pf: 'sticky-address' requires 'keep state'

When route_to() processes a packet without state, pf_map_addr() is called for
each packet. Pf_map_addr() will search for a source node and will find none
since those are created only in pf_create_state(). Thus sticky address,
even though requested in the rule definition, will never work.

Raise an error when a stateless filter rule uses sticky address to avoid
confusion and to keep ruleset limitations in sync with what the pf code
really does.

Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D46310
Kajetan Staszkiewicz
2024-08-16 10:08:16 +02:00
committed by Kristof Provost
parent 41e03b46da
commit 788f194f60
2 changed files with 9 additions and 0 deletions
+4
@@ -5388,6 +5388,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
problems++;
}
}
if (r->rpool.opts & PF_POOL_STICKYADDR && !r->keep_state) {
yyerror("'sticky-address' requires 'keep state'");
problems++;
}
return (-problems);
}
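Review bot: The new condition `r->rpool.opts & PF_POOL_STICKYADDR && !r->keep_state` in filter_consistent() relies on `&` binding tighter than `&&`; that is correct C, but it is exactly the pattern `-Wparentheses` flags and that a later reader can misparse, so please write it as `(r->rpool.opts & PF_POOL_STICKYADDR) && !r->keep_state`. Also note that this userspace check rejects any rule carrying sticky-address without keep state, whereas the kernel-side check in pf_ioctl_addrule() only rejects it for `rule->action == PF_PASS`; since the commit message says the goal is to keep ruleset limitations in sync with what pf does, the two conditions should be identical (either add the PF_PASS test here or drop it in the kernel) so that pfctl and a direct ioctl caller see the same rule set accepted.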
+5
@@ -2207,6 +2207,11 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
(TAILQ_FIRST(&rule->rpool.list) == NULL))
error = EINVAL;
if (rule->action == PF_PASS && rule->rpool.opts & PF_POOL_STICKYADDR &&
!rule->keep_state) {
error = EINVAL;
}
if (error) {
pf_free_rule(rule);
rule = NULL;
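Review bot: The kernel check here is narrower than the pfctl one: it requires `rule->action == PF_PASS` before rejecting sticky-address without keep state, while the filter_consistent() change rejects the combination for every action. Either is defensible, but they should match, because the kernel check is the one that actually protects against a malformed rule loaded by a caller other than pfctl, and a rule that pfctl refuses but the kernel silently accepts (or vice versa) is the kind of inconsistency this commit sets out to remove. As in the pfctl hunk, please parenthesize `(rule->rpool.opts & PF_POOL_STICKYADDR)` so the mixed `&`/`&&` expression does not depend on operator precedence for its meaning, and consider adding a short comment above the `if` explaining that source nodes are only created in pf_create_state(), which is why stateless sticky-address cannot work; that reasoning currently lives only in the commit message.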