synproxy should be processing incoming SYN packets only.

issue noticed by sthen@. fix discussed with bluhm@ and procter@ OK bluhm@, kn@, procter@
author: sashan <sashan@openbsd.org> 2020-12-07 08:29:41 +0000
committer: sashan <sashan@openbsd.org> 2020-12-07 08:29:41 +0000
commit: 4e62cf09d9b60392fb204355196d717aa8b5ffc5 (patch)
tree: 4ac11489447d76524541a16502920dd68909e521 /sys/net/pf.c
parent: change from bus_addr_t to paddr_t for phys_addr_t and resource_size_t (diff)
download: wireguard-openbsd-4e62cf09d9b60392fb204355196d717aa8b5ffc5.tar.xz
wireguard-openbsd-4e62cf09d9b60392fb204355196d717aa8b5ffc5.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 823fdc22133..4ac4cc45f78 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.1094 2020/07/24 18:17:15 mvs Exp $ */
+/*	$OpenBSD: pf.c,v 1.1095 2020/12/07 08:29:41 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -4161,7 +4161,7 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
 		s->tag = tag;
 	}
 	if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
-	    TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
+	    TH_SYN && r->keep_state == PF_STATE_SYNPROXY && pd->dir == PF_IN) {
 		int rtid = pd->rdomain;
 		if (act->rtableid >= 0)
 			rtid = act->rtableid;
author	sashan <sashan@openbsd.org>	2020-12-07 08:29:41 +0000
committer	sashan <sashan@openbsd.org>	2020-12-07 08:29:41 +0000
commit	4e62cf09d9b60392fb204355196d717aa8b5ffc5 (patch)
tree	4ac11489447d76524541a16502920dd68909e521 /sys/net/pf.c
parent	change from bus_addr_t to paddr_t for phys_addr_t and resource_size_t (diff)
download	wireguard-openbsd-4e62cf09d9b60392fb204355196d717aa8b5ffc5.tar.xz wireguard-openbsd-4e62cf09d9b60392fb204355196d717aa8b5ffc5.zip