author | Kristof Provost <kp@FreeBSD.org> | 2023-09-29 07:23:43 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2023-10-02 08:51:44 +0000 |
commit | 0ca691ad161253a123d9dac9e65953fe382920a5 (patch) | |
tree | cfa4505f8febe5998cfd618c1c8a34e80fb4f898 /sys/netpfil | |
parent | cf9e678c1a8460531f42997de38c5639f6247194 (diff) | |
pf: only create sctp multihome states if we pass the packet
If we've decided to drop the packet, we shouldn't create additional
states based on it.
MFC after: 3 days
Sponsored by: Orange Business Services
(cherry picked from commit 480f62ccd8d998e4db9dc13c354a60f8f5e32a33)
Diffstat (limited to 'sys/netpfil')
-rw-r--r-- | sys/netpfil/pf/pf.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 5f94379d58fa..501d9eef57cd 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -291,7 +291,7 @@ static int pf_test_state_icmp(struct pf_kstate **, int,
 struct pfi_kkif *, struct mbuf *, int,
 void *, struct pf_pdesc *, u_short *);
 static void pf_sctp_multihome_delayed(struct pf_pdesc *, int,
- struct pfi_kkif *, struct pf_kstate *);
+ struct pfi_kkif *, struct pf_kstate *, int);
 static int pf_test_state_sctp(struct pf_kstate **,
 struct pfi_kkif *, struct mbuf *, int,
 void *, struct pf_pdesc *, u_short *);
@@ -5343,10 +5343,10 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 static void
 pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif,
- struct pf_kstate *s)
+ struct pf_kstate *s, int action)
 {
 struct pf_sctp_multihome_job *j, *tmp;
- int action;;
+ int ret __unused;;
 struct pf_kstate *sm = NULL;
 struct pf_krule *ra = NULL;
 struct pf_krule *r = &V_pf_default_rule;
@@ -5355,11 +5355,14 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif,
 PF_RULES_RLOCK_TRACKER;
 TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) {
+ if (s == NULL || action != PF_PASS)
+ goto free;
+
 switch (j->op) {
 case SCTP_ADD_IP_ADDRESS: {
 j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP;
 PF_RULES_RLOCK();
- action = pf_test_rule(&r, &sm, pd->dir, kif,
+ ret = pf_test_rule(&r, &sm, pd->dir, kif,
 j->m, off, &j->pd, &ra, &rs, NULL);
 PF_RULES_RUNLOCK();
 SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, action);
@@ -5408,6 +5411,7 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif,
 }
 }
+free:
 free(j, M_PFTEMP);
 }
 }
@@ -7310,7 +7314,7 @@ done:
 PF_STATE_UNLOCK(s);
 out:
- pf_sctp_multihome_delayed(&pd, off, kif, s);
+ pf_sctp_multihome_delayed(&pd, off, kif, s, action);
 return (action);
 }
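Review bot: The `SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, action)` line at the end of the @@ -5355 hunk now reports the new `action` parameter, which the guard added a few lines above has already pinned to PF_PASS, instead of the verdict `pf_test_rule()` just returned into `ret`; the probe should read `SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, ret);`, and the declaration in the @@ -5343 hunk then becomes plain `int ret;` (dropping `__unused` and the stray second `;`). Any other read of `action` in the parts of pf_sctp_multihome_delayed() outside these hunks now silently refers to the caller's verdict rather than the per-job rule result, so the rest of the function is worth checking for that. The guard `if (s == NULL || action != PF_PASS)` also requires a state, which the commit message does not mention; a comment such as `/* Only act on multihome jobs for a packet we passed and hold a state for. */` would record the intent. The function body continues outside the hunk.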
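Review bot: The label `free:` added in the @@ -5408 hunk shares its spelling with the `free(j, M_PFTEMP)` call on the next line; labels have their own namespace so this compiles, but `goto free` reads like a call and a descriptive name such as `free_job:` (with the matching `goto free_job;` in the @@ -5355 hunk) keeps the two apart when grepping. The enclosing function starts outside this hunk.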
@@ -7803,7 +7807,7 @@ done:
 out:
 SDT_PROBE4(pf, ip, test6, done, action, reason, r, s);
- pf_sctp_multihome_delayed(&pd, off, kif, s);
+ pf_sctp_multihome_delayed(&pd, off, kif, s, action);
 return (action);
 } |