Page MenuHomeFreeBSD
Differential D50968

pf: limit extra SCTP states
Needs ReviewPublic
Actions

Authored by kp on Jun 21 2025, 7:19 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 6, 12:16 PM
Unknown Object (File)
Thu, Nov 6, 12:16 PM
Unknown Object (File)
Mon, Nov 3, 9:26 PM
Unknown Object (File)
Mon, Nov 3, 4:13 AM
Unknown Object (File)
Oct 25 2025, 1:18 AM
Unknown Object (File)
Oct 23 2025, 10:01 PM
Unknown Object (File)
Oct 18 2025, 9:55 AM
Unknown Object (File)
Oct 6 2025, 4:30 PM
View All 27 Files
Subscribers
farrokhi
glebius
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
None
Group Reviewers
network
Summary

For SCTP we create states for all combinations of endpoints, to allow multihoming to work.
Malicious users could abuse this to fill our state table more easily
than they otherwise could, because we create states between all
combinations of endpoints. Limit this to no more than 8 extra endpoints
for each side of the connection.

MFC after: 2 weeks
Sponsored by: Orange Business Services

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 65013
Build 61896: arc lint + arc unit

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
11 lines
tests/
sys/
netpfil/
pf/
28 lines

Diff 157413

View Options

sys/netpfil/pf/pf.c

Loading...
View Options

tests/sys/netpfil/pf/sctp.py

Loading...