Link pf states and socket inpcbs together more tightly. The linking

was only done when a packet traveled up the stack from pf to
tcp_input().  Now also link the state and inpcb when the packet is
going down from tcp_output() to pf.  As a consequence, divert-reply
states where the initial SYN does not get an answer, can be handled
more correctly.

This change is part of a larger diff that has been backed out in
2011.  Bring the feature back in small steps to see when bad things
start to happen.

OK henning deraadt

1 files changed, 16 insertions, 3 deletions

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 67d980bf29d..bd15f9971a4 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.261 2013/06/03 13:19:08 bluhm Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.262 2013/06/03 16:57:05 bluhm Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/
 
 /*
@@ -68,6 +68,8 @@
  * Research Laboratory (NRL).
  */
 
+#include "pf.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
@@ -96,7 +98,6 @@
 #include <netinet/tcpip.h>
 #include <netinet/tcp_debug.h>
 
-#include "pf.h"
 #if NPF > 0
 #include <net/pfvar.h>
 #endif
@@ -873,7 +874,8 @@ findpcb:
 #endif
 
 #if NPF > 0
-	if (m->m_pkthdr.pf.statekey) {
+	if (m->m_pkthdr.pf.statekey && !m->m_pkthdr.pf.statekey->inp &&
+	    !inp->inp_pf_sk) {
 		m->m_pkthdr.pf.statekey->inp = inp;
 		inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
 	}
@@ -1318,6 +1320,17 @@ trimthenstep6:
 		    ((opti.ts_present &&
 		    TSTMP_LT(tp->ts_recent, opti.ts_val)) ||
 		    SEQ_GT(th->th_seq, tp->rcv_nxt))) {
+#if NPF > 0
+			/*
+			 * The socket will be recreated but the new state
+			 * has already been linked to the socket.  Remove the
+			 * link between old socket and new state.
+			 */
+			if (inp->inp_pf_sk) {
+				inp->inp_pf_sk->inp = NULL;
+				inp->inp_pf_sk = NULL;
+			}
+#endif
 			/*
 			* Advance the iss by at least 32768, but
 			* clear the msb in order to make sure