author | Kristof Provost <kp@FreeBSD.org> | 2024-12-16 15:02:18 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2024-12-17 20:33:11 +0000 |
commit | f25d7ff3037e26286d5a7479e9bf39bd1bb85e4c (patch) | |
tree | 08405e06aa50af7eac723b56899a9fc7c89ffac1 | |
parent | 01eb1261443dddcb50a3a278f1278fffdfb0d36e (diff) |
pf: SCTP abort messages fully close the connection
As per RFC (RFC4960 section 3.3.7) an ABORT terminates the connection fully. We
should move the state to CLOSED rather than CLOSING.
Suggested by: Oliver Thomas
See also: https://redmine.pfsense.org/issues/15924
Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r-- | sys/netpfil/pf/pf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 11d37747b3a0..695ecfc0269d 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7181,14 +7181,14 @@ pf_test_state_sctp(struct pf_kstate **state, struct pf_pdesc *pd, (*state)->timeout = PFTM_SCTP_ESTABLISHED; } } - if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | PFDESC_SCTP_ABORT | + if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN | PFDESC_SCTP_SHUTDOWN_COMPLETE)) { if (src->state < SCTP_SHUTDOWN_PENDING) { pf_set_protostate(*state, psrc, SCTP_SHUTDOWN_PENDING); (*state)->timeout = PFTM_SCTP_CLOSING; } } - if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE)) { + if (pd->sctp_flags & (PFDESC_SCTP_SHUTDOWN_COMPLETE | PFDESC_SCTP_ABORT)) { pf_set_protostate(*state, psrc, SCTP_CLOSED); (*state)->timeout = PFTM_SCTP_CLOSED; } |
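Review bot: In the second `if`, the branch that now also handles PFDESC_SCTP_ABORT calls `pf_set_protostate(*state, psrc, SCTP_CLOSED)` for psrc only and with no guard on the current state, so the peer's side of the state is left wherever it was. Unlike a SHUTDOWN COMPLETE, an ABORT is not the final step of a handshake, so if the intent is that the association is fully terminated, consider moving the peer side to SCTP_CLOSED as well, or add a comment explaining why setting PFTM_SCTP_CLOSED on the state is sufficient. Because this path now closes the state on a single chunk, it is also worth confirming (the hunk does not show it) that the ABORT's verification tag has been checked against the state before this point is reached. Minor: PFDESC_SCTP_SHUTDOWN_COMPLETE is still tested in the first `if`, where its SCTP_SHUTDOWN_PENDING / PFTM_SCTP_CLOSING result is immediately overwritten by the second `if`; it could be dropped from the first test.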