
ipfw: pmod: avoid further rule processing after tcp-mod failures

Description

ipfw: pmod: avoid further rule processing after tcp-mod failures

m_pullup() here will have freed the mbuf chain, but we pass back an
IP_FW_DENY without any signal that the outer loop should finish. Thus,
rule processing continues without an mbuf and there's a chance that we
conclude that the packet may pass (but there's no mbuf remaining)
depending on the rules that follow it.

Approved by: re (cperciva)
PR: 284606
Reviewed by: ae

(cherry picked from commit c0382512bfce872102d213b9bc2550de0bc30b67)
(cherry picked from commit 21d55ae111aada3c5426632253ad8df9103d3423)
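
The failure mode the commit message describes, as an added example in C that is not FreeBSD's ipfw code: a simplified model in which every name (`pullup`, `tcpmod`, `run_rules`, `demo`, the `fixed` switch) is an assumption made for illustration. With `fixed` set to 0 the deny verdict does not stop the loop, and a later allow rule returns a pass verdict for a packet that has already been freed; with `fixed` set to 1 the loop ends on the failure.

```c
#include <stdlib.h>
/* Simplified model; every name here is hypothetical, not ipfw source. */
enum verdict { FW_PASS, FW_DENY };
enum opcode { OP_TCPMOD, OP_ALLOW };
struct pkt { size_t len; };

/* Like m_pullup(): on failure the buffer is freed and the pointer cleared. */
static int pullup(struct pkt **pp, size_t need) {
    if ((*pp)->len >= need)
        return 0;
    free(*pp);
    *pp = NULL;
    return -1;
}

/* Modifier action: deny on pullup failure; only the fixed form stops the loop. */
static enum verdict tcpmod(struct pkt **pp, int *done, int fixed) {
    if (pullup(pp, 20) != 0) {
        if (fixed) *done = 1;   /* signal the outer loop to finish */
        return FW_DENY;
    }
    return FW_PASS;
}

/* Walk the rules until one sets done; *pp is NULL if the packet was freed. */
enum verdict run_rules(const enum opcode *rules, int n, struct pkt **pp, int fixed) {
    enum verdict v = FW_DENY;
    int done = 0;
    for (int i = 0; i < n && !done; i++) {
        if (rules[i] == OP_TCPMOD) {
            v = tcpmod(pp, &done, fixed);
        } else {                /* OP_ALLOW: terminal accept */
            v = FW_PASS;
            done = 1;
        }
    }
    return v;
}

/* Constructed input: a 10-byte packet, too short for the 20-byte pullup. */
enum verdict demo(int fixed, int *pkt_gone) {
    const enum opcode rules[] = { OP_TCPMOD, OP_ALLOW };
    struct pkt *p = malloc(sizeof(*p));
    if (p == NULL) { *pkt_gone = 1; return FW_DENY; }
    p->len = 10;
    enum verdict v = run_rules(rules, 2, &p, fixed);
    *pkt_gone = (p == NULL);
    free(p);
    return v;
}
```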

Details

Provenance
kevans Authored on Nov 1 2025, 5:34 PM
cperciva Committed on Nov 5 2025, 7:36 PM
Parents
rG290b9b6b262b: id: Fix WITHOUT_AUDIT build