diff options
author | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2013-10-09 09:32:02 +0000 |
---|---|---|
committer | Camiel Dobbelaar <camield@cvs.openbsd.org> | 2013-10-09 09:32:02 +0000 |
commit | be759b8c35882bf5d34e4710d483a191c245250b (patch) | |
tree | 8f1fadc3b10596ec9c2bb28f89d27887a59ee0a2 /sys/net | |
parent | 741a2531975d37ce6b2dccac6a9f772543768eaa (diff) |
Don't leak ruleitems from match rules when hitting a per-rule max state limit.
ok henning
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 5d0370fb1ba..78d63d304d2 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.840 2013/09/27 10:20:08 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.841 2013/10/09 09:32:01 camield Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3416,6 +3416,12 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, goto cleanup; } + if (r->max_states && (r->states_cur >= r->max_states)) { + pf_status.lcounters[LCNT_STATES]++; + REASON_SET(&reason, PFRES_MAXSTATES); + goto cleanup; + } + action = pf_create_state(pd, r, a, nr, &skw, &sks, &rewrite, sm, tag, &rules, &act, sns); @@ -3493,13 +3499,6 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a, u_short reason; u_int i; - /* check maximums */ - if (r->max_states && (r->states_cur >= r->max_states)) { - pf_status.lcounters[LCNT_STATES]++; - REASON_SET(&reason, PFRES_MAXSTATES); - return (PF_DROP); - } - s = pool_get(&pf_state_pl, PR_NOWAIT | PR_ZERO); if (s == NULL) { REASON_SET(&reason, PFRES_MEMORY); |