author | 2015-02-07 09:15:25 +0000 | |
---|---|---|
committer | 2015-02-07 09:15:25 +0000 | |
commit | ed1f804e710f10818c0088829c00eec657b0973e (patch) | |
tree | fc0f05b59c03d57f0056694c84053c2309ed11ab | |
parent | Convert several of the server side handshake functions to the new handshake (diff) | |
download | wireguard-openbsd-ed1f804e710f10818c0088829c00eec657b0973e.tar.xz wireguard-openbsd-ed1f804e710f10818c0088829c00eec657b0973e.zip |
pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.
ACK+RST part pointed out by Kojedzinszky Richard <krichy at tvnetwork hu>
ok mikeb dlg phessler claudio
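As an added illustration, not code from OpenBSD's pf, the following C program models the single condition this commit changes: the test that decides whether the segment arriving after pf's SYN+ACK completes the proxied three-way handshake. The two sequence fields (`SRC_SEQHI`, `SRC_SEQLO`) and the segment numbers are made-up values, and the flag bits are defined locally with the standard values rather than pulled from <netinet/tcp.h>. Everything else in pf_synproxy(), including the branch that handles SYN segments ahead of this test and the drop that follows REASON_SET, is outside the model; the functions simply return 1 where pf would proceed to the backend connection and 0 where it would set PFRES_SYNPROXY and stop.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits with the same values as <netinet/tcp.h> (defined here so the
 * example builds on any platform). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10

/* Constructed stand-ins for the two pf_state fields the check reads:
 * seqhi is the ISN pf chose for its own SYN+ACK toward the client, seqlo the
 * client's ISN from its SYN. Both numbers are invented for this example. */
static const uint32_t SRC_SEQHI = 1000;
static const uint32_t SRC_SEQLO = 500;

/* Old test (before this commit): ACK bit set, plus the expected numbers.
 * th_seq/th_ack are already in host byte order here (pf applies ntohl). */
int old_accepts(uint8_t th_flags, uint32_t th_seq, uint32_t th_ack)
{
    if (!(th_flags & TH_ACK) ||
        th_ack != SRC_SEQHI + 1 ||
        th_seq != SRC_SEQLO + 1)
        return 0;   /* pf sets PFRES_SYNPROXY and does not proceed */
    return 1;       /* 3WHS treated as complete: backend connection follows */
}

/* New test (this commit): ACK set, RST and FIN both clear, same numbers.
 * Masking with (TH_ACK|TH_RST|TH_FIN) and comparing to TH_ACK rejects
 * ACK+RST and ACK+FIN, which the old test let through. */
int new_accepts(uint8_t th_flags, uint32_t th_seq, uint32_t th_ack)
{
    if ((th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK ||
        th_ack != SRC_SEQHI + 1 ||
        th_seq != SRC_SEQLO + 1)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed segments: the first two are what a real client sends after
     * receiving pf's SYN+ACK; the rest probe the edge cases this commit is
     * about, plus one wrong sequence number as a control. */
    const struct {
        const char *name;
        uint8_t     flags;
        uint32_t    seq, ack;
    } cases[] = {
        { "ACK, correct numbers",      TH_ACK,         501, 1001 },
        { "ACK+PUSH, correct numbers", TH_ACK|TH_PUSH, 501, 1001 },
        { "ACK+RST, correct numbers",  TH_ACK|TH_RST,  501, 1001 },
        { "ACK+FIN, correct numbers",  TH_ACK|TH_FIN,  501, 1001 },
        { "bare RST, correct numbers", TH_RST,         501, 1001 },
        { "SYN+ACK, correct numbers",  TH_SYN|TH_ACK,  501, 1001 },
        { "ACK, wrong seq",            TH_ACK,         777, 1001 },
    };
    size_t i;

    printf("%-28s %s %s\n", "segment", "old", "new");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-28s  %d   %d\n", cases[i].name,
            old_accepts(cases[i].flags, cases[i].seq, cases[i].ack),
            new_accepts(cases[i].flags, cases[i].seq, cases[i].ack));
    return 0;
}
```

The table makes the scope of the fix visible: a bare RST was already refused by the old `!(th->th_flags & TH_ACK)` test, so only ACK+RST and ACK+FIN change outcome. A SYN+ACK with the expected numbers passes both versions of this particular test; whether such a segment ever reaches it depends on the SYN-handling branch that precedes it in pf_synproxy(), which this model does not include.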
-rw-r--r-- | sys/net/pf.c | 4 |
1 file changed, 2 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 9d87d1664b4..ade98898e65 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.900 2015/02/05 01:10:57 mpi Exp $ */ +/* $OpenBSD: pf.c,v 1.901 2015/02/07 09:15:25 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -4192,7 +4192,7 @@ pf_synproxy(struct pf_pdesc *pd, struct pf_state **state, u_short *reason) 0, pd->rdomain, NULL, NULL); REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); - } else if (!(th->th_flags & TH_ACK) || + } else if ((th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK || (ntohl(th->th_ack) != (*state)->src.seqhi + 1) || (ntohl(th->th_seq) != (*state)->src.seqlo + 1)) { REASON_SET(reason, PFRES_SYNPROXY); |
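Review bot: in the pf_synproxy() hunk the new mask `(th->th_flags & (TH_ACK|TH_RST|TH_FIN)) != TH_ACK` leaves TH_SYN out, so a segment carrying SYN together with ACK and the expected ack/seq values still takes the "handshake completed" path at this point; that is fine only if the branch above this hunk (outside the visible context) already diverts SYN-flagged segments, so either add TH_SYN to the mask or leave a one-line comment saying why it is safe to omit. Otherwise the change is as narrow as the commit message says: a bare RST or FIN without ACK was already refused by the old `!(th->th_flags & TH_ACK)` test, so only ACK+RST and ACK+FIN change outcome, and they now fall into the same REASON_SET(reason, PFRES_SYNPROXY) branch as a wrong ack or seq. A short comment above the condition noting that RST and FIN are excluded on purpose would help, since the masked compare is less self-explanatory than the flag test it replaces.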