netinet/libalias/alias_db.c
@@ -1544,22 +1544,19 @@ SetStateIn(struct alias_link *link, int state)
     /* TCP input state */
     switch (state) {
     case ALIAS_TCP_STATE_DISCONNECTED:
-        if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED) {
+        if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED)
             link->expire_time = TCP_EXPIRE_DEAD;
-        } else {
+        else
             link->expire_time = TCP_EXPIRE_SINGLEDEAD;
-        }
-        link->data.tcp->state.in = state;
         break;
     case ALIAS_TCP_STATE_CONNECTED:
-        link->expire_time = TCP_EXPIRE_CONNECTED;
-        /*FALLTHROUGH*/
-    case ALIAS_TCP_STATE_NOT_CONNECTED:
-        link->data.tcp->state.in = state;
+        if (link->data.tcp->state.out == ALIAS_TCP_STATE_CONNECTED)
+            link->expire_time = TCP_EXPIRE_CONNECTED;
         break;
     default:
         abort();
     }
+    link->data.tcp->state.in = state;
 }
 
 
@@ -1569,22 +1566,19 @@ SetStateOut(struct alias_link *link, int state)
     /* TCP output state */
     switch (state) {
     case ALIAS_TCP_STATE_DISCONNECTED:
-        if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED) {
+        if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED)
             link->expire_time = TCP_EXPIRE_DEAD;
-        } else {
+        else
             link->expire_time = TCP_EXPIRE_SINGLEDEAD;
-        }
-        link->data.tcp->state.out = state;
         break;
     case ALIAS_TCP_STATE_CONNECTED:
-        link->expire_time = TCP_EXPIRE_CONNECTED;
-        /*FALLTHROUGH*/
-    case ALIAS_TCP_STATE_NOT_CONNECTED:
-        link->data.tcp->state.out = state;
+        if (link->data.tcp->state.in == ALIAS_TCP_STATE_CONNECTED)
+            link->expire_time = TCP_EXPIRE_CONNECTED;
         break;
     default:
         abort();
     }
+    link->data.tcp->state.out = state;
 }