[patch] outgoing states are not killed by authpf
olli hauer
ohauer at gmx.de
Tue Feb 2 22:21:02 UTC 2010
>Submitter-Id: current-users
>Originator: olli hauer <ohauer at gmx.de>
>Organization:
>Confidential: no
>Synopsis: [patch] outgoing states are not killed by authpf
>Severity: non-critical
>Priority: low
>Category: kern
>Class: sw-bug
>Release: FreeBSD 7.2-RELEASE-p6 i386
>Environment: System: FreeBSD 7.2-RELEASE-p6
>Description:
Outgoing states are not killed by authpf, since psk.psk_af is
overridden in authpf_kill_states with the No. of killed states
for incoming ipsrc.
Patch is only needed until code from OpenBSD >=200811 is merged
to FreeBSD since OpenBSD_4.4+ returns the No. of killed states in
psk.psk_killed.
The OpenBSD change is not documented in the man page at the moment,
but you can find it out in the source (net/pfvar.h).
I found it this way by hacking snortsam.
Please also see my PR 140369 to correct the man page for FreeBSD.
From man (4) pf:
        DIOCKILLSTATES struct pfioc_state_kill *psk
        Remove matching entries from the state table. This ioctl returns
        the number of killed states in psk_af.
Here are the structs from FreeBSD and OpenBSD
FreeBSD:
struct pfioc_state_kill {
        /* XXX returns the number of states killed in psk_af */
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
};
OpenBSD_4.4/4.5:
struct pfioc_state_kill {
        struct pf_state_cmp     psk_pfcmp;
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
        char                    psk_label[PF_RULE_LABEL_SIZE];
        u_int                   psk_killed;
};
>How-To-Repeat:
>Fix:
The following patch saves the sa_family into a variable 'saf' and restores
psk.psk_af to this family after killing states from incoming ipsrc.
--- patch_authpf.c begins here ---
Index: base/stable/7/contrib/pf/authpf/authpf.c
===================================================================
--- base/stable/7/contrib/pf/authpf/authpf.c (revision 203401)
+++ base/stable/7/contrib/pf/authpf/authpf.c (working copy)
@@ -788,14 +788,15 @@ authpf_kill_states(void)
{
struct pfioc_state_kill psk;
struct pf_addr target;
+ sa_family_t saf; /* safe AF_INET family */
memset(&psk, 0, sizeof(psk));
memset(&target, 0, sizeof(target));
if (inet_pton(AF_INET, ipsrc, &target.v4) == 1)
- psk.psk_af = AF_INET;
+ psk.psk_af = saf = AF_INET;
else if (inet_pton(AF_INET6, ipsrc, &target.v6) == 1)
- psk.psk_af = AF_INET6;
+ psk.psk_af = saf = AF_INET6;
else {
syslog(LOG_ERR, "inet_pton(%s) failed", ipsrc);
return;
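Review bot: the comment on the new declaration, `/* safe AF_INET family */`, is inaccurate on two counts: `saf` is a saved copy rather than a "safe" one, and it holds AF_INET6 as well as AF_INET (see the second branch, `psk.psk_af = saf = AF_INET6;`). Suggest `sa_family_t saf; /* saved address family of ipsrc */`. The chained assignments work, but two plain assignments per branch would match the style of the surrounding code and make the intent (remember the family for a later restore) easier to see.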
@@ -809,6 +810,9 @@ authpf_kill_states(void)
if (ioctl(dev, DIOCKILLSTATES, &psk))
syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
+ /* restore AF_INET, since it contains now the Nr. of killed states */
+ psk.psk_af = saf;
+
/* Kill all states to ipsrc */
memset(&psk.psk_src, 0, sizeof(psk.psk_src));
memcpy(&psk.psk_dst.addr.v.a.addr, &target,
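Review bot: the restore comment `/* restore AF_INET, since it contains now the Nr. of killed states */` names the wrong thing and is ungrammatical: what is restored is psk_af to whichever family was saved in `saf`, not AF_INET specifically. Suggest `/* DIOCKILLSTATES returned the kill count in psk_af; restore the family */`. Placing the restore after the error syslog, so that it runs whether or not the ioctl failed, is correct, since the second DIOCKILLSTATES further down still needs a valid family in psk_af. As the kill count is only available at this point before it is overwritten, consider logging it here (the existing syslog reports failures only); that would also make the symptom this patch fixes visible in operation.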
--- patch_authpf.c ends here ---