author | Kristof Provost <kp@FreeBSD.org> | 2023-09-01 11:33:56 +0000 |
committer | Kristof Provost <kp@FreeBSD.org> | 2023-09-07 17:05:01 +0000 |
commit | 51a78dd2764beabfd19a58b8a8b04387a547f02e (patch) | |
tree | 88d83e1fbd7407cb325e4a184ee3c3f47bfcf304 /sys/net/pfvar.h | |
parent | 1a28d5fea7edf200c37d14f7ed5865910664ec3d (diff) | |
pf: improve SCTP state validation
Only create new states for INIT chunks, or when we're creating a
secondary state for a multihomed association.
Store and verify the verification tag.
MFC after: 3 weeks
Sponsored by: Orange Business Services
Diffstat (limited to 'sys/net/pfvar.h')
-rw-r--r-- | sys/net/pfvar.h | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index a131ba925013..d63a7bb1afb2 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -900,7 +900,10 @@ struct pf_state_scrub {
 #define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */
 u_int8_t pfss_ttl; /* stashed TTL */
 u_int8_t pad;
- u_int32_t pfss_ts_mod; /* timestamp modulation */
+ union {
+ u_int32_t pfss_ts_mod; /* timestamp modulation */
+ u_int32_t pfss_v_tag; /* SCTP verification tag */
+ };
 };
 
 struct pf_state_host {
@@ -1583,6 +1586,7 @@ struct pf_pdesc {
 #define PFDESC_SCTP_DATA 0x0040
 #define PFDESC_SCTP_ASCONF 0x0080
 #define PFDESC_SCTP_OTHER 0x0100
+#define PFDESC_SCTP_ADD_IP 0x0200
 u_int16_t sctp_flags;
 u_int32_t sctp_initiate_tag;
 
@@ -2297,6 +2301,8 @@ int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
 int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
 u_short *, struct tcphdr *, struct pf_kstate *, struct pf_state_peer *,
 struct pf_state_peer *, int *);
+int pf_normalize_sctp_init(struct mbuf *, int, struct pf_pdesc *,
+ struct pf_state_peer *, struct pf_state_peer *);
 int pf_normalize_sctp(int, struct pfi_kkif *, struct mbuf *, int, int,
 void *, struct pf_pdesc *);
 u_int32_t
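Review bot: The anonymous union in struct pf_state_scrub makes pfss_ts_mod and pfss_v_tag share storage, but nothing in the header says which member is live for a given state, so a reader of the TCP timestamp code can no longer assume pfss_ts_mod holds a modulation value for every state. A comment on the union would pin the invariant, e.g. `/* Selected by protocol: TCP uses pfss_ts_mod, SCTP uses pfss_v_tag; never both. */`. The union also keeps sizeof(struct pf_state_scrub) unchanged, which is presumably why a union was chosen over a new field; if that layout stability matters to consumers of this header, the comment should say so. struct pf_state_scrub begins outside the hunk, and the code that fills and checks pfss_v_tag (the SCTP normalization path declared as pf_normalize_sctp_init in the third hunk) is not part of this page, whose diffstat is limited to pfvar.h.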