From 89860f872aa418b0d4a11598306a3c65a1dae396 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Tue, 10 Oct 2023 16:26:06 +0000
Subject: [PATCH] pf(4) must not pass packet if state cannot be created.

The behavior of the PFRULE_SRCTRACK and max_states check was unintentionally changed by commit revision 1.964. If the state was not created due to some limit had been reached, pf still passed the packet. Restore the old logic by setting action to pass later, after the checks. In pf_test_rule() action is initialized to drop.

OK sashan@
---
 sys/net/pf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/net/pf.c b/sys/net/pf.c
index dfbac2bbb97..9984c8aae9d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1187 2023/10/10 11:25:31 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1188 2023/10/10 16:26:06 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -4467,8 +4467,6 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
 		goto cleanup;
 	}
 
-	action = PF_PASS;
-
 	if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
 	    !ctx.state_icmp && r->keep_state) {
 
@@ -4511,6 +4509,8 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
 
 #endif /* INET6 */
 	} else {
+		action = PF_PASS;
+
 		while ((ctx.ri = SLIST_FIRST(&ctx.rules))) {
 			SLIST_REMOVE_HEAD(&ctx.rules, entry);
 			pool_put(&pf_rule_item_pl, ctx.ri);
-- 
2.20.1
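Review bot: The `action = PF_PASS;` added in the stateless `else` branch of the third hunk makes the keep-state branch depend on an unstated invariant — that `action` keeps its initial PF_DROP until the PFRULE_SRCTRACK and max_states checks succeed and state creation then sets it — and nothing in the code records why the assignment was moved from the position removed in the second hunk. A comment on the added line would stop a later refactor from hoisting it back above the checks, e.g. `/* Stateless rule: pass. Keep-state rules leave action at PF_DROP until the src-track/max_states checks pass and state creation sets it. */`. The keep-state branch between the two hunks and the rest of pf_test_rule, including where action is initialized and where it is returned, are outside the hunks, so that every path there assigns action before reaching the return is taken from the commit message rather than seen here. The first hunk is only the RCS id bump.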