kern/177808: [pf] [patch] route-to rule forwarding traffic in spite of state limit
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Mon Nov 18 16:20:02 UTC 2013
The following reply was made to PR kern/177808; it has been noted by GNATS.
From: Kajetan Staszkiewicz <vegeta at tuxpowered.net>
To: bug-followup at freebsd.org
Cc:
Subject: Re: kern/177808: [pf] [patch] route-to rule forwarding traffic in spite of state limit
Date: Mon, 18 Nov 2013 17:13:24 +0100
The attached patch for FreeBSD 10 does basically the same thing, although in a
way that is easier to understand in the code, as it performs all actions inside
pf_test instead of waiting for pf_check_in to free *m.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
Attachment: drop-traffic-on-state-creation-fail.patch (text/x-patch)
# It might happen that a passing rule fails to create a state, for example due
# to hitting its state limit. A PF_DROP action is set in such a case, but the
# rule already has rt filled in, which causes pf_route to be called and the
# packet to be forwarded.
#
# Do not call pf_route at all if action is PF_DROP.
#
# kajetan.staszkiewicz at innogames.de
# Work sponsored by InnoGames GmbH
#
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 12d1e9a..59a349d 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6009,6 +6009,10 @@ done:
*m0 = NULL;
action = PF_PASS;
break;
+ case PF_DROP:
+ m_freem(*m0);
+ *m0 = NULL;
+ break;
default:
/* pf_route() returns unlocked. */
if (r->rt) {
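Review bot: the new PF_DROP case frees the mbuf and clears *m0 but leaves action as PF_DROP, unlike the PF_SYNPROXY_DROP case directly above it, which sets `action = PF_PASS` after `*m0 = NULL`; since the patch description says pf_check_in would otherwise free *m, the caller now has to tolerate a PF_DROP return together with *m0 == NULL, and nothing in the hunk says so. Put the rationale into the code rather than only in the patch header, e.g. a one-line comment in the case such as `/* Already freed here: never hand a dropped packet to pf_route(). */`, so the next reader of the done: switch does not "fix" it back into the default branch.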
@@ -6382,6 +6386,10 @@ done:
*m0 = NULL;
action = PF_PASS;
break;
+ case PF_DROP:
+ m_freem(*m0);
+ *m0 = NULL;
+ break;
default:
/* pf_route6() returns unlocked. */
if (r->rt) {
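Review bot: this hunk is a verbatim copy of the IPv4 one, so whatever comment is added there should be added here as well to keep the two done: switches in step; the patch description and the covering mail only name pf_test, while this hunk sits in front of the pf_route6() call, so the commit message should state that both the IPv4 and the IPv6 paths are changed.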
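As an added illustration, not part of the PR or of the patch itself, the following constructed pf.conf fragment sets up exactly the situation the patch description covers: a pass rule with route-to and a per-rule state limit. The interface names, the gateway address and the port are assumptions; only the `route-to` plus `keep state (max N)` combination matters.

```pf
# Constructed reproducer for kern/177808 (added example, not from the PR).
# Interface names, gateway address and port are assumptions.
ext_if = "em0"
int_if = "em1"
gw     = "192.0.2.1"

# Allow this rule to hold one state only.  The first matching flow creates
# it; every later flow fails state creation, so pf sets PF_DROP for it.
# With the bug, r->rt is still set and pf_route() forwards the packet
# toward $gw anyway; with the patch the packet is freed instead.
pass in quick on $int_if route-to ($ext_if $gw) \
    proto tcp from $int_if:network to any port 80 \
    keep state (max 1)
```

Load it with `pfctl -f /etc/pf.conf`, open one TCP connection through the box so the single state exists (`pfctl -ss` lists it and `pfctl -vsr` shows the rule's state counter at 1), then start a second connection from another host or source port while watching the outside interface with `tcpdump -ni em0 port 80`. Without the patch the second flow's packets still leave on em0 toward the gateway although no state was created for them, which is the behaviour the PR reports; with the patch applied they do not appear there.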