Date: Fri, 17 Nov 2023 22:33:58 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: a8dbbeb1c71b - main - pf: skip urpf check for sctp multihomed states Message-ID: <202311172233.3AHMXw0F027455@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a8dbbeb1c71b6f302818b8e041a2b50486b90180 commit a8dbbeb1c71b6f302818b8e041a2b50486b90180 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-11-16 19:55:02 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-11-17 22:33:44 +0000 pf: skip urpf check for sctp multihomed states When we create a new state for multihomed sctp connections (i.e. based on INIT/INIT_ACK or ASCONF parameters) we cannot know what interfaces we'll be seeing that traffic on. These states are floating states, i.e. on "all" interfaces. We cannot do reverse path filtering for these states, so do not do so. MFC after: 1 week Sponsored by: Orange Business Services --- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index a9870ebe166b..082987d34b07 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7160,6 +7160,9 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif, if (af != AF_INET && af != AF_INET6) return (0); + if (kif == V_pfi_all) + return (1); + /* Skip checks for ipsec interfaces */ if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC) return (1);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202311172233.3AHMXw0F027455>