Date: Mon, 18 Nov 2013 16:20:01 GMT
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/177808: [pf] [patch] route-to rule forwarding traffic inspite of state limit
Message-ID: <201311181620.rAIGK1Ve084969@freefall.freebsd.org>
The following reply was made to PR kern/177808; it has been noted by GNATS. From: Kajetan Staszkiewicz <vegeta@tuxpowered.net> To: bug-followup@freebsd.org Cc: Subject: Re: kern/177808: [pf] [patch] route-to rule forwarding traffic inspite of state limit Date: Mon, 18 Nov 2013 17:13:24 +0100 --Boundary-00=_kyjiSwrOkn+usgI Content-Type: Text/Plain; charset="us-ascii" Content-Transfer-Encoding: 7bit The attached patch for FreeBSD 10 does basically the same thing, although in a way that is easier to understand in code as it performs all actions inside pf_test, instead of waiting for pf_check_in to free *m. -- | pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS | | Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net | | Vegeta | www: http://vegeta.tuxpowered.net | `------------------------^---------------------------------------' --Boundary-00=_kyjiSwrOkn+usgI Content-Type: text/x-patch; charset="UTF-8"; name="drop-traffic-on-state-creation-fail.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="drop-traffic-on-state-creation-fail.patch" # It might happen that a passing rule fails to create a state for example due # to hitting its state limit. A PF_DROP action is set in such case but the rule # already has rt filled in which causes pf_route to be called and the packet # to be forwarded. # # Do not call pf_route at all if action is PF_DROP. # # kajetan.staszkiewicz@innogames.de # Work sponsored by InnoGames GmbH # diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 12d1e9a..59a349d 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6009,6 +6009,10 @@ done: *m0 = NULL; action = PF_PASS; break; + case PF_DROP: + m_freem(*m0); + *m0 = NULL; + break; default: /* pf_route() returns unlocked. */ if (r->rt) { 
@@ -6382,6 +6386,10 @@ done: *m0 = NULL; action = PF_PASS; break; + case PF_DROP: + m_freem(*m0); + *m0 = NULL; + break; default: /* pf_route6() returns unlocked. */ if (r->rt) { --Boundary-00=_kyjiSwrOkn+usgI--
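Review bot: The patch description should state that pf_test now frees the mbuf itself on PF_DROP (the "m_freem(*m0); *m0 = NULL;" lines in the @@ -6009 hunk), not only that pf_route is skipped. Callers that release the mbuf when PF_DROP is returned, such as pf_check_in mentioned in the cover message, then see *m0 == NULL and need to be checked to tolerate that.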
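Review bot: The new PF_DROP case in the @@ -6382 hunk carries no comment saying why the drop is handled ahead of the default branch, while the default branch directly below documents itself with "/* pf_route6() returns unlocked. */". A one-line comment noting that a passing rule with r->rt set can still arrive here with PF_DROP when state creation fails would keep the case from looking redundant. The four added lines are identical to those in the first hunk, so the same comment belongs in both places.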
