git: 9565df4e7fa9 - main - pf: fix 'quick' for match rules
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 13 Feb 2025 12:39:02 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=9565df4e7fa9348d4200e2607e84f1a4bea54f8d
commit 9565df4e7fa9348d4200e2607e84f1a4bea54f8d
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-02-10 13:32:27 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-13 12:38:43 +0000
pf: fix 'quick' for match rules
In pf_test_rule, when dealing with a match rule, obey the match rule's quick
flag to decide wether to abort ruleset eval instead of the last matching rule's
one. Makes "match quick" abort ruleset evaluation with the current block/pass
state. From Maxim Khitrov <max at mxcrypt.com>, ok bluhm mikeb
Obtained from: OpenBSD, henning <henning@openbsd.org>, c5611d5b70
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 5c99cde4a9f4..76f508b43750 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5825,7 +5825,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
PFLOG_PACKET(r->action, PFRES_MATCH, r,
a, ruleset, pd, 1);
}
- if ((*rm)->quick)
+ if (r->quick)
break;
r = TAILQ_NEXT(r, entries);
} else