pf: sctp heartbeats confirm a connection

When we create a new state for multihomed sctp connections (i.e. based on INIT/INIT_ACK or ASCONF parameters) the new connection will never see a COOKIE/COOKIE_ACK exchange. We should consider HEARTBEAT_ACK to be a confirmation that the connection is established. This ensures that such connections do not time out earlier than expected. MFC after: 1 week Sponsored by: Orange Business Services
2026-06-09 00:32:25 -04:00 · 2023-11-17 13:52:34 +01:00 · 2023-11-17 13:52:34 +01:00 · 7093414c63
commit 7093414c63
parent a8dbbeb1c7
3 changed files with 20 additions and 9 deletions
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@ -1580,13 +1580,16 @@ struct pf_pdesc {
 #define PFDESC_SCTP_INIT	0x0001
 #define PFDESC_SCTP_INIT_ACK	0x0002
 #define PFDESC_SCTP_COOKIE	0x0004
-#define PFDESC_SCTP_ABORT	0x0008
-#define PFDESC_SCTP_SHUTDOWN	0x0010
-#define PFDESC_SCTP_SHUTDOWN_COMPLETE	0x0020
-#define PFDESC_SCTP_DATA	0x0040
-#define PFDESC_SCTP_ASCONF	0x0080
-#define PFDESC_SCTP_OTHER	0x0100
-#define PFDESC_SCTP_ADD_IP	0x0200
+#define PFDESC_SCTP_COOKIE_ACK	0x0008
+#define PFDESC_SCTP_ABORT	0x0010
+#define PFDESC_SCTP_SHUTDOWN	0x0020
+#define PFDESC_SCTP_SHUTDOWN_COMPLETE	0x0040
+#define PFDESC_SCTP_DATA	0x0080
+#define PFDESC_SCTP_ASCONF	0x0100
+#define PFDESC_SCTP_HEARTBEAT	0x0200
+#define PFDESC_SCTP_HEARTBEAT_ACK	0x0400
+#define PFDESC_SCTP_OTHER	0x0800
+#define PFDESC_SCTP_ADD_IP	0x1000
 	u_int16_t	 sctp_flags;
 	u_int32_t	 sctp_initiate_tag;

--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@ -5932,7 +5932,7 @@ pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
 			dst->scrub->pfss_v_tag = pd->sctp_initiate_tag;
 	}

-	if (pd->sctp_flags & PFDESC_SCTP_COOKIE) {
+	if (pd->sctp_flags & (PFDESC_SCTP_COOKIE | PFDESC_SCTP_HEARTBEAT_ACK)) {
 		if (src->state < SCTP_ESTABLISHED) {
 			pf_set_protostate(*state, psrc, SCTP_ESTABLISHED);
 			(*state)->timeout = PFTM_SCTP_ESTABLISHED;
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@ -2126,12 +2126,20 @@ pf_scan_sctp(struct mbuf *m, int ipoff, int off, struct pf_pdesc *pd,
 			pd->sctp_flags |= PFDESC_SCTP_SHUTDOWN_COMPLETE;
 			break;
 		case SCTP_COOKIE_ECHO:
-		case SCTP_COOKIE_ACK:
 			pd->sctp_flags |= PFDESC_SCTP_COOKIE;
 			break;
+		case SCTP_COOKIE_ACK:
+			pd->sctp_flags |= PFDESC_SCTP_COOKIE_ACK;
+			break;
 		case SCTP_DATA:
 			pd->sctp_flags |= PFDESC_SCTP_DATA;
 			break;
+		case SCTP_HEARTBEAT_REQUEST:
+			pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT;
+			break;
+		case SCTP_HEARTBEAT_ACK:
+			pd->sctp_flags |= PFDESC_SCTP_HEARTBEAT_ACK;
+			break;
 		case SCTP_ASCONF:
 			pd->sctp_flags |= PFDESC_SCTP_ASCONF;