kern/83186: pfsync in RELENG_5 does not work correctly with nat rules

Martin Matuska martin at matuska.org
Sat Jul 9 15:00:36 GMT 2005


>Number:         83186
>Category:       kern
>Synopsis:       pfsync in RELENG_5 does not work correctly with nat rules
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 09 15:00:34 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Martin Matuska
>Release:        FreeBSD 5-STABLE i386
>Organization:
>Environment:
>Description:
pfsync in RELENG_5 does not work correctly with nat and anchor rules

Comments from OpenBSD cvslog for src/sys/net/if_pfsync.c 1.38:
Clean up reference counting wrt state creation and destruction. Fixes
problems with adaptive timeouts, max-states limits, and rules not being
freed from memory.

Diff from Chris Pascoe.
ok henning@ dhartmei@

Comments from OpenBSD cvslog for src/sys/net/if_pfsync.c 1.37:
Increment the states reference counter in the rule attached to the state
being inserted, so that the counter does not wrap back when the state
is removed. This fixes pfsync setups with adaptive timeouts.

From Chris Pascoe
ok canacar@ dhartmei@ henning@ deraadt@

>How-To-Repeat:
>Fix:
fixed in OpenBSD: src/sys/net/if_pfsync.c rev. 1.37 and 1.38
already included in HEAD
please MFC to RELENG_5 the following patches from HEAD:

--- src/sys/contrib/pf/net/if_pfsync.c.orig	Sat Jul  9 15:31:31 2005
+++ src/sys/contrib/pf/net/if_pfsync.c	Sat Jul  9 15:56:51 2005
@@ -336,6 +336,9 @@
 	st->rule.ptr = r;
 	/* XXX get pointers to nat_rule and anchor */
 
+	/* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
+	r->states++;
+
 	/* fill in the rest of the state entry */
 	pf_state_host_ntoh(&sp->lan, &st->lan);
 	pf_state_host_ntoh(&sp->gwy, &st->gwy);
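Review bot: the added `r->states++` only keeps the counter of the plain rule pointer in sync; the nat_rule and anchor pointers that the preceding XXX comment says are not yet resolved get no increment, so this is not the full STATE_INC_COUNTERS bookkeeping the new comment names. Since the synopsis is specifically about nat and anchor rules, the MFC request should state that this hunk fixes the rule counter (the change described in the OpenBSD 1.37 log) and that nat/anchor counters remain untouched. Note also that the increment happens before the state is inserted, so every exit path between this line and pf_insert_state must undo it; the only one visible in this patch is the EINVAL path in the next hunk.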
@@ -367,6 +370,8 @@
 
 	if (pf_insert_state(kif, st)) {
 		pfi_maybe_destroy(kif);
+		/* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */
+		r->states--;
 		pool_put(&pf_state_pl, st);
 		return (EINVAL);
 	}
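Review bot: the `r->states--` on the pf_insert_state failure path correctly reverses the earlier increment before the state is returned with pool_put, which is what keeps the rule's counter from drifting when a synced state is rejected. The XXX comment is a verbatim copy of the one at the increment site; one comment there plus a short "undo the increment above" here would read better. Please also confirm there is no other early return between the increment and pf_insert_state that would bypass this decrement, as that span is not shown in the diff.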
>Release-Note:
>Audit-Trail:
>Unformatted: