git: ad57a81170fc - stable/14 - pf: sctp heartbeats confirm a connection

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 24 Nov 2023 14:10:49 UTC
The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ad57a81170fce9f638a6d57d60cb46362363dd1d

commit ad57a81170fce9f638a6d57d60cb46362363dd1d
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-11-17 12:52:34 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-11-24 09:20:45 +0000

    pf: sctp heartbeats confirm a connection
    
    When we create a new state for multihomed sctp connections (i.e.
    based on INIT/INIT_ACK or ASCONF parameters) the new connection will
    never see a COOKIE/COOKIE_ACK exchange. We should consider HEARTBEAT_ACK
    to be a confirmation that the connection is established.
    
    This ensures that such connections do not time out earlier than
    expected.
    
    MFC after:      1 week
    Sponsored by:   Orange Business Services
    
    (cherry picked from commit 7093414c63b08864dd9348f63e67b39a70c8b1be)
---
 sys/net/pfvar.h          | 17 ++++++++++-------
 sys/netpfil/pf/pf.c      |  2 +-
 sys/netpfil/pf/pf_norm.c | 10 +++++++++-
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 15fa671ddcbe..27428ad161f8 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1580,13 +1580,16 @@ struct pf_pdesc {
 #define PFDESC_SCTP_INIT	0x0001
 #define PFDESC_SCTP_INIT_ACK	0x0002
 #define PFDESC_SCTP_COOKIE	0x0004
-#define PFDESC_SCTP_ABORT	0x0008
-#define PFDESC_SCTP_SHUTDOWN	0x0010
-#define PFDESC_SCTP_SHUTDOWN_COMPLETE	0x0020
-#define PFDESC_SCTP_DATA	0x0040
-#define PFDESC_SCTP_ASCONF	0x0080
-#define PFDESC_SCTP_OTHER	0x0100
-#define PFDESC_SCTP_ADD_IP	0x0200
+#define PFDESC_SCTP_COOKIE_ACK	0x0008
+#define PFDESC_SCTP_ABORT	0x0010
+#define PFDESC_SCTP_SHUTDOWN	0x0020
+#define PFDESC_SCTP_SHUTDOWN_COMPLETE	0x0040
+#define PFDESC_SCTP_DATA	0x0080
+#define PFDESC_SCTP_ASCONF	0x0100
+#define PFDESC_SCTP_HEARTBEAT	0x0200
+#define PFDESC_SCTP_HEARTBEAT_ACK	0x0400
+#define PFDESC_SCTP_OTHER	0x0800
+#define PFDESC_SCTP_ADD_IP	0x1000
 	u_int16_t	 sctp_flags;
 	u_int32_t	 sctp_initiate_tag;
 
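Review bot: The new bits are inserted in the middle of the series, so every existing flag from PFDESC_SCTP_ABORT to PFDESC_SCTP_ADD_IP changes value; appending them instead, `#define PFDESC_SCTP_HEARTBEAT 0x0400`, `#define PFDESC_SCTP_HEARTBEAT_ACK 0x0800` and COOKIE_ACK at 0x1000, would keep the existing values stable and reduce the hunk to three added lines. Since struct pf_pdesc is kernel-internal this is presumably only churn rather than an ABI break, but the field on the line below is u_int16_t and 0x1000 leaves three free bits, so a short comment above the list, `/* Chunk types seen in this packet; sctp_flags is 16 bits wide, 0x2000-0x8000 still free */`, would make the remaining headroom visible to whoever adds the next flag.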
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 082987d34b07..84bd75276af7 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5932,7 +5932,7 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 			dst->scrub->pfss_v_tag = pd->sctp_initiate_tag;
 	}
 
-	if (pd->sctp_flags & PFDESC_SCTP_COOKIE) {
+	if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) {
 		if (src->state < SCTP_ESTABLISHED) {
 			pf_set_protostate(*state, psrc, SCTP_ESTABLISHED);
 			(*state)->timeout = PFTM_SCTP_ESTABLISHED;
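Review bot: After this change a COOKIE_ACK chunk no longer satisfies the condition on the changed line: the pf_norm.c hunk below moves SCTP_COOKIE_ACK out of the PFDESC_SCTP_COOKIE case into its own PFDESC_SCTP_COOKIE_ACK flag, and that new flag is not tested here, so the responder's side of an ordinary four-way handshake (which only ever sends COOKIE_ACK) stays below SCTP_ESTABLISHED until its first HEARTBEAT_ACK, presumably under the shorter opening timeout the commit message is trying to avoid. Unless the responder side is advanced elsewhere in pf_test_state_sctp (the function extends outside the hunk), the mask should include the new flag: `if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_COOKIE_ACK | PFDESC_SCTP_HEARTBEAT_ACK)) {`. A one-line comment above the check, `/* States created from INIT/ASCONF parameters never see a COOKIE exchange; a HEARTBEAT_ACK proves the peer is reachable on this path. */`, would also keep the rationale in the code rather than only in the commit message.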
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 5f2b8e9d36ff..2625966a0278 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -2115,12 +2115,20 @@ pf_scan_sctp(struct mbuf *m, int ipoff, int off, struct pf_pdesc *pd,
 			pd->sctp_flags |= PFDESC_SCTP_SHUTDOWN_COMPLETE;
 			break;
 		case SCTP_COOKIE_ECHO:
-		case SCTP_COOKIE_ACK:
 			pd->sctp_flags |= PFDESC_SCTP_COOKIE;
 			break;
+		case SCTP_COOKIE_ACK:
+			pd->sctp_flags |= PFDESC_SCTP_COOKIE_ACK;
+			break;
 		case SCTP_DATA:
 			pd->sctp_flags |= PFDESC_SCTP_DATA;
 			break;
+		case SCTP_HEARTBEAT_REQUEST:
+			pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT;
+			break;
+		case SCTP_HEARTBEAT_ACK:
+			pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT_ACK;
+			break;
 		case SCTP_ASCONF:
 			pd->sctp_flags |= PFDESC_SCTP_ASCONF;