opnsense-src/sys/net
Kristof Provost 14f52003bd pf: fix syncookies in conjunction with tcp fast port reuse
Basic scenario: we have a closed connection (in TCPS_FIN_WAIT_2), and
get a new connection (i.e. SYN) re-using the tuple.

Without syncookies we look at the SYN, and completely unlink the old,
closed state on the SYN.
With syncookies we send a generated SYN|ACK back, and drop the SYN,
never looking at the state table.

So when the ACK (i.e. the third step in the three way handshake for
connection setup) turns up, we’ve not actually removed the old state, so
we find it, and don’t do the syncookie dance, or allow the new
connection to get set up.

Explicitly check for this in pf_test_state_tcp(). If we find a state in
TCPS_FIN_WAIT_2 and the syncookie is valid we delete the existing state
so we can set up the new state.

Note that when we verify the syncookie in pf_test_state_tcp() we don't
decrement the number of half-open connections to avoid an incorrect
double decrement.

MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D37919

(cherry picked from commit 9c041b450d)
2023-01-28 02:34:38 +01:00
altq altq: improve pfctl config time for large numbers of queues 2022-08-18 09:12:13 +02:00
route nhop: hash ifnet pointer instead of if_index 2023-01-23 22:10:07 +00:00
bpf.c bpf: Fix BIOCPROMISC locking 2022-08-19 07:54:04 -04:00
bpf.h bpf: Correct a comment 2022-06-27 10:11:20 -04:00
bpf_buffer.c Add an external mbuf buffer type that holds multiple unmapped pages. 2019-06-29 00:48:33 +00:00
bpf_buffer.h
bpf_filter.c bpf(3): Grammar fix for a source code comment 2022-09-07 09:31:16 +02:00
bpf_jitter.c Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many) 2020-02-26 14:26:36 +00:00
bpf_jitter.h Make UMA and malloc(9) return non-executable memory in most cases. 2018-06-13 17:04:41 +00:00
bpf_zerocopy.c Change synchonization rules for vm_page reference counting. 2019-09-09 21:32:42 +00:00
bpf_zerocopy.h
bpfdesc.h bpf: Add an ioctl to set the VLAN Priority on packets sent by bpf 2021-08-02 16:50:32 +02:00
bridgestp.c bridgestp: validate timer values in config BPDU 2021-05-18 12:00:38 +02:00
bridgestp.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
debugnet.c debugnet: remove spurious message on boot 2023-01-23 08:50:12 -05:00
debugnet.h debugnet: Fix a typo in a source code comment 2022-08-10 14:22:10 +02:00
debugnet_inet.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
debugnet_int.h Implement NetGDB(4) 2019-10-17 21:33:01 +00:00
dlt.h net(4): Fix a typo in a source code comment 2022-04-09 08:16:21 +02:00
ethernet.h net(3): Fix a typo in a source code comment 2022-04-09 08:09:25 +02:00
firewire.h
ieee8023ad_lacp.c LACP: Do not wait response for marker messages not sent 2022-06-07 05:57:29 +02:00
ieee8023ad_lacp.h lacp: short timeout erroneously declares link-flapping 2022-05-01 12:16:18 -07:00
ieee_oui.h Remove "All Rights Reserved" from FreeBSD Foundation sys/ copyrights 2022-02-08 15:00:55 -05:00
if.c Add device and ifnet logging methods, similar to device_printf / if_printf 2023-01-23 20:42:53 -08:00
if.h netlink: add interface notification on link status / flags change. 2023-01-23 22:04:03 +00:00
if_arp.h Improve ARP logging. 2019-03-09 01:12:59 +00:00
if_bridge.c Introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro 2023-01-11 18:35:59 +08:00
if_bridgevar.h bridge: fix STP roles and protos strings 2021-02-04 15:22:45 +01:00
if_clone.c if_clone: rework cloning KPI 2023-01-23 22:10:07 +00:00
if_clone.h if_clone: rework cloning KPI 2023-01-23 22:10:07 +00:00
if_dead.c This adds the third step in getting BBR into the tree. BBR and 2019-08-01 14:17:31 +00:00
if_debug.c
if_disc.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_dl.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
if_edsc.c if_edsc: generate an arbitrary MAC address 2020-03-02 02:45:57 +00:00
if_enc.c Consistently include opt_ipsec.h for consumers of <netipsec/ipsec.h>. 2020-05-29 19:22:40 +00:00
if_enc.h
if_epair.c epair: unbind prior to returning to userspace 2022-05-14 11:10:47 +02:00
if_ethersubr.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_fwsubr.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_gif.c if_gif: fix vnet shutdown panic 2021-11-29 15:44:39 +01:00
if_gif.h gif_transmit() must always be called in the network epoch. 2020-01-15 06:18:32 +00:00
if_gre.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_gre.h Add GRE-in-UDP encapsulation support as defined in RFC8086. 2019-04-24 09:05:45 +00:00
if_infiniband.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_ipsec.c if_ipsec(4): handle situations where there are no policy or SADB entry for if 2023-01-22 11:18:09 +02:00
if_ipsec.h
if_lagg.c Fix unused variable warning in if_lagg.c 2022-07-24 13:00:09 +02:00
if_lagg.h Fix for IPoIB over lagg(4). 2020-12-29 17:35:06 +01:00
if_llatbl.c if_llatbl: Fix a typo in a debug statement 2022-06-10 14:27:33 +02:00
if_llatbl.h routing: Add unified level-based logging support for the routing subsystem. 2022-03-28 08:48:12 +00:00
if_llc.h
if_loop.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_me.c if_me: Use dedicated network privilege 2023-01-11 18:35:59 +08:00
if_media.c if_media.c SIOCGMEDIAX handler: improve loop 2020-11-03 14:33:04 +00:00
if_media.h if_media: definitions for 40GE LM4 ethernet media type 2020-09-16 14:45:16 +00:00
if_mib.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
if_mib.h
if_pflog.h pflog: align header to 4 bytes, not 8 2022-02-09 10:40:58 +01:00
if_pfsync.h pfsync: Expose PFSYNCF_OK flag to userspace 2021-05-10 21:45:57 +02:00
if_sppp.h
if_spppfr.c
if_spppsubr.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_stf.c if_stf: style(9) pass 2021-12-01 16:53:19 +01:00
if_tap.h tap: add support for virtio-net offloads 2019-10-18 21:53:27 +00:00
if_tun.h if_tuntap(4): Add TUNGIFNAME 2019-07-25 22:23:34 +00:00
if_tuntap.c routing: Allow using IPv6 next-hops for IPv4 routes (RFC 5549). 2021-09-07 21:25:06 +00:00
if_types.h Import the WireGuard driver from zx2c4.com. 2022-11-11 13:44:11 -08:00
if_var.h Add device and ifnet logging methods, similar to device_printf / if_printf 2023-01-23 20:42:53 -08:00
if_vlan.c if_vlan: avoid hash table thrashing when adding and removing entries 2022-08-05 13:54:25 +02:00
if_vlan_var.h vlan: deduplicate bpf_setpcp() and pf_ieee8021q_setpcp() 2021-08-02 16:50:32 +02:00
if_vxlan.c if_vxlan(4): Correct the statistic for output bytes 2023-01-11 18:35:59 +08:00
if_vxlan.h if_vxlan(4): add support for hardware assisted checksumming, TSO, and RSS. 2020-09-18 02:37:57 +00:00
ifdi_if.m iflib: Stop interface before (un)registering VLAN 2020-04-27 22:02:44 +00:00
iflib.c iflib: Introduce v2 of TX Queue Select Functionality 2022-10-19 16:38:09 -07:00
iflib.h iflib: Introduce v2 of TX Queue Select Functionality 2022-10-19 16:38:09 -07:00
iflib_clone.c Create wrapper for Giant taken for newbus 2022-06-21 17:13:20 +02:00
iflib_private.h - Replace unused and only ever written to members of public iflib(9) 2019-06-15 11:07:41 +00:00
ifq.h Make net/ifq.h C++ friendly 2020-11-20 14:45:45 +00:00
infiniband.h Factor out generic IP over infiniband, IPoIB, definitions and code 2020-10-22 09:09:53 +00:00
mp_ring.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
mp_ring.h mp_ring: avoid items offset difference between iflib and mp_ring 2019-01-03 23:06:05 +00:00
mppc.h
mppcc.c kernel: provide panicky version of __unreachable 2020-05-13 18:07:37 +00:00
mppcd.c
netisr.c netisr(9): Fix a typo in a source code comment 2022-09-06 07:39:57 +02:00
netisr.h
netisr_internal.h
netmap.h netmap: several typo fixes 2022-12-31 14:46:29 +00:00
netmap_legacy.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
netmap_user.h netmap: several typo fixes 2022-12-31 14:46:29 +00:00
netmap_virt.h netmap: disable passthrough with no hypervisor support 2020-01-13 21:47:23 +00:00
paravirt.h
pfil.c Since now drivers that support pfil run their interrupts in the network 2020-01-23 01:49:22 +00:00
pfil.h Most Ethernet drivers that potentially can run a pfil(9) hook with 2019-03-10 17:20:09 +00:00
pfkeyv2.h Add SADB_SAFLAGS_ESN flag 2020-10-16 11:22:29 +00:00
pfvar.h pf: fix syncookies in conjunction with tcp fast port reuse 2023-01-28 02:34:38 +01:00
ppp_defs.h
radix.c net: constantify radix.c functions 2023-01-13 21:24:11 +00:00
radix.h net: constantify radix.c functions 2023-01-13 21:24:11 +00:00
raw_cb.c Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many) 2020-02-26 14:26:36 +00:00
raw_cb.h
raw_usrreq.c socket: Implement SO_RERROR 2021-08-10 18:54:00 -07:00
rndis.h Hyper-V: hn: Enable vSwitch RSC support in hn netvsc driver 2021-03-29 03:20:03 -07:00
route.c netlink: add interface notification on link status / flags change. 2023-01-23 22:04:03 +00:00
route.h netlink: add interface notification on link status / flags change. 2023-01-23 22:04:03 +00:00
rss_config.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
rss_config.h
rtsock.c netlink: add interface notification on link status / flags change. 2023-01-23 22:04:03 +00:00
sff8436.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
sff8472.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
slcompress.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
slcompress.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
toeplitz.c
toeplitz.h
vnet.c Widen ifnet_detach_sxlock coverage 2021-02-17 14:12:54 +01:00
vnet.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00