[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf blocks ACK response

To: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: pf blocks ACK response
From: Mike Frantzen <frantzen@w4g.org>
Date: Thu, 21 Mar 2002 21:18:23 -0500
Cc: Ramon Reyes Carrion <ramon@cimat.mx>, misc@openbsd.org
Content-Disposition: inline
References: <Pine.SOL.4.21.0203211732340.3542-100000@pulque> <200203220109.MAA00570@caligula.anu.edu.au>

> > For what I can make out of the pf flow diagram at:
> > http://mniam.net/pf/pf.png, the 'state check' is done before any rules can
> > match. Is this so?
> Oh, that's a bug/limitation in pf, I'd say.
> If TCP packet matches a state entry based on the key values (ports,IP#'s)
> but does not fall within the window, it is automatically dropped with no
> other processing possible.

It is a side-affect of the unification of the state table and the nat
table.  If we were to send a out-of-window stateful packet back to the
rule base, we would risk creating another state.  That second state
could get natted differently and you may have just shot down the
connection depending on the orientation of the tree.

> If you look through src/sys/net/pf.c, find pf_test_state_tcp() and add
> some code to do "*state = NULL;" before it returns PF_DROP (only once),
> you'll be able to make that block rule kick in, I think.

That could be very bad.  The way the AVL trees are used, duplicate
identical tree entries can result in using an object after it is freed
and random memory scribbling.  Bad bad bad.

.mike

Follow-Ups:
- Re: pf blocks ACK response
  - From: Darren Reed <avalon@coombs.anu.edu.au>

References:
- Re: pf blocks ACK response
  - From: Ramon Reyes Carrion <ramon@cimat.mx>
- Re: pf blocks ACK response
  - From: Darren Reed <avalon@coombs.anu.edu.au>

Prev by Date: Re: pf blocks ACK response
Next by Date: Re: pf blocks ACK response
Prev by thread: Re: pf blocks ACK response
Next by thread: Re: pf blocks ACK response
Index(es):
- Date
- Thread