authorhenning <henning@openbsd.org>2008-06-12 18:41:41 +0000
committerhenning <henning@openbsd.org>2008-06-12 18:41:41 +0000
commitdc9392ce2270bbbef4c8323a85594fa78ecd59f8 (patch)
tree8d2e58b63d1f488e1f35c75517d25f1cd5496b94
parentpoint to usb man pages more clearly; ok jmc (diff)
fix synproxy.
the factored out pf_create_state() could return PF_PASS, _DROP, and _SYNPROXY_DROP. We were treating the latter the same as _PASS and thus passing the original SYN which we of course don't want in the synproxy case. breakage reported by sakurai-san, headscratching with and ok ryan
-rw-r--r--sys/net/pf.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 6a1426a7b7f..a0dfe19c913 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.596 2008/06/11 17:52:37 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.597 2008/06/12 18:41:41 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3366,11 +3366,16 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
}
if (!state_icmp && (r->keep_state || nr != NULL ||
- (pd->flags & PFDESC_TCP_NORM)))
- if (pf_create_state(r, nr, a, pd, nsn, skw, sks, nk, sk, m,
+ (pd->flags & PFDESC_TCP_NORM))) {
+ int action;
+ action = pf_create_state(r, nr, a, pd, nsn, skw, sks, nk, sk, m,
off, sport, dport, &rewrite, kif, sm, tag, bproto_sum,
- bip_sum, hdrlen) == PF_DROP)
+ bip_sum, hdrlen);
+ if (action == PF_DROP)
goto cleanup;
+ if (action != PF_PASS)
+ return (action);
+ }
/* copy back packet headers if we performed NAT operations */
if (rewrite)
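Review bot: The new `return (action);` leaves pf_test_rule() without going through the `cleanup` label that the PF_DROP branch still uses, and nothing in the hunk says why skipping it is safe. Going by the commit message, the only value that reaches it is PF_SYNPROXY_DROP, where the state has presumably been installed and owns whatever `cleanup` would release, but that is not visible here because the function begins and ends outside the hunk. Keeping the test as `!= PF_PASS` is the fail-closed choice, since an unexpected return code is never treated as a pass, so I would leave the condition alone and document it. A comment above the test such as `/* PF_SYNPROXY_DROP: state exists, the original SYN must not be forwarded; no cleanup needed because the state owns the keys */` would do, with the ownership half confirmed against pf_create_state().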