Adding filtering for TCP flags (E)CE and C(W)R

al1x · Sep 19, 2012, 5:37 AM

There seems to be no way to include TCP flags ECE and CWR to filter rules. I'm curious as to why they were left out and–barring any objections--would like to submit patches* for inclusion.

*My PHP-fu is weak as I've picked up the language only recently while reviewing the pfSense sources.

--- /etc/inc/globals.inc Tue Sep 18 23:56:11 2012
+++ /etc/inc/globals.inc Tue Sep 18 23:56:02 2012
@@ -102,3 +102,3 @@
/* TCP flags */
-$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg");
+$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");

--- /etc/inc/filter.inc Wed Sep 19 00:13:36 2012
+++ /etc/inc/filter.inc Wed Sep 19 00:13:33 2012
@@ -2201,13 +2201,19 @@
if (!empty($rule['tcpflags1'])) {
$flags1 = explode(",", $rule['tcpflags1']);
foreach ($flags1 as $flag1)

$aline['flags'] .= strtoupper($flag1[0]);

if($flag1[0] == "c")
$aline['flags'] .= "W";
else
$aline['flags'] .= strtoupper($flag1[0]);
}
$aline['flags'] .= "/";
if (!empty($rule['tcpflags2'])) {
$flags2 = explode(",", $rule['tcpflags2']);
foreach ($flags2 as $flag2)

$aline['flags'] .= strtoupper($flag2[0]);

if($flag2[0] == "c")
$aline['flags'] .= "W";
else
$aline['flags'] .= strtoupper($flag2[0]);
}
$aline['flags'] .= " ";
} else

–- /usr/local/www/guiconfig.inc Wed Sep 19 00:27:47 2012
+++ /usr/local/www/guiconfig.new.txt Wed Sep 19 00:28:58 2012
@@ -221,3 +221,3 @@
/* TCP flags */
-$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
+$tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");

...haven't tested it yet but that seems to cover it. It's late here so I'm going to turn in. I'll take a look at this in the morning and test it out. For now I figure it's worth posting what I have so far in case--for whatever reason--this functionality was deliberately left out and there is no desire for its inclusion.

eri-- · Sep 20, 2012, 8:24 AM

Is this supported by pf(4) ?

al1x · Sep 21, 2012, 8:41 PM

@ermal:

Is this supported by pf(4) ?

Indeed!

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5

flags < a > / < b > | / < b > | any
This rule only applies to TCP packets that have the flags <a>set
out of set < b >. Flags not specified in < b > are ignored. For
stateful connections, the default is flags S/SA. To indicate that
flags should not be checked at all, specify flags any. The flags
are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.</a>

al1x · Sep 28, 2012, 7:29 PM

I'm wondering if there was any specific reason the order of the tcpflags was rearranged in guiconfig.inc as compared to globals.inc and the pf.conf man page. If so I guess the appropriate patch would be:

–- /usr/local/www/guiconfig.inc Wed Sep 19 00:27:47 2012
+++ /usr/local/www/guiconfig.new.txt Wed Sep 19 00:28:58 2012
@@ -221,3 +221,3 @@
/* TCP flags */
-$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg");
+$tcpflags = array("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr");

bardelot · Oct 1, 2012, 1:07 PM

I made this patch into a pull request on github.
https://github.com/bsdperimeter/pfsense/pull/233

yon · Nov 6, 2012, 2:48 AM

I am need this .

because I wan to try crack Country Firewall block.

http://www.certmag.com/read.php?start=0&in=3906