Bug 143504 - outgoing states are not killed by authpf(8)
Summary: outgoing states are not killed by authpf(8)
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 7.2-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-pf (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-02 22:30 UTC by Olli Hauer
Modified: 2024-10-28 19:50 UTC

See Also:


Attachments
patch_authpf.c (1.09 KB, patch), 2010-02-02 22:30 UTC, Olli Hauer

Description Olli Hauer 2010-02-02 22:30:01 UTC
Outgoing states are not killed by authpf, since psk.psk_af is
overridden in authpf_kill_states with the number of killed states
for the incoming ipsrc.

The patch is only needed until code from OpenBSD >= 200811 is merged
into FreeBSD, since OpenBSD 4.4+ returns the number of killed states in
psk.psk_killed.

The OpenBSD change is not documented in the man page at the moment,
but you can find it in the source (net/pfvar.h).
I found it this way while hacking on snortsam.

Please also see my PR 140369, which corrects the man page for FreeBSD.

From pf(4):

DIOCKILLSTATES struct pfioc_state_kill *psk
     Remove matching entries from the state table. This ioctl returns
     the number of killed states in psk_af.


Here are the structs from FreeBSD and OpenBSD

FreeBSD:
struct pfioc_state_kill {
        /* XXX returns the number of states killed in psk_af */
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
};

OpenBSD_4.4/4.5:
struct pfioc_state_kill {
        struct pf_state_cmp     psk_pfcmp;
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
        char                    psk_label[PF_RULE_LABEL_SIZE];
        u_int                   psk_killed;
};

Fix: The attached patch saves the sa_family in a variable 'saf' and restores
psk.psk_af to this family after killing the states from the incoming ipsrc.
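The failure described in this report, as an added, self-contained model that is not the authpf source and does not use <net/pfvar.h>. `struct model_psk` is a cut-down stand-in for `struct pfioc_state_kill`, `fake_killstates()` stands in for the DIOCKILLSTATES ioctl and, like the pf(4) text quoted above, writes the kill count into `psk_af`; the model follows pf in treating a zero `psk_af` as match-any. The state table, the client address 10.0.0.5 and the peer addresses are constructed test data. `kill_states_buggy()` mirrors the two-pass structure of authpf_kill_states() (kill states from the client, then states to the client, reusing one psk); `kill_states_fixed()` adds the `saf` save/restore the attached patch describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET */

/* One pf state in the model: family and both endpoints. Addresses are
 * host-order IPv4 integers (constructed model data, not struct pf_state). */
struct model_state {
    int          af;
    unsigned int src;
    unsigned int dst;
    int          alive;
};

/* Stand-in for struct pfioc_state_kill, reduced to the fields this bug
 * touches. Zero in psk_af, psk_src or psk_dst means "match any". */
struct model_psk {
    int          psk_af;   /* in: family to match; out: number of states killed */
    unsigned int psk_src;
    unsigned int psk_dst;
};

/* Stand-in for ioctl(dev_fd, DIOCKILLSTATES, &psk): kills every matching
 * state and, as the old pf(4) API quoted in the PR documents, returns the
 * kill count in psk_af, clobbering the family the caller passed in. */
static int
fake_killstates(struct model_state *tbl, size_t n, struct model_psk *psk)
{
    int killed = 0;

    for (size_t i = 0; i < n; i++) {
        struct model_state *s = &tbl[i];

        if (!s->alive)
            continue;
        if (psk->psk_af != 0 && s->af != psk->psk_af)
            continue;
        if (psk->psk_src != 0 && s->src != psk->psk_src)
            continue;
        if (psk->psk_dst != 0 && s->dst != psk->psk_dst)
            continue;
        s->alive = 0;
        killed++;
    }
    psk->psk_af = killed;   /* the in/out aliasing behind this PR */
    return 0;
}

/* Two passes as in authpf_kill_states(): states from the client, then
 * states to the client, same psk. Pass two inherits psk_af == <count>. */
static void
kill_states_buggy(struct model_state *tbl, size_t n, unsigned int client)
{
    struct model_psk psk;

    memset(&psk, 0, sizeof(psk));
    psk.psk_af = AF_INET;
    psk.psk_src = client;
    fake_killstates(tbl, n, &psk);

    psk.psk_src = 0;          /* psk_af now holds the kill count, not AF_INET */
    psk.psk_dst = client;
    fake_killstates(tbl, n, &psk);
}

/* Same logic with the fix from the PR: keep the family in 'saf' and
 * restore it before the second DIOCKILLSTATES. */
static void
kill_states_fixed(struct model_state *tbl, size_t n, unsigned int client)
{
    struct model_psk psk;
    int saf = AF_INET;

    memset(&psk, 0, sizeof(psk));
    psk.psk_af = saf;
    psk.psk_src = client;
    fake_killstates(tbl, n, &psk);

    psk.psk_af = saf;         /* restore what the ioctl clobbered */
    psk.psk_src = 0;
    psk.psk_dst = client;
    fake_killstates(tbl, n, &psk);
}

/* Builds a constructed table with n_from states from the client and n_to
 * states to it, runs a kill routine and returns how many states survive. */
static int
survivors(void (*kill)(struct model_state *, size_t, unsigned int),
          int n_from, int n_to)
{
    const unsigned int client = 0x0a000005u;   /* 10.0.0.5, constructed */
    struct model_state tbl[32];
    size_t n = 0;
    int alive = 0;

    for (int i = 0; i < n_from && n < 32; i++)
        tbl[n++] = (struct model_state){ AF_INET, client, 0xc0a80100u + i, 1 };
    for (int i = 0; i < n_to && n < 32; i++)
        tbl[n++] = (struct model_state){ AF_INET, 0xc0a80100u + i, client, 1 };

    kill(tbl, n, client);
    for (size_t i = 0; i < n; i++)
        alive += tbl[i].alive;
    return alive;
}

int
main(void)
{
    printf("buggy, 3 in / 2 out: %d survive\n", survivors(kill_states_buggy, 3, 2));
    printf("fixed, 3 in / 2 out: %d survive\n", survivors(kill_states_fixed, 3, 2));
    printf("buggy, 2 in / 2 out: %d survive\n", survivors(kill_states_buggy, 2, 2));
    return 0;
}
```

With three incoming states the buggy routine leaves both outgoing states alive: pass two runs with `psk_af == 3`, which matches no real family. The model also shows why the bug is easy to miss in testing: when pass one kills exactly two states, `psk_af` ends up equal to AF_INET (2) and pass two works by coincidence, and when it kills none, `psk_af` becomes the match-any value 0 and pass two works as well.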
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-02-02 22:41:40 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 Olli Hauer 2010-12-19 18:29:16 UTC
Any chance to get these trivial fixes into
FreeBSD 7.4/8.2, or to get any feedback?

http://www.freebsd.org/cgi/query-pr.cgi?pr=140369
http://www.freebsd.org/cgi/query-pr.cgi?pr=143504

--
Regards,
olli
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:06 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:39:35 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>