ipf - RST packet w. sequence num.

[rudolf <netbsd%eq.cz@localhost>]

Hi,

i think i've found one disagreement about what our tcp stack thinks 
belongs to communication session and what ipf thinks belongs to the 
session ("keep state").

Situation:

my_comp ----- Internet ----- other_comp

on other_comp:
================
- port 18000 is closed

# tcpdump -n -p -vvv tcp port 18000
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 
bytes
14:05:19.645888 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto 
TCP (6), length 64) IP0.65351 > IP1.18000: S, cksum 0x8a20 (correct), 
3076040396:3076040396(0) win 32768 <mss 1380,nop,wscale 
3,sackOK,nop,nop,nop,nop,timestamp 1 0>
14:05:19.646079 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
TCP (6), length 40) IP1.18000 > IP0.65351: R, cksum 0x83a3 (correct), 
0:0(0) ack 3076040397 win 0

on my_comp:
=============
# ipfstat -io
block out all
pass out quick on lo0 all
pass out quick on rtk0 proto tcp from any to any keep state
pass out quick on rtk0 proto udp from any to any keep state
pass out quick on rtk0 proto icmp from any to any keep state
block in all
pass in quick on lo0 all

# tcpdump -n -p -vvv tcp port 18000
tcpdump: listening on rtk0, link-type EN10MB (Ethernet), capture size 96 
bytes
20:09:20.158824 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
TCP (6), length 64) IP0.65351 > IP1.18000: S, cksum 0xbda7 (correct), 
2102555286:2102555286(0) win 32768 <mss 1460,nop,wscale 
3,sackOK,nop,nop,nop,nop,timestamp 1 0>
20:09:20.451227 IP (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto 
TCP (6), length 40) IP1.18000 > IP0.65351: R, cksum 0xa7f2 (correct), 
810606391:810606391(0) ack 2102555287 win 0

(launched "telnet IP1 18000" on my_comp)

Although the other_comp is sending the RST packet with sequence number 0 
(which is correct, if i read the RFC0793/STD0007 paper right (3.4; Reset 
Generation; 1.): "If the incoming segment has an ACK field, the reset 
takes its sequence number from the ACK field of the segment, otherwise 
the reset has sequence number zero and ..."), it reaches my_comp with 
sequence number set to 810606391 (there may be some Cisco ASA between 
the computers, i am not sure).

The problem is, that with the aforementioned ipf rules the packet is not 
being recognized as being part of the "communication session" and is 
dropped by the ipf. Thus the telnet is trying to send another SYNs and 
eventually times out. If i remove all ipf rules, the RST packet is 
recognized by the tcp stack as correct and is returned to telnet and it 
immediately reports, that the connection was refused.

I am no expert and i am not sure, if i read all the info correctly. 
Anyway, I am curious:
1) why do we recognize this RST to be correct in our stack (iiuc, this 
packet violates the mentioned rfc/standard?)
2) if there are reasons allowing such packets, why does the ipf not 
recognize them as correct?

This is on netbsd-5,
# ipf -V
ipf: IP Filter: v4.1.29 (396)
Kernel: IP Filter: v4.1.29
[...]

(btw. if the RST packet has seq. num. 0, it is correctly recognized by 
the ipf "keep state" rule as part of the session)

Thanks,

r.