
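--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -735,4 +735,3 @@
 	    break ;
-	default:
+	case TH_RST | (TH_RST << 8) :
-#if 0
 	    /*
@@ -741,7 +740,18 @@
 	     */
-	    if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
-		printf("invalid state: 0x%x\n", q->state);
+	    printf("invalid state: 0x%x\n", q->state);
-#endif
 	    q->expire = time_second + dyn_rst_lifetime ;
 	    break ;
+	default:
+	    /*
+             * A TCP packet found in unknown state, drop it.
+	     */
+	    DEB(printf("packet should be dropped (state: 0x%x)\n", q->state));
+            old_q = q ;
+            if (prev != NULL)
+                prev->next = q = q->next ;
+            else
+                ipfw_dyn_v[i] = q = q->next ;
+            dyn_count-- ;
+            free(old_q, M_IPFW);
+	    break ;
 	}
@@ -838,4 +848,7 @@
     }
-    if (dyn_count >= dyn_max) /* try remove old ones... */
-	remove_dyn_rule(NULL, 0 /* expire */);
+    /*
+     * Unconditionally remove expired states.
+     */
+    remove_dyn_rule(NULL, 0 /* expire */);
+
     if (dyn_count >= dyn_max) {
@@ -1277,5 +1290,43 @@
 		 */
-		if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S)
-		    install_state(chain);
+		if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
+		    /*
+		     * Instead of unconditionally adding a new state,
+		     * check the protocol and flags, and add a new state
+		     * or ignore packet.
+		     */
+		    switch(proto) {
+		        case IPPROTO_TCP:
+		            if (flags & TH_SYN) {
+		                DEB(printf("-- installing state for TCP packet\n"));
+		                install_state(chain);
+		            } else {
+		                DEB(printf("-- invalid TCP connection state\n"));
+		            }
+                            break;
+		        case IPPROTO_UDP:
+		            DEB(printf("-- installing state for UDP packet\n"));
+		            install_state(chain);
+                            break;
+		        case IPPROTO_ICMP:
+		            if (is_icmp_query(ip)) {
+		                DEB(printf("-- installing state for ICMP packet\n"));
+		                install_state(chain);
+		            } else {
+		                DEB(printf("-- invalid ICMP connection state\n"));
+		            }
+                            break;
+		        default:
+		            /*
+		             * Unknown packet, if default is to accept all
+		             * packets, add a new state, otherwise ignore.
+			     */
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+		            DEB(printf("-- installing state for unknown packet\n"));
+		            install_state(chain);
+#else
+		            DEB(printf("invalid unknown protocol connection state\n"));
+#endif
+                            break;
+                    }
+		}
 #endif
- snip --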
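Review bot: The IPPROTO_TCP branch added in the 1277-1280 hunk tests only `flags & TH_SYN`, so a segment carrying SYN|ACK (or SYN with other flags set) still installs a dynamic state even though nothing on this side ever sent the SYN that would justify it; the check should be `if ((flags & (TH_SYN | TH_ACK)) == TH_SYN) {` so that only a genuine connection request creates an entry in a table whose size is bounded by dyn_max. The `default:` case added in the 741-747 hunk frees the matched entry and leaves `q` pointing at the following entry (or NULL), so whatever the enclosing function does with `q` after the switch must treat this as "no match" rather than as the state that was found — that code is outside the hunk and worth confirming, as is that no caller still holds `old_q`. As a point of style, the `break;` lines in the new switch are indented with spaces while the surrounding code uses tabs. The enclosing functions of all hunks start and end outside the visible diff.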
