Hi,
When pf processes a TCP packet with SYN and FIN flags set, it removes
the FIN flag and continues processing it. I propose we change that and
let pf drop such a packet. I don't see any legit use for combining these
two flags in the same packet.
Henning added this comment 7 years ago:
XXX why clear instead of drop?
Damjan Dimitrov approached me with this. He got a request that his firewall
should drop TCP packets with SYN and FIN flags set. But with pf this can
currently not be done because the FIN flag is cleared before rule processing.
I tested the behaviour with scapy:
from scapy.all import IP, TCP, send
send(IP(dst="172.24.217.34")/TCP(dport=23,flags="SF"))
Opinions? OKs?
Remi
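The flag checks described above, as an added example that is not part of the original mail or of pf itself: a small C model of the SYN-branch and non-SYN-branch checks visible in pf_normalize_tcp(), switchable between the old behaviour (clear FIN) and the proposed one (drop), fed from a raw TCP header parsed out of a constructed byte buffer. Flag values follow <netinet/tcp.h>; function and type names are invented for the example, and checks pf performs outside the shown hunk (e.g. ECE/CWR handling) are not modelled.

```c
#include <stddef.h>
#include <stdint.h>

/* TCP flag bits as in <netinet/tcp.h> */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10

enum verdict { PF_PASS_PKT = 0, PF_DROP_PKT = 1 };

/* Outcome of normalising one TCP header: the verdict and the flags byte
 * that would remain on the packet if it is passed on for rule processing. */
struct norm_result { enum verdict verdict; uint8_t flags; };

/* Hypothetical model of the flag checks in pf_normalize_tcp():
 * with SYN set, RST is dropped and FIN is either scrubbed (old behaviour,
 * drop_synfin == 0) or dropped (proposed behaviour, drop_synfin != 0);
 * without SYN, a packet must carry ACK or RST or it is dropped. */
struct norm_result normalize_tcp_flags(uint8_t flags, int drop_synfin)
{
    struct norm_result r = { PF_PASS_PKT, flags };
    if (flags & TH_SYN) {
        if (flags & TH_RST) { r.verdict = PF_DROP_PKT; return r; }
        if (flags & TH_FIN) {
            if (drop_synfin) { r.verdict = PF_DROP_PKT; return r; }
            r.flags &= ~TH_FIN;   /* old behaviour: FIN silently cleared */
        }
    } else if (!(flags & (TH_ACK | TH_RST))) {
        r.verdict = PF_DROP_PKT; /* illegal: neither SYN, ACK nor RST */
    }
    return r;
}

/* Minimal TCP header parser: returns the flags byte (offset 13), or -1 if
 * the buffer is shorter than the 20-byte fixed header or the data-offset
 * field claims a header longer than the buffer. */
int tcp_flags_from_header(const uint8_t *buf, size_t len)
{
    if (len < 20) return -1;
    size_t hlen = (size_t)(buf[12] >> 4) * 4;
    if (hlen < 20 || hlen > len) return -1;
    return buf[13];
}
```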
Index: pf_norm.c
===================================================================
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.223
diff -u -p -r1.223 pf_norm.c
--- pf_norm.c 10 Mar 2021 10:21:48 -0000 1.223
+++ pf_norm.c 13 Mar 2022 15:39:42 -0000
@@ -1117,8 +1117,9 @@ pf_normalize_tcp(struct pf_pdesc *pd)
if (flags & TH_RST)
goto tcp_drop;
- if (flags & TH_FIN) /* XXX why clear instead of drop? */
- flags &= ~TH_FIN;
+ /* Illegal packet */
+ if (flags & TH_FIN)
+ goto tcp_drop;
} else {
/* Illegal packet */
if (!(flags & (TH_ACK|TH_RST)))
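Review bot: the new "/* Illegal packet */" comment on the SYN+FIN check reuses the exact wording of the comment on the non-SYN branch directly below it, so a reader scanning the function sees two identical comments guarding different conditions; spelling out the reason, e.g. "/* SYN and FIN must not be set together */", would make the intent clear at the check itself. Since this turns a silent rewrite into a drop, the behaviour change should also be noted in the pf documentation for the scrub path so that operators who relied on SYN+FIN packets being normalised rather than discarded are not surprised.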