Source-Changes-HG archive


[src/netbsd-2-0]: src/sys/netinet Pullup rev 1.69-1.70+patch (requested by jd...



details:   https://anonhg.NetBSD.org/src/rev/ebf7f02a80e4
branches:  netbsd-2-0
changeset: 562755:ebf7f02a80e4
user:      jmc <jmc%NetBSD.org@localhost>
date:      Mon Oct 04 06:04:25 2004 +0000

description:
Pullup rev 1.69-1.70+patch (requested by jdolecek in ticket #888)

Do not allow packets flagged with "out-of-window" (oow) to match "keep state"
rules and try to prevent such rules ("keep state with oow") from being loaded
into the kernel. PR#26581

diffstat:

 sys/netinet/fil.c |  22 ++++++++++++++++++++--
 1 files changed, 20 insertions(+), 2 deletions(-)

diffs (50 lines):

diff -r 009759b7544c -r ebf7f02a80e4 sys/netinet/fil.c
--- a/sys/netinet/fil.c Mon Oct 04 05:26:20 2004 +0000
+++ b/sys/netinet/fil.c Mon Oct 04 06:04:25 2004 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: fil.c,v 1.61.2.7 2004/08/23 06:05:51 tron Exp $        */
+/*     $NetBSD: fil.c,v 1.61.2.8 2004/10/04 06:04:25 jmc Exp $ */
 
 /*
  * Copyright (C) 1993-2003 by Darren Reed.
@@ -135,7 +135,7 @@
 #if !defined(lint)
 #if defined(__NetBSD__)
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.61.2.7 2004/08/23 06:05:51 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: fil.c,v 1.61.2.8 2004/10/04 06:04:25 jmc Exp $");
 #else
 static const char sccsid[] = "@(#)fil.c        1.36 6/5/96 (C) 1993-2000 Darren Reed";
 static const char rcsid[] = "@(#)Id: fil.c,v 2.243.2.25 2004/06/30 11:26:08 darrenr Exp";
@@ -1767,6 +1767,15 @@
                passt = fr->fr_flags;
 
                /*
+                * Allowing a rule with the "keep state" flag set to match
+                * packets that have been tagged "out of window" by the TCP
+                * state tracking is foolish as the attempt to add a new
+                * state entry to the table will fail.
+                */
+               if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW))
+                       continue;
+
+               /*
                 * If the rule is a "call now" rule, then call the function
                 * in the rule, if it exists and use the results from that.
                 * If the function pointer is bad, just make like we ignore
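Review bot: the new `continue` skips the keep-state rule silently for an out-of-window packet, so the packet goes on to be evaluated against the following rules with nothing recorded about the skipped match; the comment says why the state insertion would fail but not what happens to the packet instead. Consider extending the comment to state that evaluation continues with the next rule, and whether a statistics counter should be bumped so operators can see keep-state rules being bypassed for oow traffic.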
@@ -3999,6 +4008,15 @@
        }
 
        /*
+        * Allowing a rule with both "keep state" and "with oow" is
+        * pointless because adding a state entry to the table will
+        * fail with the out of window (oow) flag set.
+        */
+       if ((fp->fr_flags & FR_KEEPSTATE)
+           && fp->fr_dun.fru_ipf != NULL && (fp->fr_flx & FI_OOW))
+               return EINVAL;
+
+       /*
         * If the rule is being loaded from user space, i.e. we had to copy it
         * into kernel space, then do not trust the function pointer in the
         * rule.
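Review bot: in the new condition the `fp->fr_dun.fru_ipf != NULL` test sits between the flag checks with no comment explaining it, and the ordering is load-bearing: short-circuit evaluation is what keeps `fp->fr_flx` from being read when that pointer is NULL, so a one-line comment would stop a later reordering. Note also that this load-time check only rejects rules that explicitly carry "with oow" together with "keep state", while the per-packet check earlier in this diff guards every keep-state rule, so the runtime `continue` remains the actual safety net and the two checks are not equivalent. A bare `EINVAL` also gives the loading tool no way to distinguish this rejection from other invalid rules; if the kernel has a diagnostic path for rule validation, this would be a good place to use it.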


