On Wed, Dec 02, 2020 at 12:43:28AM +0100, Alexandr Nedvedicky wrote:
> the fix is to apply synproxy action on inbound packets only. Diff below
> does that exactly. Furthermore it also makes pfctl(8) to emit warning,
> when synproxy is being used in outbound/unbound rule:
Sounds reasonable.
> lumpy$ echo 'pass proto tcp from any to any port = 80 synproxy state'
> |./pfctl -nf -
> warning (stdin:1): synproxy acts on inbound packets only
> synproxy action is ignored for outbound packets
Just a style nit. Other errors do not put stdin:1 in brackes. One
line per error. In pf.conf the rule direction matters. What about
stdin:1 warning: synproxy used for inbound rules only, ignored for outbound
> OK?
OK bluhm@
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
> index f06171158cb..d052b5b9a0e 100644
> --- a/sbin/pfctl/parse.y
> +++ b/sbin/pfctl/parse.y
> @@ -4042,6 +4042,13 @@ rule_consistent(struct pf_rule *r)
> "synproxy state or modulate state");
> problems++;
> }
> +
> + if ((r->keep_state == PF_STATE_SYNPROXY) && (r->direction != PF_IN))
> + fprintf(stderr, "warning (%s:%d): "
> + "synproxy acts on inbound packets only\n"
> + " synproxy action is ignored for outbound packets\n",
> + file->name, yylval.lineno);
> +
> if ((r->nat.addr.type != PF_ADDR_NONE ||
> r->rdr.addr.type != PF_ADDR_NONE) &&
> r->action != PF_MATCH && !r->keep_state) {
> diff --git a/sys/net/pf.c b/sys/net/pf.c
> index 823fdc22133..986ee57bff9 100644
> --- a/sys/net/pf.c
> +++ b/sys/net/pf.c
> @@ -4161,7 +4161,7 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r,
> struct pf_rule *a,
> s->tag = tag;
> }
> if (pd->proto == IPPROTO_TCP && (th->th_flags & (TH_SYN|TH_ACK)) ==
> - TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
> + TH_SYN && r->keep_state == PF_STATE_SYNPROXY && pd->dir == PF_IN) {
> int rtid = pd->rdomain;
> if (act->rtableid >= 0)
> rtid = act->rtableid;
