git: aab8c844b91a - main - tcp/ipfw: fix "ipfw fwd localaddr,port"

From: Gleb Smirnoff <glebius_at_FreeBSD.org>
Date: Thu, 05 Jan 2023 22:40:46 UTC
The branch main has been updated by glebius:

URL: https://cgit.FreeBSD.org/src/commit/?id=aab8c844b91a74f9b0e9ccc3b5dbc9be4007e293

commit aab8c844b91a74f9b0e9ccc3b5dbc9be4007e293
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2023-01-05 22:34:50 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2023-01-05 22:34:50 +0000

    tcp/ipfw: fix "ipfw fwd localaddr,port"
    
    The ipfw(4) feature of forwarding to local address without modifying
    a packet was broken.  The first lookup needs to always be a non-wildcard
    one, cause its goal is to find an already existing socket.  Otherwise
    a local wildcard listener with the same port number may match resulting
    in the connection being forwarded to wrong port.
    
    Reported by:    Pavel Polyakov <bsd kobyla.org>
    Fixes:          d88eb4654f372d0451139a1dbf525a8f2cad1cf8
---
 sys/netinet/tcp_input.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 5141903522bf..606f6649d73d 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -834,7 +834,7 @@ findpcb:
 		 */
 		inp = in6_pcblookup_mbuf(&V_tcbinfo,
 		    &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport,
-		    lookupflag, m->m_pkthdr.rcvif, m);
+		    lookupflag & ~INPLOOKUP_WILDCARD, m->m_pkthdr.rcvif, m);
 		if (!inp) {
 			/*
 			 * It's new.  Try to find the ambushing socket.
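
Review bot: The `lookupflag & ~INPLOOKUP_WILDCARD` argument in the in6_pcblookup_mbuf() call has no in-code explanation, and the comment above the call is left untouched by this hunk. The reason the first lookup must not match a wildcard listener is given only in the commit message. A sentence in that comment saying this pass is looking for an already existing socket, so wildcard matching is masked off here, would keep a later cleanup from silently dropping the mask.
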
@@ -865,7 +865,8 @@ findpcb:
 		 * already got one like this?
 		 */
 		inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport,
-		    ip->ip_dst, th->th_dport, lookupflag, m->m_pkthdr.rcvif, m);
+		    ip->ip_dst, th->th_dport, lookupflag & ~INPLOOKUP_WILDCARD,
+		    m->m_pkthdr.rcvif, m);
 		if (!inp) {
 			/*
 			 * It's new.  Try to find the ambushing socket.
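
Review bot: The same `lookupflag & ~INPLOOKUP_WILDCARD` expression is repeated in the in_pcblookup_mbuf() call, so the IPv4 and IPv6 paths now rely on two hand-written copies staying in sync. Consider computing the masked flags once into a local variable and passing that to both calls. The diffstat lists only sys/netinet/tcp_input.c, so a regression test for "fwd" to a local address with a wildcard listener on the same port number would be worth adding as a follow-up.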