The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=c11d317a8bd60d93d3c3ced765071f468adacd69
commit c11d317a8bd60d93d3c3ced765071f468adacd69
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-02-10 09:31:32 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-02-13 12:38:43 +0000

pf: do not reset the fragment timeout each time a fragment arrives

Start the expire counter when the queue is created by the first fragment and drop it if the packet could not be reassembled within 60 seconds.

Reported by Antonios Atlasis; OK henning@ deraadt@

Obtained from: OpenBSD, bluhm <bl...@openbsd.org>, 4697a20621
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.h | 2 +-
 sys/netpfil/pf/pf_norm.c | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 01c1abc54602..45652f174884 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -113,7 +113,7 @@ enum {
 #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
 #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
 #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
-#define PFTM_FRAG_VAL 30 /* Fragment expire */
+#define PFTM_FRAG_VAL 60 /* Fragment expire */
 #define PFTM_INTERVAL_VAL 10 /* Expire interval */
 #define PFTM_SRC_NODE_VAL 0 /* Source tracking */
 #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 6546f8684a68..57b9549df5e0 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -306,8 +306,6 @@ pf_find_fragment(struct pf_fragment_cmp *key, struct pf_frag_tree *tree)
 frag = RB_FIND(pf_frag_tree, tree, (struct pf_fragment *)key);
 if (frag != NULL) {
- /* XXX Are we sure we want to update the timeout? */
- frag->fr_timeout = time_uptime;
 TAILQ_REMOVE(&V_pf_fragqueue, frag, frag_next);
 TAILQ_INSERT_HEAD(&V_pf_fragqueue, frag, frag_next);
 }
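Review bot: The `/* Fragment expire */` comment on the new `PFTM_FRAG_VAL 60` line no longer says what the value bounds now that the per-fragment refresh in pf_find_fragment is gone; the 60 seconds run from creation of the reassembly queue, not from the last fragment seen, and the header should say so, e.g. `#define PFTM_FRAG_VAL 60 /* Fragment expire, from first fragment */`. This default is presumably also what `set timeout frag` in pf.conf(5) documents as 30 seconds; if so that text needs the same bump. Stating the semantics in the header matters because, with the refresh gone, this value is the total window an attacker's incomplete fragment set can occupy reassembly state.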
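Review bot: With `frag->fr_timeout` now fixed at queue creation, the surviving `TAILQ_REMOVE`/`TAILQ_INSERT_HEAD` pair in pf_find_fragment still reorders V_pf_fragqueue by last lookup rather than by expiry time, so the list tail is no longer guaranteed to hold the oldest fr_timeout. If the purge path (not visible in this hunk) walks from the tail and stops at the first entry that has not yet expired, a queue that keeps receiving fragments can sit at the head behind a younger idle queue and outlive the 60-second bound the commit message promises, which is the evasion this change is meant to close. Either drop the two TAILQ lines as well so the queue stays in creation order, or have the purge scan the whole list; the former is the smaller change and matches the new fixed-timeout semantics. pf_find_fragment begins and ends outside this hunk.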