git: ad57a81170fc - stable/14 - pf: sctp heartbeats confirm a connection
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 24 Nov 2023 14:10:49 UTC
The branch stable/14 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=ad57a81170fce9f638a6d57d60cb46362363dd1d commit ad57a81170fce9f638a6d57d60cb46362363dd1d Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-11-17 12:52:34 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-11-24 09:20:45 +0000 pf: sctp heartbeats confirm a connection When we create a new state for multihomed sctp connections (i.e. based on INIT/INIT_ACK or ASCONF parameters) the new connection will never see a COOKIE/COOKIE_ACK exchange. We should consider HEARTBEAT_ACK to be a confirmation that the connection is established. This ensures that such connections do not time out earlier than expected. MFC after: 1 week Sponsored by: Orange Business Services (cherry picked from commit 7093414c63b08864dd9348f63e67b39a70c8b1be) --- sys/net/pfvar.h | 17 ++++++++++------- sys/netpfil/pf/pf.c | 2 +- sys/netpfil/pf/pf_norm.c | 10 +++++++++- 3 files changed, 20 insertions(+), 9 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 15fa671ddcbe..27428ad161f8 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1580,13 +1580,16 @@ struct pf_pdesc { #define PFDESC_SCTP_INIT 0x0001 #define PFDESC_SCTP_INIT_ACK 0x0002 #define PFDESC_SCTP_COOKIE 0x0004 -#define PFDESC_SCTP_ABORT 0x0008 -#define PFDESC_SCTP_SHUTDOWN 0x0010 -#define PFDESC_SCTP_SHUTDOWN_COMPLETE 0x0020 -#define PFDESC_SCTP_DATA 0x0040 -#define PFDESC_SCTP_ASCONF 0x0080 -#define PFDESC_SCTP_OTHER 0x0100 -#define PFDESC_SCTP_ADD_IP 0x0200 +#define PFDESC_SCTP_COOKIE_ACK 0x0008 +#define PFDESC_SCTP_ABORT 0x0010 +#define PFDESC_SCTP_SHUTDOWN 0x0020 +#define PFDESC_SCTP_SHUTDOWN_COMPLETE 0x0040 +#define PFDESC_SCTP_DATA 0x0080 +#define PFDESC_SCTP_ASCONF 0x0100 +#define PFDESC_SCTP_HEARTBEAT 0x0200 +#define PFDESC_SCTP_HEARTBEAT_ACK 0x0400 +#define PFDESC_SCTP_OTHER 0x0800 +#define PFDESC_SCTP_ADD_IP 0x1000 u_int16_t sctp_flags; u_int32_t sctp_initiate_tag; diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 082987d34b07..84bd75276af7 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5932,7 +5932,7 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif, dst->scrub->pfss_v_tag = pd->sctp_initiate_tag; } - if (pd->sctp_flags & PFDESC_SCTP_COOKIE) { + if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) { if (src->state < SCTP_ESTABLISHED) { pf_set_protostate(*state, psrc, SCTP_ESTABLISHED); (*state)->timeout = PFTM_SCTP_ESTABLISHED; diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 5f2b8e9d36ff..2625966a0278 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -2115,12 +2115,20 @@ pf_scan_sctp(struct mbuf *m, int ipoff, int off, struct pf_pdesc *pd, pd->sctp_flags |= PFDESC_SCTP_SHUTDOWN_COMPLETE; break; case SCTP_COOKIE_ECHO: - case SCTP_COOKIE_ACK: pd->sctp_flags |= PFDESC_SCTP_COOKIE; break; + case SCTP_COOKIE_ACK: + pd->sctp_flags |= PFDESC_SCTP_COOKIE_ACK; + break; case SCTP_DATA: pd->sctp_flags |= PFDESC_SCTP_DATA; break; + case SCTP_HEARTBEAT_REQUEST: + pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT; + break; + case SCTP_HEARTBEAT_ACK: + pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT_ACK; + break; case SCTP_ASCONF: pd->sctp_flags |= PFDESC_SCTP_ASCONF;