>Number: 177808
>Category: kern
>Synopsis: route-to rule forwarding traffic in spite of state limit
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 12 13:50:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Kajetan Staszkiewicz
>Release: FreeBSD 9.1-RELEASE
>Organization:
InnoGames GmbH
>Environment:
FreeBSD xxxxxxx 9.1-RELEASE FreeBSD 9.1-RELEASE #10 r247265M: Mon Feb 25
14:58:39 CET 2013 root@xxxxxxx:/usr/obj/usr/src/sys/IGLB3 amd64
>Description:
When a route-to rule is configured with a limit of states and that limit is hit, according to the
manual "further packets that would create state will not match this rule until
existing states time out." This is only partially true. State is not created,
src-node is not created, rule's action is PF_DROP. But if no next rule changes
the routing behavior (e.g. if current rule is "quick"), the packet still gets
forwarded according to route definition in this rule (so it was "matched").
>How-To-Repeat:
Feed some traffic to a quick route-to rule with a state limit; it is still
forwarded by pf.
>Fix:
--- pf.c.10 2013-04-04 16:56:04.000000000 +0200
+++ pf.c.11 2013-04-12 15:41:53.000000000 +0200
@@ -7148,7 +7148,7 @@
break;
default:
/* pf_route can free the mbuf causing *m0 to become NULL */
- if (r->rt)
+ if (action == PF_PASS && r->rt)
pf_route(m0, r, dir, kif->pfik_ifp, s, &pd);
break;
}
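Review bot: the new guard on the pf_route call in the default: arm needs a comment saying why routing is skipped for anything other than PF_PASS; the existing comment only covers pf_route freeing the mbuf. If this arm can be reached with an action other than PF_PASS or PF_DROP, those packets would also stop following r->rt, so please confirm which actions reach it, or test action != PF_DROP if only the drop case is meant to be excluded.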
@@ -7655,7 +7655,7 @@
break;
default:
/* pf_route6 can free the mbuf causing *m0 to become NULL */
- if (r->rt)
+ if (action == PF_PASS && r->rt)
pf_route6(m0, r, dir, kif->pfik_ifp, s, &pd);
break;
}
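Review bot: the pf_route6 call site repeats the same "action == PF_PASS && r->rt" condition as the IPv4 path, so the two copies can drift apart; a shared macro or helper for the predicate would keep them in sync. The report says the change was tested only with a "quick" rule, so the IPv6 path and a non-quick route-to rule should be exercised before this is committed.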
That's a quick and dirty hack; I have tested it only with a "quick" rule.
>Release-Note:
>Audit-Trail:
>Unformatted: