The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=480f62ccd8d998e4db9dc13c354a60f8f5e32a33

commit 480f62ccd8d998e4db9dc13c354a60f8f5e32a33
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2023-09-29 07:23:43 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2023-09-29 22:10:32 +0000

    pf: only create sctp multihome states if we pass the packet
    
    If we've decided to drop the packet we shouldn't create additional
    states based off it.
    
    MFC after:      3 days
    Sponsored by:   Orange Business Services
---
 sys/netpfil/pf/pf.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index baa34b16f487..3e1c8d32add9 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -310,7 +310,7 @@ static int           pf_test_state_icmp(struct pf_kstate **,
                            struct pfi_kkif *, struct mbuf *, int,
                            void *, struct pf_pdesc *, u_short *);
 static void             pf_sctp_multihome_delayed(struct pf_pdesc *, int,
-                           struct pfi_kkif *, struct pf_kstate *);
+                           struct pfi_kkif *, struct pf_kstate *, int);
 static int              pf_test_state_sctp(struct pf_kstate **,
                            struct pfi_kkif *, struct mbuf *, int,
                            void *, struct pf_pdesc *, u_short *);
@@ -5921,10 +5921,10 @@ pf_test_state_sctp(struct pf_kstate **state, struct 
pfi_kkif *kif,
 
 static void
 pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif,
-    struct pf_kstate *s)
+    struct pf_kstate *s, int action)
 {
        struct pf_sctp_multihome_job    *j, *tmp;
-       int                      action __unused;
+       int                      ret __unused;;
        struct pf_kstate        *sm = NULL;
        struct pf_krule         *ra = NULL;
        struct pf_krule         *r = &V_pf_default_rule;
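Review bot: The new declaration `int ret __unused;;` ends with a doubled semicolon, which leaves an empty statement in the middle of the declaration list; it should read `int ret __unused;`. The added `action` parameter also has no documentation. A one-line comment above pf_sctp_multihome_delayed(), such as `/* Queued jobs are freed without creating states unless s != NULL and action == PF_PASS. */`, would record the contract enforced by the guard added later in this diff. The function body continues outside this hunk.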
@@ -5933,11 +5933,14 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, 
struct pfi_kkif *kif,
        PF_RULES_RLOCK_TRACKER;
 
        TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) {
+               if (s == NULL || action != PF_PASS)
+                       goto free;
+
                switch (j->op) {
                case  SCTP_ADD_IP_ADDRESS: {
                        j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP;
                        PF_RULES_RLOCK();
-                       action = pf_test_rule(&r, &sm, kif,
+                       ret = pf_test_rule(&r, &sm, kif,
                            j->m, off, &j->pd, &ra, &rs, NULL);
                        PF_RULES_RUNLOCK();
                        SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, 
action);
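Review bot: The SDT_PROBE4 call at the end of this hunk still passes `action`, which after the rename is the caller's verdict rather than the result of pf_test_rule(). Because of the new guard that value is always PF_PASS when the probe fires, so the multihome test probe no longer shows whether the rule evaluation for the added address passed or was blocked. The rule result now goes into `ret`, which is written but never read in the visible lines. Passing it to the probe, `SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, ret);`, would keep that tracing signal for anyone auditing which extra SCTP addresses get states. The rest of the switch lies outside this hunk.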
@@ -5986,6 +5989,7 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, 
struct pfi_kkif *kif,
                }
                }
 
+free:
                free(j, M_PFTEMP);
        }
 }
@@ -8154,7 +8158,7 @@ done:
                PF_STATE_UNLOCK(s);
 
 out:
-       pf_sctp_multihome_delayed(&pd, off, kif, s);
+       pf_sctp_multihome_delayed(&pd, off, kif, s, action);
 
        return (action);
 }
@@ -8711,7 +8715,7 @@ done:
 out:
        SDT_PROBE4(pf, ip, test6, done, action, reason, r, s);
 
-       pf_sctp_multihome_delayed(&pd, off, kif, s);
+       pf_sctp_multihome_delayed(&pd, off, kif, s, action);
 
        return (action);
 }
