
List:       ipfilter
Subject:    Patch for 3.1.11 ip_state.c
From:       Darren Reed <darrenr () cyber ! com ! au>
Date:       1997-06-09 13:17:23


Following is a patch for ip_state.c to fix a problem with TCP RST packets
which only include a non-zero SEQ # in the RST packet.  The problem being
that when you are using "keep state", it expects SEQ & ACK numbers to be
non-zero and to be within the current window.  In some cases, an RST will
be returned (as a reply) but will have a missing ACK field (i.e. it will be
zero) and the ACK flag will not be set.  IP Filter will toss these aside
as the packet is determined to not be within the current window of
operation.  Thanks to Guido van Rooij for working this out and coming up
with a patch!

Cheers,
Darren

p.s. there will be another 3.2alpha RSN with this patch too, although it
should apply rather cleanly.
p.p.s. I'll put this on the FTP site as "3.1.11_patch1" - no idea if I
will make a 3.1.12 yet.

Index: ip_state.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_state.c,v
retrieving revision 2.0.1.5
diff -c -r2.0.1.5 ip_state.c
*** 2.0.1.5     1997/04/13 22:29:18
--- ip_state.c  1997/06/09 13:11:32
***************
*** 233,239 ****
  	 */
  	seq = ntohl(tcp->th_seq);
  	ack = ntohl(tcp->th_ack);
! 	if (sport == is->is_sport) {
  		seqskew = seq - is->is_seq;
  		ackskew = ack - is->is_ack;
  	} else {
--- 233,244 ----
  	 */
  	seq = ntohl(tcp->th_seq);
  	ack = ntohl(tcp->th_ack);
! 	source = (sport == is->is_sport);
! 
! 	if (!(tcp->th_flags & TH_ACK))  /* Pretend an ack was sent */
! 		ack = source ? is->is_ack : is->is_seq;
! 
! 	if (source) {
  		seqskew = seq - is->is_seq;
  		ackskew = ack - is->is_ack;
  	} else {
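
Review bot: The new test at "if (!(tcp->th_flags & TH_ACK))" substitutes the stored ack for every segment that lacks the ACK flag, not only for the RST replies the message describes, so the ack half of the window check is skipped for any non-ACK segment on an established state. If only resets are meant, narrow the condition to segments that carry TH_RST without TH_ACK; if all non-ACK segments are intended, extend the "Pretend an ack was sent" comment to say so and why that is safe. The seq check is unchanged, so such a segment still has to carry an in-window sequence number.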
***************
*** 259,265 ****
  	 * window size of the connection, store these values and match
  	 * the packet.
  	 */
! 	if ((source = (sport == is->is_sport))) {
  		swin = is->is_swin;
  		dwin = is->is_dwin;
  	} else {
--- 264,270 ----
  	 * window size of the connection, store these values and match
  	 * the packet.
  	 */
! 	if (source) {
  		swin = is->is_swin;
  		dwin = is->is_dwin;
  	} else {
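
Review bot: The condition "if (source)" now relies on the assignment added near line 236 instead of setting the value where it is tested, so this hunk is only correct when applied together with the first one and when nothing between the two sites reassigns source. A short comment at the earlier assignment noting that the value is reused for the window selection here would make that dependency visible to the next person who edits the code in between.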

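The effect of the fix on a reply RST, as an added example that is not part of the original message or of IP Filter's code: a simplified model of the skew check with and without the ACK substitution. The struct layout, the helper names (skew, in_window, reply_rst), the reverse-direction branch and the window comparison are assumptions, since the patch does not show them.

```c
#include <stdint.h>

#define TH_RST 0x04
#define TH_ACK 0x10

/* Simplified stand-in for the state entry; field names follow the patch. */
struct state {
    uint16_t is_sport;           /* source port of the tracked flow */
    uint32_t is_seq, is_ack;     /* last seq/ack seen from that side */
    uint32_t is_swin, is_dwin;   /* windows for the two directions */
};
struct seg { uint16_t sport; uint32_t seq, ack; uint8_t flags; };

/* Magnitude of a 32-bit sequence-space difference. */
uint32_t skew(uint32_t a, uint32_t b)
{
    uint32_t d = a - b;
    return (d & 0x80000000u) ? 0u - d : d;
}

/* 1 if the segment is inside the tracked window, else 0.
 * patched=0 models the old check, patched=1 the ACK substitution. */
int in_window(const struct state *is, const struct seg *p, int patched)
{
    uint32_t ack = p->ack;
    int source = (p->sport == is->is_sport);

    if (patched && !(p->flags & TH_ACK))      /* pretend an ack was sent */
        ack = source ? is->is_ack : is->is_seq;
    /* Assumption: the reverse direction mirrors the source branch. */
    uint32_t seqskew = skew(p->seq, source ? is->is_seq : is->is_ack);
    uint32_t ackskew = skew(ack, source ? is->is_ack : is->is_seq);
    uint32_t swin = source ? is->is_swin : is->is_dwin;
    uint32_t dwin = source ? is->is_dwin : is->is_swin;
    return seqskew <= swin && ackskew <= dwin;
}

/* Constructed flow: port 1025 talking to port 80; the reply RST comes
 * from port 80 with the given seq and a zero ack field. */
int reply_rst(uint32_t seq, uint8_t flags, int patched)
{
    struct state is = { 1025, 1000000u, 5000u, 8192u, 8192u };
    struct seg rst = { 80, seq, 0u, flags };
    return in_window(&is, &rst, patched);
}
```
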
