From nobody Sun Oct 5 20:51:47 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4cfvhh1SqGz6BfPq; Sun, 05 Oct 2025 20:51:48 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4cfvhg6HX5z3vxW; Sun, 05 Oct 2025 20:51:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1759697507; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=OOWie0OtHf3hVRKDQM2LybxEwhYbZCb7M52D/iJlFMg=; b=iq0BjbOxIsAcpgOREQH7nerOInMnTkZ3gEGTctawYKgoRZTyxP/qXxOPb/u7AdK1Yvt5Pt xSPSFgBR1eQHSMHp0HVYsop0B61qbEd3Y142HcXXuG9963z+5HS++hvfKxDj4YZ4iHEJw7 L/DT80RkxXSC2wPmDS7nrGwhN23fdTYx76br0MW4QtiPR24ac/dRtnIvmSQT/lTta5Htnj UtY6Rb8ElhXsr7DssN+Ve+Qspl45gylYfK/GaHNWCUas9TxBXzCNaCoWIl6HNkLivwUvx2 cgF/RjnBl1e6Twf4LNS9n0dt3Der26QZ8yDx72NQiLpOrcO3L8PDCQKk8wfC6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1759697507; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=OOWie0OtHf3hVRKDQM2LybxEwhYbZCb7M52D/iJlFMg=; b=U68Gn9Cq1qPsKKGe758wbAcVXyoB/vNsytJRgk6o5um8w5my72aWHAbvgtovSdOMO+Wlqa ySkgjDa5Bdv0DNdGYFBdLITJIXdf8D0meSZVRo0k0DSCgnnevQME9A+ooebQLdcfC11dzM GrcJdsF+6hJ89Yk1DrK4d1d1/RfFeeZoxeYlvL78yokSLO/Vsd3nnuAV5fQOjMaBlQWLMP Wx7azL0lg6akqEE2AYkzTN8tRIzIROnPH9SXWlqck0+x258wnMsFI7mDoAZ0ugZI2zjlhI axXx9dBxxEd3SFIfDcPy9WtofWI4ohRAgl8piCDrZwzxi9RsZilKQlOHcdNqaA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1759697507; a=rsa-sha256; cv=none; b=RtrwjXefxbYPIE3gHfJ5GFGqgMkUMINAS7B2TBGB/K57/jppC/W4KkivVsQlMchGx7EX+K trNpFW/Us1Sn0mYdogcri6B/WF4PA1Kjz+EOwrnwxK5tdij8AfzuVCJLly+J6KGlEGpX54 EWDPAxs2DK72q+T7OTdj4nGIbH5t9GJJokfAP3tkAOMIozKhxgLISrrLfdC5LzJKQuM/Vr gNnqDEC9VLD9b58ZiUQ/zJLR6i1hC6zTEEn0n7+6Zetjf6tbIuCCZmlw1eOT4AOQH7vyJz l7XpP4CwEs4n6X2ranZyx7u767SkW9OsHs2VOiSsfQHjgnFW4+dIWOjEKcisLA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4cfvhg5cNHzCLb; Sun, 05 Oct 2025 20:51:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 595KpliG039940; Sun, 5 Oct 2025 20:51:47 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 595Kploo039937; Sun, 5 Oct 2025 20:51:47 GMT (envelope-from git) Date: Sun, 5 Oct 2025 20:51:47 GMT Message-Id: <202510052051.595Kploo039937@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: dd4095f11b1e - stable/15 - pf: return PF_PASS/PF_DROP from pf_setup_pdesc() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: dd4095f11b1ea1305775e7595b0d3ed5efe1179c Auto-Submitted: auto-generated The branch stable/15 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=dd4095f11b1ea1305775e7595b0d3ed5efe1179c commit dd4095f11b1ea1305775e7595b0d3ed5efe1179c Author: Kristof Provost AuthorDate: 2025-10-02 14:55:07 +0000 Commit: Kristof Provost CommitDate: 2025-10-05 20:47:34 +0000 pf: return PF_PASS/PF_DROP from pf_setup_pdesc() We returned 'PF_DROP' instead of '-1' in one case, which would lead to us continuing the processing for an invalid packet. This also aligns us closer to OpenBSD, and reduces the odds of future similar mixups. MFC after: 3 days Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 5d210f396e3f00698caa45077330dea8ffe979b5) --- sys/netpfil/pf/pf.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 8f151e3167f6..9637c25f7a76 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -10391,28 +10391,28 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, __func__); *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } h = mtod(pd->m, struct ip *); if (pd->m->m_pkthdr.len < ntohs(h->ip_len)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } if (pf_normalize_ip(reason, pd) != PF_PASS) { /* We do IP header normalization and packet reassembly here */ *m0 = pd->m; *action = PF_DROP; - return (-1); + return (PF_DROP); } *m0 = pd->m; h = mtod(pd->m, struct ip *); if (pf_walk_header(pd, h, reason) != PF_PASS) { *action = PF_DROP; - return (-1); + return (PF_DROP); } pd->src = (struct pf_addr *)&h->ip_src; @@ -10442,7 +10442,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, ", pullup failed", __func__); *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } h = mtod(pd->m, struct ip6_hdr *); @@ -10450,7 +10450,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, sizeof(struct ip6_hdr) + ntohs(h->ip6_plen)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } /* @@ -10459,12 +10459,12 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, */ if (htons(h->ip6_plen) == 0) { *action = PF_DROP; - return (-1); + return (PF_DROP); } if (pf_walk_header6(pd, h, reason) != PF_PASS) { *action = PF_DROP; - return (-1); + return (PF_DROP); } h = mtod(pd->m, struct ip6_hdr *); @@ -10486,13 +10486,13 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, PF_PASS) { *m0 = pd->m; *action = PF_DROP; - return (-1); + return (PF_DROP); } *m0 = pd->m; if (pd->m == NULL) { /* packet sits in reassembly queue, no error */ *action = PF_PASS; - return (-1); + return (PF_DROP); } /* Update pointers into the packet. */ @@ -10504,7 +10504,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, if (pf_walk_header6(pd, h, reason) != PF_PASS) { *action = PF_DROP; - return (-1); + return (PF_DROP); } if (m_tag_find(pd->m, PACKET_TAG_PF_REASSEMBLED, NULL) != NULL) { @@ -10534,7 +10534,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } pd->hdrlen = sizeof(*th); pd->p_len = pd->tot_len - pd->off - (th->th_off << 2); @@ -10550,7 +10550,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } pd->hdrlen = sizeof(*uh); if (uh->uh_dport == 0 || @@ -10558,7 +10558,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, ntohs(uh->uh_ulen) < sizeof(struct udphdr)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } pd->sport = &uh->uh_sport; pd->dport = &uh->uh_dport; @@ -10570,7 +10570,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } pd->hdrlen = sizeof(pd->hdr.sctp); pd->p_len = pd->tot_len - pd->off; @@ -10580,7 +10580,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, if (pd->hdr.sctp.src_port == 0 || pd->hdr.sctp.dest_port == 0) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } /* @@ -10595,7 +10595,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, if (pf_scan_sctp(pd) != PF_PASS) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } break; } @@ -10604,7 +10604,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } pd->pcksum = &pd->hdr.icmp.icmp_cksum; pd->hdrlen = ICMP_MINLEN; @@ -10618,7 +10618,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } /* ICMP headers we look further into to match state */ switch (pd->hdr.icmp6.icmp6_type) { @@ -10644,7 +10644,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, action, reason, af)) { *action = PF_DROP; REASON_SET(reason, PFRES_SHORT); - return (-1); + return (PF_DROP); } pd->hdrlen = icmp_hlen; pd->pcksum = &pd->hdr.icmp6.icmp6_cksum; @@ -10667,7 +10667,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, MPASS(pd->pcksum != NULL); - return (0); + return (PF_PASS); } static __inline void @@ -10929,7 +10929,7 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 PF_RULES_RLOCK(); if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, - kif, default_actions) == -1) { + kif, default_actions) != PF_PASS) { if (action != PF_PASS) pd.act.log |= PF_LOG_FORCE; goto done;