Hi,

The behaviour of the PFRULE_SRCTRACK and max_states check was unintentionally changed by this commit.
---------------------------- revision 1.964 date: 2016/01/25 18:49:57; author: sashan; state: Exp; lines: +18 -10; commitid: KeemoLxcm7FS1oYy; - plugging massive pf_state_key leak OK mpi@ dlg@ sthen@ ---------------------------- If we do not create a state after some limit was reached, pf still passes the packet. We can restore the old behavior by setting action later, after the checks. ok? bluhm Index: net/pf.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v retrieving revision 1.1186 diff -u -p -r1.1186 pf.c --- net/pf.c 8 Sep 2023 13:40:52 -0000 1.1186 +++ net/pf.c 9 Oct 2023 22:37:14 -0000 @@ -4467,8 +4467,6 @@ pf_test_rule(struct pf_pdesc *pd, struct goto cleanup; } - action = PF_PASS; - if (pd->virtual_proto != PF_VPROTO_FRAGMENT && !ctx.state_icmp && r->keep_state) { @@ -4511,6 +4509,8 @@ pf_test_rule(struct pf_pdesc *pd, struct #endif /* INET6 */ } else { + action = PF_PASS; + while ((ctx.ri = SLIST_FIRST(&ctx.rules))) { SLIST_REMOVE_HEAD(&ctx.rules, entry); pool_put(&pf_rule_item_pl, ctx.ri);
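Review bot: With the unconditional `action = PF_PASS;` removed ahead of the `if (pd->virtual_proto != PF_VPROTO_FRAGMENT && !ctx.state_icmp && r->keep_state)` block, the verdict for stateful rules now depends entirely on what that branch assigns, and the visible context does not show the state-creation call or the `goto cleanup` target; please confirm in review that every exit of the keep_state path (including the INET6 path that ends right before the `else`) stores an explicit action, otherwise `action` keeps whatever value it had at declaration. The direction is right from an enforcement standpoint: a packet whose state could not be created because max-states or source tracking was exhausted should fail closed rather than fall through as PF_PASS, which is the regression the 1.964 leak fix introduced.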
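Review bot: The `action = PF_PASS;` added at the top of the `else` branch applies only when no state is kept (fragments, ICMP state packets, or rules without keep state), which matches the stated intent of restoring the pre-1.964 behaviour, and nothing else in that branch touches `action` since it only drains `ctx.rules` with `SLIST_REMOVE_HEAD` and `pool_put`. A one-line comment above the assignment noting that stateful rules take their verdict from state creation, so a failed state creation must not pass the packet, would document why the assignment lives here and make it less likely to be hoisted back out in a future cleanup.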