Re: pf misfeature

Mon, 12 Nov 2007 19:01:48 -0800 

On Monday 12 November 2007, Daniel Hartmeier wrote:
> On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:
> > Daniel, do you spot anything strange with these skip steps (or
> > otherwise)?
>
> The problem is the lack of IP reassembly in this configuration.
>
> In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is
> skipped.

Ah, I missed that one.  Wouldn't it make sense to conditionalize these 
tests on the protocol?  The attached can probably be optimized, but you 
get the general idea.

It seems wrong that an explicit udp-rule behaves differently than an 
implied one.

> Generally, stateful filtering _requires_ IP reassembly. As long as no
> fragmentation occurs, it works even without reassembly. I suspect your
> UDP NFS traffic is fragmented.
>
> Try adding
>
>   scrub in on $if all fragment reassemble
>
> at the top.


-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Index: pf.c
===================================================================
RCS file: /home/ncvs/src/sys/contrib/pf/net/pf.c,v
retrieving revision 1.50
diff -u -r1.50 pf.c
--- pf.c	28 Oct 2007 17:12:46 -0000	1.50
+++ pf.c	13 Nov 2007 02:58:31 -0000
@@ -4560,9 +4560,17 @@
 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
 		else if (r->tos && !(r->tos == pd->tos))
 			r = TAILQ_NEXT(r, entries);
-		else if (r->src.port_op || r->dst.port_op ||
-		    r->flagset || r->type || r->code ||
-		    r->os_fingerprint != PF_OSFP_ANY)
+		else if (r->os_fingerprint != PF_OSFP_ANY)
+			r = TAILQ_NEXT(r, entries);
+		else if (pd->proto == IPPROTO_UDP &&
+		    (r->src.port_op || r->dst.port_op))
+			r = TAILQ_NEXT(r, entries);
+		else if (pd->proto == IPPROTO_TCP &&
+		    (r->src.port_op || r->dst.port_op || r->flagset))
+			r = TAILQ_NEXT(r, entries);
+		else if ((pd->proto == IPPROTO_ICMP ||
+		    pd->proto == IPPROTO_ICMPV6) &&
+		    (r->type || r->code))
 			r = TAILQ_NEXT(r, entries);
 		else if (r->prob && r->prob <= arc4random())
 			r = TAILQ_NEXT(r, entries);

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to