Alexander Bluhm(alexander.bl...@gmx.net) on 2016.06.21 00:14:19 +0200:
> Hi,
>
> I have seen a problem with pf divert when the dynamic port in a nat
> rule got reused. The function pf_state_key_attach() reused the
> state as it was in TCPS_FIN_WAIT_2. The corresponding socket was
> not reused, as the the TCPS_TIME_WAIT case in tcp_input() has
> additional checks for timestamps and sequence numbers. When I port
> the condition SEQ_GT(th->th_seq, tp->rcv_nxt) from the stack to pf,
> the socket and state are kept in sync. Then divert works fine.
sounds convincing
> ok?
ok
>
> bluhm
>
> Index: net/pf.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
> retrieving revision 1.977
> diff -u -p -r1.977 pf.c
> --- net/pf.c 15 Jun 2016 11:49:34 -0000 1.977
> +++ net/pf.c 20 Jun 2016 21:18:53 -0000
> @@ -671,7 +671,8 @@ pf_state_key_attach(struct pf_state_key
> si->s->direction != s->direction))) {
> if (sk->proto == IPPROTO_TCP &&
> si->s->src.state >= TCPS_FIN_WAIT_2 &&
> - si->s->dst.state >= TCPS_FIN_WAIT_2) {
> + si->s->dst.state >= TCPS_FIN_WAIT_2 &&
> + SEQ_GT(s->src.seqlo, si->s->src.seqlo)) {
> si->s->src.state = si->s->dst.state =
> TCPS_CLOSED;
> /* remove late or sks can go away */
>
--
