git: b09707abf932 - main - pf: synproxy should be processing incoming SYN packets only.
Date: Tue, 15 Jul 2025 10:07:50 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=b09707abf932d3fea37aa7ef8bab0e9631fb7529
commit b09707abf932d3fea37aa7ef8bab0e9631fb7529
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-07 14:47:42 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-15 07:55:28 +0000
pf: synproxy should be processing incoming SYN packets only.
Issue noticed by sthen@. Fix discussed with bluhm@ and procter@.
OK bluhm@, kn@, procter@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 4e62cf09d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/parse.y | 4 ++++
share/man/man5/pf.conf.5 | 1 +
sys/netpfil/pf/pf.c | 2 +-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 9a917d1d8464..4286b6149ac6 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -5324,6 +5324,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
"synproxy state or modulate state");
problems++;
}
+ if ((r->keep_state == PF_STATE_SYNPROXY) && (r->direction != PF_IN))
+ fprintf(stderr, "%s:%d: warning: "
+ "synproxy used for inbound rules only, "
+ "ignored for outbound\n", file->name, yylval.lineno);
if (r->rule_flag & PFRULE_AFTO && r->rt) {
if (r->rt != PF_ROUTETO && r->rt != PF_REPLYTO) {
yyerror("dup-to "
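Review bot: The new warning's body is a multi-line `fprintf` left unbraced, while the neighbouring checks in this hunk (the `problems++` block above and the `dup-to` check below) brace their bodies; wrapping it in `{ ... }` matches the surrounding style and removes the dangling-statement hazard if a second line is ever added. The condition `r->direction != PF_IN` also fires for rules with no explicit direction (PF_INOUT), which looks intentional since the kernel side only honours the inbound half, but the text could say so plainly: `"synproxy state applies to inbound packets only, ignored for outbound\n"`. Not incrementing `problems` appears deliberate, since this is a warning rather than an error. filter_consistent's body begins and ends outside the hunk.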
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index b5843d67e106..a51fde500367 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -2574,6 +2574,7 @@ will not work if
.Xr pf 4
operates on a
.Xr bridge 4 .
+Also they act on incoming SYN packets only.
.Pp
Example:
.Bd -literal -offset indent
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index a410fe570c39..ac05cad7d4c8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6219,7 +6219,7 @@ pf_create_state(struct pf_krule *r, struct pf_test_ctx *ctx,
if (ctx->tag > 0)
s->tag = ctx->tag;
if (pd->proto == IPPROTO_TCP && (tcp_get_flags(th) & (TH_SYN|TH_ACK)) ==
- TH_SYN && r->keep_state == PF_STATE_SYNPROXY) {
+ TH_SYN && r->keep_state == PF_STATE_SYNPROXY && pd->dir == PF_IN) {
pf_set_protostate(s, PF_PEER_SRC, PF_TCPS_PROXY_SRC);
pf_undo_nat(ctx->nr, pd, bip_sum);
s->src.seqhi = arc4random();
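Review bot: The added `pd->dir == PF_IN` term means a synproxy rule that matches in another direction now silently takes the non-synproxy path and creates an ordinary state, and nothing at the condition records why. A one-line comment above the `if` would spare the next reader a trip to the man page: `/* synproxy handles incoming SYNs only; other directions fall back to plain keep state (pfctl warns at parse time). */`. The fallback itself is only implied here, since the code after the closing brace lies outside the hunk; pf_create_state begins and ends outside the hunk.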