197484 – fix pf 3whs ACK handling

Bug 197484 - fix pf 3whs ACK handling

Summary: fix pf 3whs ACK handling

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	10.1-STABLE
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	freebsd-pf (Nobody)

URL:
Keywords:	patch

Depends on:
Blocks:

Reported:	2015-02-09 15:54 UTC by krichy
Modified:	2018-11-18 11:20 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
the fix (593 bytes, patch) 2015-02-09 15:54 UTC, krichy	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description krichy 2015-02-09 15:54:54 UTC

Created attachment 152799 [details]
the fix

pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger
for "3WHS completed" is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.

reference: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c?rev=1.901&content-type=text/x-cvsweb-markup

Comment 1 krichy 2015-06-18 09:02:08 UTC

Any updates on this?

Comment 2 commit-hook freebsd_committer

2018-10-20 18:37:49 UTC

A commit references this bug:

Author: kp
Date: Sat Oct 20 18:37:22 UTC 2018
New revision: 339470
URL: https://svnweb.freebsd.org/changeset/base/339470

Log:
  pf synproxy will do the 3WHS on behalf of the target machine, and once
  the 3WHS is completed, establish the backend connection. The trigger
  for "3WHS completed" is the reception of the first ACK. However, we
  should not proceed if that ACK also has RST or FIN set.

  PR:		197484
  Obtained from:	OpenBSD
  MFC after:	2 weeks

Changes:
  head/sys/netpfil/pf/pf.c

Comment 3 commit-hook freebsd_committer

2018-11-18 10:48:35 UTC

A commit references this bug:

Author: kp
Date: Sun Nov 18 10:47:37 UTC 2018
New revision: 340558
URL: https://svnweb.freebsd.org/changeset/base/340558

Log:
  MFC r339470:

  pf synproxy will do the 3WHS on behalf of the target machine, and once
  the 3WHS is completed, establish the backend connection. The trigger
  for "3WHS completed" is the reception of the first ACK. However, we
  should not proceed if that ACK also has RST or FIN set.

  PR:		197484
  Obtained from:	OpenBSD

Changes:
_U  stable/12/
  stable/12/sys/netpfil/pf/pf.c

Comment 4 commit-hook freebsd_committer

2018-11-18 10:48:38 UTC

A commit references this bug:

Author: kp
Date: Sun Nov 18 10:47:51 UTC 2018
New revision: 340559
URL: https://svnweb.freebsd.org/changeset/base/340559

Log:
  MFC r339470:

  pf synproxy will do the 3WHS on behalf of the target machine, and once
  the 3WHS is completed, establish the backend connection. The trigger
  for "3WHS completed" is the reception of the first ACK. However, we
  should not proceed if that ACK also has RST or FIN set.

  PR:		197484
  Obtained from:	OpenBSD

Changes:
_U  stable/11/
  stable/11/sys/netpfil/pf/pf.c