From ohauer@gmx.de  Tue Feb  2 22:21:03 2010
Return-Path: <ohauer@gmx.de>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4857410656F5
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  2 Feb 2010 22:21:03 +0000 (UTC)
	(envelope-from ohauer@gmx.de)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20])
	by mx1.freebsd.org (Postfix) with SMTP id 2E7798FC15
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  2 Feb 2010 22:20:58 +0000 (UTC)
Received: (qmail invoked by alias); 02 Feb 2010 22:20:56 -0000
Received: from u18-124.dsl.vianetworks.de (EHLO u18-124.dsl.vianetworks.de) [194.231.39.124]
  by mail.gmx.net (mp015) with SMTP; 02 Feb 2010 23:20:56 +0100
Received: by u18-124.dsl.vianetworks.de (Postfix, from userid 1100)
	id C2F2526183; Tue,  2 Feb 2010 23:20:44 +0100 (CET)
Message-Id: <20100202222044.C2F2526183@u18-124.dsl.vianetworks.de>
Date: Tue,  2 Feb 2010 23:20:44 +0100 (CET)
From: olli hauer <ohauer@gmx.de>
Reply-To: olli hauer <ohauer@gmx.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc: <freebsd-pf@freebsd.org>, <ohauer@gmx.de>
Subject: [patch] outgoing states are not killed by authpf
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         143504
>Category:       bin
>Synopsis:       [patch] outgoing states are not killed by authpf(8)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 02 22:30:01 UTC 2010
>Closed-Date:    
>Last-Modified:  Sun Dec 19 18:30:10 UTC 2010
>Originator:     olli hauer <ohauer@gmx.de>
>Release:        FreeBSD 7.2-RELEASE-p6 i386
>Organization:
>Environment:
System: FreeBSD 7.2-RELEASE-p6


>Description:
Outgoing states are not killed by authpf, since psk.psk_af is
overridden in authpf_kill_states with the No. of killed states
for incoming ipsrc.

The patch is only needed until code from OpenBSD >=200811 is merged
into FreeBSD, since OpenBSD_4.4+ returns the No. of killed states in
psk.psk_killed.

The OpenBSD change is not documented in the man page at the moment,
but you can find it in the source (net/pfvar.h).
I found it this way by hacking snortsam.

Please also see my PR 140369 to correct the man page for FreeBSD.

From man (4) pf:

DIOCKILLSTATES struct pfioc_state_kill *psk
     Remove matching entries from the state table. This ioctl returns
     the number of killed states in psk_af.


Here are the structs from FreeBSD and OpenBSD

FreeBSD:
struct pfioc_state_kill {
        /* XXX returns the number of states killed in psk_af */
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
};

OpenBSD_4.4/4.5:
struct pfioc_state_kill {
        struct pf_state_cmp     psk_pfcmp;
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
        char                    psk_label[PF_RULE_LABEL_SIZE];
        u_int                   psk_killed;
};


>How-To-Repeat:
>Fix:
The following patch saves the sa_family into a variable 'saf' and restores
psk.psk_af to this family after killing states from the incoming ipsrc.



--- patch_authpf.c begins here ---
Index: base/stable/7/contrib/pf/authpf/authpf.c
===================================================================
--- base/stable/7/contrib/pf/authpf/authpf.c	(revision 203401)
+++ base/stable/7/contrib/pf/authpf/authpf.c	(working copy)
@@ -788,14 +788,15 @@ authpf_kill_states(void)
 {
 	struct pfioc_state_kill	psk;
 	struct pf_addr target;
+	sa_family_t saf;        /* safe AF_INET family */
 
 	memset(&psk, 0, sizeof(psk));
 	memset(&target, 0, sizeof(target));
 
 	if (inet_pton(AF_INET, ipsrc, &target.v4) == 1)
-		psk.psk_af = AF_INET;
+		psk.psk_af = saf = AF_INET;
 	else if (inet_pton(AF_INET6, ipsrc, &target.v6) == 1)
-		psk.psk_af = AF_INET6;
+		psk.psk_af = saf = AF_INET6;
 	else {
 		syslog(LOG_ERR, "inet_pton(%s) failed", ipsrc);
 		return;
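Review bot: the comment on the new declaration, `sa_family_t saf; /* safe AF_INET family */`, is misleading: "safe" reads as a typo for "save", and the variable also receives AF_INET6 in the second inet_pton() branch, so something like `/* address family of ipsrc, saved across DIOCKILLSTATES */` would be accurate. The chained `psk.psk_af = saf = AF_INET;` assignments are fine, and `saf` is always initialised before use because the only path that skips both assignments returns.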
@@ -809,6 +810,9 @@ authpf_kill_states(void)
 	if (ioctl(dev, DIOCKILLSTATES, &psk))
 		syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
 
+	/* restore AF_INET, since it contains now the Nr. of killed states */
+	psk.psk_af = saf;
+
 	/* Kill all states to ipsrc */
 	memset(&psk.psk_src, 0, sizeof(psk.psk_src));
 	memcpy(&psk.psk_dst.addr.v.a.addr, &target,
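Review bot: the restore comment `/* restore AF_INET, since it contains now the Nr. of killed states */` should say "restore the address family" for the same reason as in the first hunk (it may be AF_INET6). Placing `psk.psk_af = saf;` unconditionally after the ioctl, including the failure branch, is correct since psk_af may or may not have been overwritten on error. As the count in psk.psk_af is the only feedback DIOCKILLSTATES gives, consider logging it with the existing syslog() before it is overwritten, so a kill pass that silently matched nothing shows up in the logs.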
--- patch_authpf.c ends here ---


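Added example, not from the PR or from authpf itself: a user-space C model of authpf_kill_states() run against a mock DIOCKILLSTATES that, like the FreeBSD 7 kernel per the pf(4) text quoted above, hands the kill count back in psk_af. The cut-down structs, the state table and the addresses are constructed for the example.

```c
#include <string.h>
#include <sys/socket.h>                 /* AF_INET, sa_family_t */
/* Cut-down stand-in for struct pfioc_state_kill and a pf state (assumption:
 * addresses as strings, empty string = wildcard; only af/src/dst modelled). */
struct mock_psk { sa_family_t psk_af; char psk_src[16]; char psk_dst[16]; };
struct mock_state { sa_family_t af; char src[16]; char dst[16]; int alive; };
/* Constructed table: one state from client 10.0.0.5, two states back to it. */
static const struct mock_state initial[] = {
    { AF_INET, "10.0.0.5",   "192.0.2.10", 1 },
    { AF_INET, "192.0.2.10", "10.0.0.5",   1 },
    { AF_INET, "192.0.2.11", "10.0.0.5",   1 },
};
#define NSTATES (sizeof(initial) / sizeof(initial[0]))
static struct mock_state states[NSTATES];

/* Mock DIOCKILLSTATES with the FreeBSD 7 behaviour quoted from pf(4) above:
 * matching states are removed and the kill count comes back in psk_af. */
static void mock_kill_states(struct mock_psk *psk)
{
    unsigned killed = 0;
    for (size_t i = 0; i < NSTATES; i++)
        if (states[i].alive && states[i].af == psk->psk_af &&
            (!psk->psk_src[0] || !strcmp(states[i].src, psk->psk_src)) &&
            (!psk->psk_dst[0] || !strcmp(states[i].dst, psk->psk_dst))) {
            states[i].alive = 0;
            killed++;
        }
    psk->psk_af = (sa_family_t)killed;  /* clobbers the address family */
}

/* Model of authpf_kill_states(): kill states from ipsrc, then states to it.
 * restore_af == 0 reproduces the unpatched code. Returns the number of
 * surviving states; 0 means both directions were cleared. */
int kill_client_states(const char *ipsrc, int restore_af)
{
    struct mock_psk psk;
    sa_family_t saf = AF_INET;          /* the patch's saved family */
    int alive = 0;
    memcpy(states, initial, sizeof(states));
    memset(&psk, 0, sizeof(psk));
    psk.psk_af = saf;
    strcpy(psk.psk_src, ipsrc);         /* pass 1: states from ipsrc (fits) */
    mock_kill_states(&psk);
    if (restore_af)
        psk.psk_af = saf;               /* the fix: undo the overwrite */
    psk.psk_src[0] = '\0';              /* pass 2: states to ipsrc */
    strcpy(psk.psk_dst, ipsrc);
    mock_kill_states(&psk);
    for (size_t i = 0; i < NSTATES; i++) alive += states[i].alive;
    return alive;
}
```

kill_client_states("10.0.0.5", 0) leaves both outgoing states alive because the second pass matches on psk_af == 1, while restore_af == 1 clears all three. A first pass that kills exactly two states would leave psk_af == 2 == AF_INET and mask the bug, which is why it can look intermittent on a real system.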
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Feb 2 22:41:40 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=143504 

From: olli hauer <ohauer@gmx.de>
To: bug-followup@FreeBSD.org, freebsd-pf@freebsd.org
Cc:  
Subject: Re: bin/143504: [patch] outgoing states are not killed by authpf(8)
Date: Sun, 19 Dec 2010 19:29:16 +0100

 Any chance to get these trivial fixes into
 FreeBSD_7_4/8_2, or to get any feedback?
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=140369
 http://www.freebsd.org/cgi/query-pr.cgi?pr=143504
 
 --
 Regards,
 olli
>Unformatted:
