git: a0fb8e16fe3d - stable/13 - pf: skip urpf check for sctp multihomed states

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Fri, 24 Nov 2023 14:10:48 UTC
The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a0fb8e16fe3d43445c1ac312ddcf38ceb50f23d1

commit a0fb8e16fe3d43445c1ac312ddcf38ceb50f23d1
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-11-16 19:55:02 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-11-24 09:20:36 +0000

    pf: skip urpf check for sctp multihomed states
    
    When we create a new state for multihomed sctp connections (i.e.
    based on INIT/INIT_ACK or ASCONF parameters) we cannot know what
    interfaces we'll be seeing that traffic on. These states are floating
    states, i.e. on "all" interfaces. We cannot do reverse path filtering
    for these states, so do not do so.
    
    MFC after:      1 week
    Sponsored by:   Orange Business Services
    
    (cherry picked from commit a8dbbeb1c71b6f302818b8e041a2b50486b90180)
---
 sys/netpfil/pf/pf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 84ff1fea7731..278c1db118cf 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6570,6 +6570,9 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif,
 	if (af != AF_INET && af != AF_INET6)
 		return (0);
 
+	if (kif == V_pfi_all)
+		return (1);
+
 	/* Skip checks for ipsec interfaces */
 	if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
 		return (1);
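Review bot: The new early return at `if (kif == V_pfi_all)` carries no comment and keys only on the interface, so pf_routable() now reports success for any caller that passes V_pfi_all, not only for the sctp multihomed states named in the commit message. The ipsec bypass directly below it has a one-line comment; the new check should get one too, for example `/* Floating (all-interface) states: no single interface to check the reverse path against */`, so the uRPF bypass is visible to anyone auditing this function. It would also help to state in the commit message or the comment whether any path other than multihomed sctp state creation can reach this function with V_pfi_all, since those paths lose the reverse path check as well.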