authorCamiel Dobbelaar <camield@cvs.openbsd.org>2013-10-09 09:32:02 +0000
committerCamiel Dobbelaar <camield@cvs.openbsd.org>2013-10-09 09:32:02 +0000
commitbe759b8c35882bf5d34e4710d483a191c245250b (patch)
tree8f1fadc3b10596ec9c2bb28f89d27887a59ee0a2 /sys/net
parent741a2531975d37ce6b2dccac6a9f772543768eaa (diff)
Don't leak ruleitems from match rules when hitting a per-rule max state limit.
ok henning
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pf.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 5d0370fb1ba..78d63d304d2 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.840 2013/09/27 10:20:08 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.841 2013/10/09 09:32:01 camield Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3416,6 +3416,12 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
goto cleanup;
}
+ if (r->max_states && (r->states_cur >= r->max_states)) {
+ pf_status.lcounters[LCNT_STATES]++;
+ REASON_SET(&reason, PFRES_MAXSTATES);
+ goto cleanup;
+ }
+
action = pf_create_state(pd, r, a, nr, &skw, &sks, &rewrite,
sm, tag, &rules, &act, sns);
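Review bot: Only the max-states failure is moved onto the `goto cleanup` path here; the other failure exits of pf_create_state(), such as the pool_get() failure that sets PFRES_MEMORY in the next hunk, may still leak the match ruleitems if pf_test_rule returns the action directly after this call. The handling of `action` after the call is outside the hunk, so this needs confirming. If it does return directly, and assuming the `cleanup` label ends in a PF_DROP return, the fix would be `if (action != PF_PASS) goto cleanup;`. Both the state limit and pool exhaustion are reached under load, so a per-packet leak on either path grows exactly when memory is scarce. I would also put a comment on the new check, for example `/* checked here, not in pf_create_state(), so cleanup frees the match ruleitems */`, because pf_create_state() no longer enforces the per-rule limit itself.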
@@ -3493,13 +3499,6 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
u_short reason;
u_int i;
- /* check maximums */
- if (r->max_states && (r->states_cur >= r->max_states)) {
- pf_status.lcounters[LCNT_STATES]++;
- REASON_SET(&reason, PFRES_MAXSTATES);
- return (PF_DROP);
- }
-
s = pool_get(&pf_state_pl, PR_NOWAIT | PR_ZERO);
if (s == NULL) {
REASON_SET(&reason, PFRES_MEMORY);