Bug 143504

Summary: outgoing states are not killed by authpf(8)
Product: Base System
Reporter: Olli Hauer <ohauer>
Component: bin
Assignee: freebsd-pf (Nobody) <pf>
Status: Open ---
Severity: Affects Only Me
CC: Alexander88207, pf
Priority: Normal
Version: 7.2-RELEASE
Hardware: Any
OS: Any
Attachments: patch_authpf.c (flags: none)

Description Olli Hauer 2010-02-02 22:30:01 UTC
Outgoing states are not killed by authpf, since psk.psk_af is
overridden in authpf_kill_states with the number of killed states
for the incoming ipsrc.

The patch is only needed until code from OpenBSD >=200811 is merged
into FreeBSD, since OpenBSD_4.4+ returns the number of killed states in
psk.psk_killed.

The OpenBSD change is not documented in the man page at the moment,
but you can find it in the source (net/pfvar.h).
I found it this way while hacking on snortsam.

Please also see my PR 140369 to correct the man page for FreeBSD.

From man (4) pf:

DIOCKILLSTATES struct pfioc_state_kill *psk
     Remove matching entries from the state table. This ioctl returns
     the number of killed states in psk_af.


Here are the structs from FreeBSD and OpenBSD:

FreeBSD:
struct pfioc_state_kill {
        /* XXX returns the number of states killed in psk_af */
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
};

OpenBSD_4.4/4.5:
struct pfioc_state_kill {
        struct pf_state_cmp     psk_pfcmp;
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
        char                    psk_label[PF_RULE_LABEL_SIZE];
        u_int                   psk_killed;
};

Fix: The following patch saves the sa_family into a variable 'saf' and restores
psk.psk_af to this family after killing states from the incoming ipsrc.
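An added example, not the attached patch_authpf.c: a stand-alone C simulation of the kill sequence described above, with the kernel ioctl replaced by a constructed stub that behaves as pf(4) documents DIOCKILLSTATES on 7.2 (the kill count is written back into psk_af), so the buggy sequence and the 'saf'-restoring fix can be compared. The struct, constants and function names are simplified stand-ins, not the real pf headers.

```c
#include <string.h>

#define SIM_AF_INET 2   /* constructed stand-in for AF_INET */
#define SIM_KILLED  3   /* constructed: states the stub reports as killed per call */

/* Minimal stand-in for struct pfioc_state_kill; only the fields the bug needs. */
struct sim_state_kill {
    unsigned char psk_af;      /* sa_family_t: family in, kill count out (7.2) */
    int           psk_proto;
    char          psk_src[16]; /* constructed: address as text, not pf_rule_addr */
    char          psk_dst[16];
};

static unsigned char last_af_seen; /* the family the stub was asked to match */

/* Stub for ioctl(dev, DIOCKILLSTATES, &psk) as pf(4) documents it on 7.2:
 * returns 0 and reports the number of killed states in psk_af. */
static int sim_kill_states(struct sim_state_kill *psk)
{
    last_af_seen = psk->psk_af;
    psk->psk_af = SIM_KILLED;   /* this overwrite is the bug the report describes */
    return 0;
}

/* Mirrors authpf_kill_states: kill states from ipsrc, then states to ipsrc.
 * With fixed == 0 the second kill is issued with psk_af == kill count, so no
 * outgoing state can match; with fixed != 0 the family is restored from 'saf'.
 * Returns the family the outgoing kill was issued with. */
static int kill_both_directions(unsigned char af, const char *ipsrc, int fixed)
{
    struct sim_state_kill psk;
    unsigned char saf = af;     /* the 'saf' variable from the proposed patch */

    memset(&psk, 0, sizeof(psk));
    psk.psk_af = af;
    strncpy(psk.psk_src, ipsrc, sizeof(psk.psk_src) - 1);
    sim_kill_states(&psk);      /* incoming: psk_af now holds a count */

    if (fixed)
        psk.psk_af = saf;       /* restore the family before the second kill */
    memset(psk.psk_src, 0, sizeof(psk.psk_src));
    strncpy(psk.psk_dst, ipsrc, sizeof(psk.psk_dst) - 1);
    sim_kill_states(&psk);      /* outgoing */
    return last_af_seen;
}
```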
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-02-02 22:41:40 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 Olli Hauer 2010-12-19 18:29:16 UTC
Any chance to get these trivial fixes into
FreeBSD_7_4/8_2, or to get any feedback?

http://www.freebsd.org/cgi/query-pr.cgi?pr=140369
http://www.freebsd.org/cgi/query-pr.cgi?pr=143504

--
Regards,
olli
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:06 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:39:35 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>