On 21 June 2016 at 00:14, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> Hi,
>
> I have seen a problem with pf divert when the dynamic port in a nat
> rule got reused.  The function pf_state_key_attach() reused the
> state as it was in TCPS_FIN_WAIT_2.  The corresponding socket was
> not reused, as the TCPS_TIME_WAIT case in tcp_input() has
> additional checks for timestamps and sequence numbers.  When I port
> the condition SEQ_GT(th->th_seq, tp->rcv_nxt) from the stack to pf,
> the socket and state are kept in sync.  Then divert works fine.
>
> ok?
>
> bluhm
>

So pf reused the port while some TCP segments were still in flight?
But this is key_attach stage not port allocation...  isn't that too
late? When we fail the state key attachment we drop the connection.
I'm ok to add this safeguard, but can't we apply additional logic
into the port allocation code to do a better job?

Does this port get allocated via pf_get_sport or is it a static port
assignment that clashes with the port range NAT uses?
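
The mismatch discussed in this thread, as an added example (not code from the original messages and not OpenBSD source): a simplified model in which the stack only accepts a new SYN on a closing connection when SEQ_GT(th->th_seq, tp->rcv_nxt) holds, while the filter either reuses its state unconditionally or applies the same check. The struct, the function names and the sequence values are assumptions made for illustration, and the timestamp checks mentioned above are left out.

```c
#include <stdint.h>
#include <stdio.h>

/* Serial-number comparison in the style of the BSD SEQ_GT macro: true when
 * a is "after" b modulo 2^32, so it stays correct across wraparound. */
static int seq_gt(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Hypothetical, simplified view of an old connection that is closing. */
struct old_conn {
    uint32_t rcv_nxt;   /* next sequence number expected from the peer */
};

/* Stack side: sequence part of the check for a SYN on a closing socket. */
static int stack_accepts_syn(const struct old_conn *c, uint32_t syn_seq)
{
    return seq_gt(syn_seq, c->rcv_nxt);
}

/* Filter side without the check: any SYN reuses the closing state. */
static int filter_reuses_unchecked(const struct old_conn *c, uint32_t syn_seq)
{
    (void)c; (void)syn_seq;
    return 1;
}

/* Filter side with the same condition ported over from the stack. */
static int filter_reuses_checked(const struct old_conn *c, uint32_t syn_seq)
{
    return seq_gt(syn_seq, c->rcv_nxt);
}

int main(void)
{
    struct old_conn c = { 0xfffffff0u };            /* constructed value */
    /* before, equal to, and (after wraparound) beyond rcv_nxt */
    uint32_t syns[] = { 0xffffff00u, 0xfffffff0u, 0x00000010u };
    for (int i = 0; i < 3; i++)
        printf("syn=%08x stack=%d unchecked=%d checked=%d\n",
            (unsigned)syns[i],
            stack_accepts_syn(&c, syns[i]),
            filter_reuses_unchecked(&c, syns[i]),
            filter_reuses_checked(&c, syns[i]));
    return 0;
}
```

In the first two rows the unchecked filter reuses a state whose socket the stack refuses to reuse, which is the out-of-sync case; with the shared condition both sides give the same answer for every input.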
