kern/177808: route-to rule forwarding traffic in spite of state limit

Kajetan Staszkiewicz vegeta at tuxpowered.net
Fri Apr 12 13:50:01 UTC 2013


>Number:         177808
>Category:       kern
>Synopsis:       route-to rule forwarding traffic in spite of state limit
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 12 13:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Kajetan Staszkiewicz
>Release:        FreeBSD 9.1-RELEASE
>Organization:
InnoGames GmbH
>Environment:
FreeBSD xxxxxxx 9.1-RELEASE FreeBSD 9.1-RELEASE #10 r247265M: Mon Feb 25 14:58:39 CET 2013     root at xxxxxxx:/usr/obj/usr/src/sys/IGLB3  amd64
>Description:
When the state limit configured on a route-to rule is hit, according to the manual "further packets that would create state will not match this rule until existing states time out." This is only partially true. State is not created, src-node is not created, and the rule's action is PF_DROP. But if no subsequent rule changes the routing behavior (e.g. if the current rule is "quick"), the packet still gets forwarded according to the route definition in this rule (so it was "matched").
>How-To-Repeat:
Feed some traffic to a quick route-to rule with a state limit; it is still forwarded by pf.
>Fix:
--- pf.c.10 2013-04-04 16:56:04.000000000 +0200
+++ pf.c.11 2013-04-12 15:41:53.000000000 +0200
@@ -7148,7 +7148,7 @@
                break;
        default:
                /* pf_route can free the mbuf causing *m0 to become NULL */
-               if (r->rt)
+               if (action == PF_PASS && r->rt)
                        pf_route(m0, r, dir, kif->pfik_ifp, s, &pd);
                break;
        }
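Review bot: the comment above the new `if (action == PF_PASS && r->rt)` in the `default:` branch still only explains the mbuf-free side effect, so nothing records why routing now depends on the verdict. Add a line stating that a rule which matched last but ended with a non-pass action (for example after its state limit was hit) must not have its route-to applied. Also confirm that a non-pass packet that now skips `pf_route` is still dropped and freed later on this path, since that is not visible in the hunk.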
@@ -7655,7 +7655,7 @@
                break;
        default:
                /* pf_route6 can free the mbuf causing *m0 to become NULL */
-               if (r->rt)
+               if (action == PF_PASS && r->rt)
                        pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);
                break;
        }
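Review bot: the `action == PF_PASS` guard before `pf_route6` changes behaviour for every action that reaches `default:`, not only the state-limit drop, and the submitter notes that only a "quick" rule was tested. Please enumerate which other action values can arrive here with `r->rt` set and check that none of them depended on `pf_route6` being called. Since the same condition is now duplicated in the IPv4 and IPv6 paths, a shared helper or macro would keep the two from drifting apart.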


That's a quick and dirty hack; I have tested it only with a "quick" rule.

>Release-Note:
>Audit-Trail:
>Unformatted:
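
The behaviour described in this report, as an added example (not pf source and not part of the original report): a simplified C model of a single quick route-to rule with a state limit, comparing the unpatched `r->rt` test with the patched `action == PF_PASS && r->rt` test. All names other than `PF_PASS`, `PF_DROP` and the `rt` field are hypothetical, and state expiry is not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT pf source. Only PF_PASS, PF_DROP and the "rt"
 * test come from the report; every other name here is hypothetical. */
enum { PF_PASS, PF_DROP };

struct model_rule {
    bool rt;              /* rule carries a route-to target */
    unsigned max_states;  /* state limit configured on the rule */
    unsigned states;      /* states currently held by the rule */
};

struct verdict {
    int action;           /* PF_PASS or PF_DROP */
    bool state_created;
    bool routed;          /* packet was handed to the route-to path */
};

/* One new connection hits the quick route-to rule. */
static struct verdict model_test(struct model_rule *r, bool patched)
{
    struct verdict v = { PF_PASS, false, false };

    if (r->states >= r->max_states) {
        v.action = PF_DROP;        /* limit hit: no state is created */
    } else {
        r->states++;
        v.state_created = true;
    }
    /* Stand-in for the default: branch changed by the patch. */
    if (patched ? (v.action == PF_PASS && r->rt) : r->rt)
        v.routed = true;
    return v;
}

/* How many of n new connections are forwarded via route-to. */
unsigned model_forwarded(unsigned n, unsigned max_states, bool patched)
{
    struct model_rule r = { true, max_states, 0 };
    unsigned routed = 0;

    for (unsigned i = 0; i < n; i++)
        routed += model_test(&r, patched).routed;
    return routed;
}

int main(void)
{
    printf("unpatched: %u of 5 routed\n", model_forwarded(5, 2, false));
    printf("patched:   %u of 5 routed\n", model_forwarded(5, 2, true));
    return 0;
}
```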

