diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2023-11-29 18:06:31 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2023-12-05 18:25:58 +0000 |
| commit | 0415f0554b72b93a1986292d28f679594f6ce6a6 (patch) | |
| tree | e304b9cc22984b15e1660ca0e425a6b4698de815 | |
| parent | 2e6541b943efb785aa6e04957e511a83b452b240 (diff) | |
| download | src-0415f0554b72b93a1986292d28f679594f6ce6a6.tar.gz src-0415f0554b72b93a1986292d28f679594f6ce6a6.zip | |
pf: remove incorrect fragmentation check
We do not need to check PFDESC_IP_REAS while tracking TCP state.
Moreover, this check incorrectly considers no-data packets (e.g. RST) to
be in-window when this flag is not set.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Approved by: so
Security: FreeBSD-SA-23:17.pf
(cherry picked from commit 6284d5f76d6bd2d97fe287c5adabf59c79688eda)
| -rw-r--r-- | sys/netpfil/pf/pf.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index fbc6c9640f43..b9fb9ce7b1e4 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4601,8 +4601,7 @@ pf_tcp_track_full(struct pf_kstate **state, struct pfi_kkif *kif, (ackskew <= (MAXACKWINDOW << sws)) && /* Acking not more than one window forward */ ((th->th_flags & TH_RST) == 0 || orig_seq == src->seqlo || - (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo) || - (pd->flags & PFDESC_IP_REAS) == 0)) { + (orig_seq == src->seqlo + 1) || (orig_seq + 1 == src->seqlo))) { /* Require an exact/+1 sequence match on resets when possible */ if (dst->scrub || src->scrub) { |