From owner-ipfilter@coombs.anu.edu.au Mon Jun 9 23:21:38 EST 1997
Received: from localhost by postbox.anu.edu.au with SMTP (1.37.109.16/16.2) id AA034962484; Mon, 9 Jun 1997 23:21:24 +1000
Received: by postbox.anu.edu.au (bulk_mailer v1.5); Mon, 9 Jun 1997 23:17:37 +1000
Received: by postbox.anu.edu.au (1.37.109.16/16.2) id AA033262255; Mon, 9 Jun 1997 23:17:35 +1000
Received: from plum.cyber.com.au by postbox.anu.edu.au with ESMTP (1.37.109.16/16.2) id AA033182246; Mon, 9 Jun 1997 23:17:26 +1000
Received: (from darrenr@localhost) by plum.cyber.com.au (8.6.12/8.6.6) id XAA05569 for ipfilter@coombs.anu.edu.au; Mon, 9 Jun 1997 23:17:24 +1000
From: Darren Reed
Message-Id: <199706091317.XAA05569@plum.cyber.com.au>
Subject: Patch for 3.1.11 ip_state.c
To: ipfilter@coombs.anu.edu.au
Date: Mon, 9 Jun 1997 23:17:23 +1000 (EST)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-ipfilter@coombs.anu.edu.au
Status: O

Following is a patch for ip_state.c to fix a problem with TCP RST packets which only include a non-zero SEQ # in the RST packet.  The problem is that when you are using "keep state", it expects SEQ & ACK numbers to be non-zero and to be within the current window.  In some cases, an RST will be returned (as a reply) but will have a missing ACK field (i.e. it will be zero) and the ACK flag will not be set.  IP Filter will toss these aside as the packet is determined to not be within the current window of operation.

Thanks to Guido van Rooij for working this out and coming up with a patch!

Cheers,
Darren

p.s. there will be another 3.2alpha RSN with this patch too, although it should apply rather cleanly.

p.p.s. I'll put this on the FTP site as "3.1.11_patch1" - no idea if I will make a 3.1.12 yet.
Index: ip_state.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_state.c,v retrieving revision 2.0.1.5 diff -c -r2.0.1.5 ip_state.c *** 2.0.1.5 1997/04/13 22:29:18 --- ip_state.c 1997/06/09 13:11:32 *************** *** 233,239 **** */ seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); ! if (sport == is->is_sport) { seqskew = seq - is->is_seq; ackskew = ack - is->is_ack; } else { --- 233,244 ---- */ seq = ntohl(tcp->th_seq); ack = ntohl(tcp->th_ack); ! source = (sport == is->is_sport); ! ! if (!(tcp->th_flags & TH_ACK)) /* Pretend an ack was sent */ ! ack = source ? is->is_ack : is->is_seq; ! ! if (source) { seqskew = seq - is->is_seq; ackskew = ack - is->is_ack; } else { *************** *** 259,265 **** * window size of the connection, store these values and match * the packet. */ ! if ((source = (sport == is->is_sport))) { swin = is->is_swin; dwin = is->is_dwin; } else { --- 264,270 ---- * window size of the connection, store these values and match * the packet. */ ! if (source) { swin = is->is_swin; dwin = is->is_dwin; } else {
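Review bot: the substitution in the first hunk, `if (!(tcp->th_flags & TH_ACK)) ack = source ? is->is_ack : is->is_seq;`, is keyed on the ACK flag alone, so it applies to every segment that lacks ACK, not only to the RST replies the covering note describes; any such segment (a bare SYN, for instance) has its ack field replaced with the expected value, its ack skew becomes zero, and the window test is decided on SEQ alone. If the intent is limited to resets, gate the substitution on `tcp->th_flags & TH_RST` too; otherwise extend the one-line `/* Pretend an ack was sent */` comment to state that segments without ACK are deliberately matched on their sequence number only, and why that is acceptable for the state table.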
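Review bot: the second hunk, `if ((source = (sport == is->is_sport)))` to `if (source)`, is only correct because the assignment moved up into the first hunk at line 236; the two hunks are now coupled and must stay in the same function with nothing between them reassigning `source` or `sport`. Worth a short comment at this second `if` saying that `source` was already computed above, so a later edit does not reintroduce the assignment here and diverge from the value used for the ack substitution.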
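The window check the message describes, as an added worked example that is not code from IP Filter or from the patch: a simplified model of the seq/ack skew test, run once as 3.1.11 behaves and once with the patch's pretend-ack substitution, against a constructed connection and a constructed RST reply whose ACK flag is clear and whose ack field is zero. The struct and field names echo ip_state.c, but the else-branch arithmetic, the final window comparison and the sample values are this example's assumptions; the real fr_tcpstate() handles more (negative skews, state updates) and is not reproduced here. A third case, an RST with a sequence number far outside the window, shows that the patched check still rejects segments on SEQ alone.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_RST 0x04
#define TH_ACK 0x10

/* Constructed stand-in for the ip_state.c state entry: only the fields the
 * patch touches.  is_seq/is_ack are the next expected sequence numbers from
 * the source and destination sides, is_swin/is_dwin their windows. */
struct tcp_state {
    uint16_t is_sport;
    uint32_t is_seq;
    uint32_t is_ack;
    uint32_t is_swin;
    uint32_t is_dwin;
};

/* Constructed stand-in for the TCP header fields the check reads. */
struct tcp_pkt {
    uint16_t sport;
    uint32_t seq;
    uint32_t ack;
    uint8_t  flags;
};

/* Simplified window test.  With pretend_ack == false the ack field is used
 * as-is (3.1.11 behaviour); with pretend_ack == true a segment without the
 * ACK flag gets the expected ack substituted, as the patch does, so its ack
 * skew is zero and only the sequence number decides.  The else-branch
 * arithmetic and the final comparison are this model's assumptions, not the
 * real fr_tcpstate() code. */
static bool tcp_in_window(const struct tcp_state *is, const struct tcp_pkt *tcp,
                          bool pretend_ack)
{
    uint32_t seq = tcp->seq, ack = tcp->ack;
    uint32_t seqskew, ackskew, swin, dwin;
    bool source = (tcp->sport == is->is_sport);

    if (pretend_ack && !(tcp->flags & TH_ACK))
        ack = source ? is->is_ack : is->is_seq;   /* Pretend an ack was sent */

    if (source) {
        seqskew = seq - is->is_seq;
        ackskew = ack - is->is_ack;
        swin = is->is_swin;
        dwin = is->is_dwin;
    } else {
        seqskew = seq - is->is_ack;   /* assumed mirror of the source case */
        ackskew = ack - is->is_seq;
        swin = is->is_dwin;
        dwin = is->is_swin;
    }
    /* Unsigned subtraction: a seq/ack below the expected value wraps to a
     * huge skew and fails the test, which is what drops a zero ack. */
    return seqskew <= swin && ackskew <= dwin;
}

/* Constructed connection: client port 40000 talking to a server on port 80. */
static const struct tcp_state sample_state = {
    .is_sport = 40000, .is_seq = 1000, .is_ack = 5000,
    .is_swin = 8192, .is_dwin = 8192,
};

/* Constructed RST reply from the server: correct SEQ, ACK flag clear, ack 0. */
static const struct tcp_pkt rst_reply = { .sport = 80, .seq = 5000, .ack = 0, .flags = TH_RST };

/* Constructed RST with a sequence number far outside the window: must still
 * be dropped after the patch, since only the ack check is relaxed. */
static const struct tcp_pkt rst_bogus = { .sport = 80, .seq = 0x7fffffff, .ack = 0, .flags = TH_RST };

bool rst_reply_accepted_before_fix(void) { return tcp_in_window(&sample_state, &rst_reply, false); }
bool rst_reply_accepted_after_fix(void)  { return tcp_in_window(&sample_state, &rst_reply, true); }
bool rst_bogus_accepted_after_fix(void)  { return tcp_in_window(&sample_state, &rst_bogus, true); }

int main(void)
{
    printf("RST reply, 3.1.11:  %s\n", rst_reply_accepted_before_fix() ? "accepted" : "dropped");
    printf("RST reply, patched: %s\n", rst_reply_accepted_after_fix() ? "accepted" : "dropped");
    printf("bogus RST, patched: %s\n", rst_bogus_accepted_after_fix() ? "accepted" : "dropped");
    return 0;
}
```

The unpatched run drops the legitimate RST because `0 - is->is_seq` wraps to a skew far larger than any window; the patched run substitutes the expected ack and accepts it, while the RST with an out-of-window SEQ is still dropped, so the relaxation costs nothing on the sequence-number side of the check.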