Page MenuHomeFreeBSD
Differential D50968

pf: limit extra SCTP states
Needs ReviewPublic
Actions

Authored by kp on Jun 21 2025, 7:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Feb 1, 6:10 PM
Unknown Object (File)
Sun, Feb 1, 5:50 PM
Unknown Object (File)
Sun, Feb 1, 7:39 AM
Unknown Object (File)
Sun, Feb 1, 3:39 AM
Unknown Object (File)
Sat, Jan 31, 7:37 AM
Unknown Object (File)
Sun, Jan 18, 3:23 AM
Unknown Object (File)
Thu, Jan 15, 9:31 AM
Unknown Object (File)
Dec 29 2025, 4:17 AM
View All 37 Files
Subscribers
farrokhi
glebius
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
None
Group Reviewers
network
Summary

For SCTP we create states for all combinations of endpoints, to allow multihoming to work.
Malicious users could abuse this to fill our state table more easily
than they otherwise could, because we create states between all
combinations of endpoints. Limit this to no more than 8 extra endpoints
for each side of the connection.

MFC after: 2 weeks
Sponsored by: Orange Business Services

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 65013
Build 61896: arc lint + arc unit

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
11 lines
tests/
sys/
netpfil/
pf/
28 lines

Diff 157413

View Options

sys/netpfil/pf/pf.c

Loading...
View Options

tests/sys/netpfil/pf/sctp.py

Loading...