
pf: Fix endless loop on NAT exhaustion with sticky-address
ClosedPublic

Authored by kp on Dec 8 2018, 3:06 PM.
Referenced Files
F80211680: D18483.id51928.diff

Details

Summary

When we try to find a source port in pf_get_sport() it's possible that
all available source ports will be in use. In that case we call
pf_map_addr() to try to find a new source IP to try from. If there are
no more available source IPs, pf_map_addr() will return 1 and we stop
trying.

However, if sticky-address is set we'll always return the same IP
address, even if we've already tried that one.
We need to check the supplied address, because if that's the one we'd
set, it means pf_get_sport() has already tried it, and we should error
out rather than keep trying.

PR: 233867
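To make the failure mode concrete, here is a constructed C model of the retry loop the summary describes. It is added here and is not pf's code: the names model_map_addr and model_get_sport, the pool struct, the port range and the iteration cap are all hypothetical stand-ins for the real pf_get_sport()/pf_map_addr() logic. The model runs the loop against a sticky pool with and without the supplied-address check the patch adds, and against a plain round-robin pool for comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tiny constructed ephemeral range so port exhaustion is reached at once. */
#define PORT_LO 50000
#define PORT_HI 50003

/* Hypothetical model of a translation pool (not pf's struct). */
struct pool {
    uint32_t addrs[4];
    int naddr;
    bool sticky;          /* models the sticky-address option          */
    uint32_t sticky_addr; /* the one address a sticky pool hands back  */
};

/* Every (addr, port) pair is busy in this model, so the port scan always
 * fails and the caller always has to ask for another source address. */
static bool port_in_use(uint32_t addr, uint16_t port) {
    (void)addr; (void)port;
    return true;
}

/* Model of pf_map_addr(): writes the next source address to *naddr and
 * returns 0, or returns 1 when the pool is exhausted. `cur` is the address
 * the caller has already tried (the "supplied address" in the summary).
 * With check_supplied == false the sticky pool can never report exhaustion,
 * which is the pre-patch behaviour; with it true, handing back the address
 * the caller already tried is reported as exhaustion instead. */
static int model_map_addr(const struct pool *p, int *idx, uint32_t cur,
                          uint32_t *naddr, bool check_supplied) {
    if (p->sticky) {
        if (check_supplied && cur == p->sticky_addr)
            return 1;               /* the fix: caller already tried this one */
        *naddr = p->sticky_addr;
        return 0;
    }
    if (*idx >= p->naddr)
        return 1;                   /* round-robin pool genuinely exhausted */
    *naddr = p->addrs[(*idx)++];
    return 0;
}

/* Model of pf_get_sport(): scan every port on the current address, then ask
 * the pool for another address and repeat. Returns 0 on success, 1 when the
 * pool reports exhaustion, and -1 if the loop hits the iteration cap, i.e.
 * it would have spun forever in the kernel. *iterations counts passes. */
static int model_get_sport(const struct pool *p, uint32_t first_addr,
                           bool check_supplied, int *iterations) {
    uint32_t cur = first_addr, next;
    int idx = 1;                    /* first_addr is addrs[0]; continue after it */
    *iterations = 0;
    for (;;) {
        if (++*iterations > 1000)
            return -1;              /* cap only exists in the model */
        for (uint16_t port = PORT_LO; port <= PORT_HI; port++)
            if (!port_in_use(cur, port))
                return 0;
        if (model_map_addr(p, &idx, cur, &next, check_supplied) != 0)
            return 1;
        cur = next;
    }
}

int main(void) {
    /* Constructed pools: 10.0.0.1 sticky, and 10.0.0.1/10.0.0.2 round-robin. */
    struct pool sticky = { { 0x0a000001 }, 1, true, 0x0a000001 };
    struct pool plain  = { { 0x0a000001, 0x0a000002 }, 2, false, 0 };
    int it;

    int before = model_get_sport(&sticky, sticky.sticky_addr, false, &it);
    printf("sticky, no check : rc=%d after %d passes (cap hit)\n", before, it);
    int after = model_get_sport(&sticky, sticky.sticky_addr, true, &it);
    printf("sticky, checked  : rc=%d after %d pass\n", after, it);
    int rr = model_get_sport(&plain, plain.addrs[0], false, &it);
    printf("round-robin      : rc=%d after %d passes\n", rr, it);
    return 0;
}
```

The round-robin pool terminates on its own because the pool index eventually runs past the last address; the sticky pool has no such index, so the only way for it to report exhaustion is the comparison against the address the caller already tried, which is exactly the check the summary describes.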

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 21444

Event Timeline

Tested and can confirm this resolves the issue of an endless loop with PF_POOL_STICKYADDR when all available ephemeral ports are exhausted.

This revision is now accepted and ready to land. Dec 9 2018, 8:40 AM
This revision was automatically updated to reflect the committed changes.