Date:      Sat, 10 Jan 2026 10:22:50 +0000
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 71f4eb518cd9 - stable/15 - pf: don't reject route-to'd too-large packets
Message-ID:  <6962287a.238da.19dbbc55@gitrepo.freebsd.org>


The branch stable/15 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=71f4eb518cd9241b429afebe5333aa1d6b7b46c6

commit 71f4eb518cd9241b429afebe5333aa1d6b7b46c6
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-12-26 09:58:59 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-01-10 09:50:37 +0000

    pf: don't reject route-to'd too-large packets
    
    If we're sending a packet via pf_route()/pf_route6() we check for packet
    size and potentially generate ICMP(6) packet too big messages. If we do,
    don't consider this a rejected packet. That is, return PF_PASS and set
    the mbuf to NULL rather than returning PF_DROP.
    
    This matters for locally generated packets, because with PF_DROP we
    can end up returning EACCES to userspace, causing the connection to
    terminate. Instead, with PF_PASS and a NULL mbuf this is translated to
    PFIL_CONSUMED, which does not return an error to userspace.
    
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 2e7699355f08258365fb5f65d11ac297e20f78de)
---
 sys/netpfil/pf/pf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 567615acdf0c..2cd3ee535b85 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9343,7 +9343,8 @@ pf_route(struct pf_krule *r, struct ifnet *oifp,
 			   ifp->if_mtu, pd->af, r, pd->act.rtableid);
 		}
 		SDT_PROBE1(pf, ip, route_to, drop, __LINE__);
-		action = PF_DROP;
+		/* Return pass, so we return PFIL_CONSUMED to the stack. */
+		action = PF_PASS;
 		goto bad;
 	}
 
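Review bot: the `SDT_PROBE1(pf, ip, route_to, drop, __LINE__)` probe still fires under the `drop` name immediately before `action = PF_PASS;`, so DTrace or monitoring scripts that count route-to drops will keep attributing these packets to drops even though the stack now sees PFIL_CONSUMED rather than PF_DROP. Consider either a distinct probe point for the consumed-with-ICMP case or a note in the comment that the probe name is intentionally retained for backwards compatibility. Also, the new comment promises PFIL_CONSUMED, but that only holds if the `bad:` path this jumps to frees `m0` and clears the caller's mbuf pointer, which is not visible in this hunk; returning PF_PASS with a live mbuf would make the caller transmit the oversized packet after all, so that path is worth re-checking as part of this change.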
@@ -9665,7 +9666,8 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp,
 				pf_send_icmp(m0, ICMP6_PACKET_TOO_BIG, 0,
 				    ifp->if_mtu, pd->af, r, pd->act.rtableid);
 		}
-		action = PF_DROP;
+		/* Return pass, so we return PFIL_CONSUMED to the stack. */
+		action = PF_PASS;
 		SDT_PROBE1(pf, ip6, route_to, drop, __LINE__);
 		goto bad;
 	}
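Review bot: the `pf_send_icmp(m0, ICMP6_PACKET_TOO_BIG, ...)` call sits inside a conditional whose test is outside this hunk, so when that branch is not taken the packet is now consumed with PF_PASS and no Packet Too Big is sent, leaving the sender with neither an error nor a notification; confirm that this silent outcome is intended for the case the condition excludes. Minor style point: here the probe follows `action = PF_PASS;` whereas in `pf_route()` it precedes the assignment; keeping the order consistent between the two functions (and, as above, reconsidering the `drop` probe name now that the action is a pass) would make the IPv4 and IPv6 paths easier to compare.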

