upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 08:43:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pf: skip urpf check for sctp multihomed states

Browse source 
When we create a new state for multihomed sctp connections (i.e.
based on INIT/INIT_ACK or ASCONF parameters) we cannot know what
interfaces we'll be seeing that traffic on. These states are floating
states, i.e. on "all" interfaces. We cannot do reverse path filtering
for these states, so do not do so.

MFC after:	1 week
Sponsored by:	Orange Business Services
This commit is contained in:
Kristof Provost 2023-11-16 20:55:02 +01:00
parent 0fe663b2a8
commit a8dbbeb1c7
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
sys/netpfil/pf/pf.c
View file

@ -7160,6 +7160,9 @@ pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif,
if (af != AF_INET && af != AF_INET6)
return (0);
if (kif == V_pfi_all)
return (1);
/* Skip checks for ipsec interfaces */
if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC)
return (1);