opnsense/src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-04 03:00:53 -06:00
Code Issues Packages Projects Releases Wiki Activity

pf: Force logging if pf_create_state() fails

Browse Source 
Currently packets are logged before pf_create_state() is called, so we
might log a packet as passed that is subsequently dropped due to state
creation failure.  In particular, the drop is not logged, which is
wrong.

Improve the situation a bit: force logging if state creation fails.
This isn't totally right as we'll end up logging the packet twice in
this case, but it's better than not logging the drop at all.

Add a regression test.

Discussed with:	kp, ks
Co-authored-by:	Franco Fichtner <franco@opnsense.org>
MFC after:	2 weeks
Sponsored by:	Klara, Inc.
Sponsored by:	OPNsense
Differential Revision:	https://reviews.freebsd.org/D47953

(cherry picked from commit 886396f1b1a727c642071965612e2c2c9dd11d6c)
This commit is contained in:
Mark Johnston 2025-01-16 15:44:40 +00:00 committed by Franco Fichtner
parent 7c445da3ba
commit 1a2a481caf
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sys/netpfil/pf/pf.c
View File

@ -5043,6 +5043,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
hdrlen, &match_rules);
if (action != PF_PASS) {
pd->act.log |= PF_LOG_FORCE;
if (action == PF_DROP &&
(r->rule_flag & PFRULE_RETURN))
pf_return(r, nr, pd, sk, off, m, th, kif,