From 782a7300cedfa5b9fbe695306bf6e9733e9ff3bb Mon Sep 17 00:00:00 2001
From: Stuart Henderson
Date: Thu, 2 Jun 2011 22:03:31 +0000
Subject: Don't destroy a non-persistent table if referenced by src_nodes. Fixes a crash if max-src-* options are triggered both before and after a ruleset reload, when the rules are overloading to a non-persistent table. Discovered by and fix from Martin Pelikan.
---
sys/net/pf_ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sys/net/pf_ioctl.c')
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index effc6b586c4..4b1d4f3b9ca 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.239 2011/04/19 21:58:03 chl Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.240 2011/06/02 22:03:30 sthen Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -263,7 +263,7 @@ void
 pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
 {
 if (rulequeue != NULL) {
- if (rule->states_cur <= 0) {
+ if (rule->states_cur <= 0 && rule->src_nodes <= 0) {
 /*
 * XXX - we need to remove the table *before* detaching
 * the rule to make sure the table code does not delete
-- 
cgit v1.2.3
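Review bot: The new `rule->src_nodes <= 0` test in `pf_rm_rule` skips the table removal while source nodes still reference the rule, but nothing visible in this hunk shows where that removal is made up once the last source node is released. The function body continues past the end of the hunk, so confirm that the later release path still detaches the tables when both `states_cur` and `src_nodes` have dropped to zero; otherwise the crash is traded for a table reference that is never released. The XXX comment should also record the new invariant, since it only explains ordering relative to detaching the rule: something like `/* src_nodes may still point at this rule's overload table; keep the table until they are gone */`.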