pf: 'sticky-address' requires 'keep state'
When route_to() processes a packet without state, pf_map_addr() is called for each packet. pf_map_addr() will search for a source node and will find none, since those are created only in pf_create_state(). Thus sticky address, even though requested in the rule definition, will never work. Raise an error when a stateless filter rule uses sticky address to avoid confusion and to keep ruleset limitations in sync with what the pf code really does.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46310
committed by
Kristof Provost
parent
41e03b46da
commit
788f194f60
@@ -5388,6 +5388,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
|
||||
problems++;
|
||||
}
|
||||
}
|
||||
if (r->rpool.opts & PF_POOL_STICKYADDR && !r->keep_state) {
|
||||
yyerror("'sticky-address' requires 'keep state'");
|
||||
problems++;
|
||||
}
|
||||
return (-problems);
|
||||
}
|
||||
|
||||
|
||||
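Review bot: The new pfctl check does not condition on the rule's action, while the kernel-side check added in the pf_ioctl_addrule hunk below only fires for `rule->action == PF_PASS`; if the grammar lets a non-pass rule carry a sticky-address pool, pfctl would reject what the kernel accepts, which works against the commit's stated aim of keeping the two limits in sync. Either mirror the kernel with `if (r->action == PF_PASS && (r->rpool.opts & PF_POOL_STICKYADDR) && !r->keep_state) {` or drop the action condition on the kernel side, whichever matches the intended semantics (I cannot tell from the hunk whether non-pass rules can reach this pool option). Parenthesising the bitwise test also makes the `&`-inside-`&&` precedence explicit for readers, as the surrounding consistency checks tend to do. filter_consistent() begins outside this hunk.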
@@ -2207,6 +2207,11 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
|
||||
(TAILQ_FIRST(&rule->rpool.list) == NULL))
|
||||
error = EINVAL;
|
||||
|
||||
if (rule->action == PF_PASS && rule->rpool.opts & PF_POOL_STICKYADDR &&
|
||||
!rule->keep_state) {
|
||||
error = EINVAL;
|
||||
}
|
||||
|
||||
if (error) {
|
||||
pf_free_rule(rule);
|
||||
rule = NULL;
|
||||
|
||||
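Review bot: The kernel check collapses into the same bare `error = EINVAL` as the preceding empty-pool test, so a caller that does not go through pfctl's filter_consistent (anything driving the ioctl directly) gets no hint why the rule was refused, and the code itself does not say why sticky-address needs state. A short comment above the condition would carry the reasoning from the commit message into the source: `/* Sticky addresses need a source node, and those are only created in pf_create_state(); a stateless rule could never match one. */`. If pf_ioctl_addrule has a debug-print facility in scope it would also be worth emitting the reason there, but I cannot see one in this hunk. pf_ioctl_addrule() starts and continues outside the hunk.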