pf: 'sticky-address' requires 'keep state'

When route_to() processes a packet without state, pf_map_addr() is called for each packet. Pf_map_addr() will search for a source node and will find none since those are created only in pf_create_state(). Thus sticky address, even though requested in rule definition, will never work. Raise an error when a stateless filter rule uses sticky address to avoid confusion and to keep ruleset limitations in sync with what the pf code really does. Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D46310
ayrtonm · Aug 16, 2024 · 788f194 · 788f194
1 parent 41e03b4
commit 788f194
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
@@ -5388,6 +5388,10 @@ filter_consistent(struct pfctl_rule *r, int anchor_call)
 			problems++;
 		}
 	}
+	if (r->rpool.opts & PF_POOL_STICKYADDR && !r->keep_state) {
+		yyerror("'sticky-address' requires 'keep state'");
+		problems++;
+	}
 	return (-problems);
 }
 

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
@@ -2207,6 +2207,11 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
 	    (TAILQ_FIRST(&rule->rpool.list) == NULL))
 		error = EINVAL;
 
+	if (rule->action == PF_PASS && rule->rpool.opts & PF_POOL_STICKYADDR &&
+	    !rule->keep_state) {
+		error = EINVAL;
+	}
+
 	if (error) {
 		pf_free_rule(rule);
 		rule = NULL;