kern/177808: [pf] [patch] route-to rule forwarding traffic inspite of state limit

Kajetan Staszkiewicz vegeta at tuxpowered.net
Mon Nov 18 16:20:02 UTC 2013 

The following reply was made to PR kern/177808; it has been noted by GNATS.

From: Kajetan Staszkiewicz <vegeta at tuxpowered.net>
To: bug-followup at freebsd.org
Cc:  
Subject: Re: kern/177808: [pf] [patch] route-to rule forwarding traffic inspite of state limit
Date: Mon, 18 Nov 2013 17:13:24 +0100

 --Boundary-00=_kyjiSwrOkn+usgI
 Content-Type: Text/Plain;
   charset="us-ascii"
 Content-Transfer-Encoding: 7bit
 
 The attached patch for FreeBSD 10 does basically the same thing, although in a 
 way that is easier to understand in code as it performs all actions inside 
 pf_test, instead of waiting for pf_check_in to free *m.
 
 -- 
 | pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
 |  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
 |        Vegeta          | www: http://vegeta.tuxpowered.net     |
 `------------------------^---------------------------------------'
 
 --Boundary-00=_kyjiSwrOkn+usgI
 Content-Type: text/x-patch;
   charset="UTF-8";
   name="drop-traffic-on-state-creation-fail.patch"
 Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment;
 	filename="drop-traffic-on-state-creation-fail.patch"
 
 # It might happen that a passing rule fails to create a state for example due
 # to hitting its state limit. A PF_DROP action is set in such case but the rule
 # already has rt filled in which causes pf_route to be called and the packet
 # to be forwarded.
 #
 # Do not call pf_route at all if action is PF_DROP.
 # 
 # kajetan.staszkiewicz at innogames.de
 # Work sponsored by InnoGames GmbH
 #
 diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
 index 12d1e9a..59a349d 100644
 --- a/sys/netpfil/pf/pf.c
 +++ b/sys/netpfil/pf/pf.c
 @@ -6009,6 +6009,10 @@ done:
  		*m0 = NULL;
  		action = PF_PASS;
  		break;
 +	case PF_DROP:
 +		m_freem(*m0);
 +		*m0 = NULL;
 +		break;
  	default:
  		/* pf_route() returns unlocked. */
  		if (r->rt) {
 @@ -6382,6 +6386,10 @@ done:
  		*m0 = NULL;
  		action = PF_PASS;
  		break;
 +	case PF_DROP:
 +		m_freem(*m0);
 +		*m0 = NULL;
 +		break;
  	default:
  		/* pf_route6() returns unlocked. */
  		if (r->rt) {
 
 --Boundary-00=_kyjiSwrOkn+usgI--

More information about the freebsd-pf mailing list