Re: pf blocks ACK response
> > For what I can make out of the pf flow diagram at:
> > http://mniam.net/pf/pf.png, the 'state check' is done before any rules can
> > match. Is this so?
> Oh, that's a bug/limitation in pf, I'd say.
> If a TCP packet matches a state entry based on the key values (ports, IP#'s)
> but does not fall within the window, it is automatically dropped with no
> other processing possible.
It is a side-effect of the unification of the state table and the nat
table. If we were to send an out-of-window stateful packet back to the
rule base, we would risk creating another state. That second state
could get natted differently and you may have just shot down the
connection depending on the orientation of the tree.
> If you look through src/sys/net/pf.c, find pf_test_state_tcp() and add
> some code to do "*state = NULL;" before it returns PF_DROP (only once),
> you'll be able to make that block rule kick in, I think.
That could be very bad. The way the AVL trees are used, duplicate
identical tree entries can result in using an object after it is freed
and random memory scribbling. Bad bad bad.
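A toy model of the behaviour discussed in this thread, added here as an illustrative example (it is not pf code and not from either poster): a packet whose key matches a state entry but whose sequence number is outside the tracked window is dropped, and if instead it were passed back to the rule base, a "keep state" rule would create a second state for the same key, possibly with a different NAT mapping. The window bounds, NAT port allocation and addresses are all constructed for the simulation.

```python
from dataclasses import dataclass

@dataclass
class State:
    key: tuple      # (src, sport, dst, dport), the state-table key
    lo: int         # lowest acceptable sequence number
    hi: int         # highest acceptable sequence number
    nat_port: int   # translated source port chosen when the state was created

@dataclass
class Packet:
    key: tuple
    seq: int

def lookup(states, key):
    """Return every state entry whose key matches (pf intends exactly one)."""
    return [s for s in states if s.key == key]

def process(pkt, states, next_nat_port, fall_through):
    """Return (verdict, states, next_nat_port).

    fall_through=False models pf as described: an out-of-window packet gets
    PF_DROP with no rule processing.  fall_through=True models the proposed
    '*state = NULL' change: the packet continues to the rule base, and a
    'pass ... keep state' rule creates a new state for the same key."""
    matches = lookup(states, pkt.key)
    if matches:
        st = matches[0]
        if st.lo <= pkt.seq <= st.hi:
            return "pass(state)", states, next_nat_port
        if not fall_through:
            return "drop(out-of-window)", states, next_nat_port
    # Rule base: a single 'pass out ... nat ... keep state' rule that
    # allocates the next free NAT port and opens a 64 KiB window.
    new = State(pkt.key, pkt.seq, pkt.seq + 65535, next_nat_port)
    return "pass(rule, new state)", states + [new], next_nat_port + 1

def run(fall_through):
    """Feed an in-window then a far out-of-window packet for one connection."""
    key = ("10.0.0.5", 40000, "203.0.113.9", 80)   # constructed sample flow
    states, port = [], 50000
    v1, states, port = process(Packet(key, 1000), states, port, fall_through)
    v2, states, port = process(Packet(key, 201000), states, port, fall_through)
    dup = len(lookup(states, key))                 # >1 means duplicate states
    ports = sorted({s.nat_port for s in lookup(states, key)})
    return v1, v2, dup, ports
```

Running `run(False)` leaves one state and one NAT port; `run(True)` ends with two state entries for the same key, translated to different ports, which is the condition the reply warns about.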