git: 6d786845cf63 - main - pf: Do not short-circuit processing for REPLY_TO

Kristof Provost kp at FreeBSD.org
Wed Apr 7 15:03:37 UTC 2021


The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6d786845cf63c8bf57174e3e43b0b5c5eca75be3

commit 6d786845cf63c8bf57174e3e43b0b5c5eca75be3
Author:     Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-04-07 13:46:44 +0000
Commit:     Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-04-07 15:03:17 +0000

    pf: Do not short-circuit processing for REPLY_TO
    
    When we find a state for packets that was created by a reply-to rule we
    still need to process the packet. The state may require us to modify the
    packet (e.g. in rdr or nat cases), which we won't do with the shortcut.
    
    MFC after:      2 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 4b11122df544..e4bc6447b0d1 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -342,10 +342,8 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
 		if (PACKET_LOOPED(pd))					\
 			return (PF_PASS);				\
 		if ((d) == PF_OUT &&					\
-		    (((s)->rule.ptr->rt == PF_ROUTETO &&		\
-		    (s)->rule.ptr->direction == PF_OUT) ||		\
-		    ((s)->rule.ptr->rt == PF_REPLYTO &&			\
-		    (s)->rule.ptr->direction == PF_IN)) &&		\
+		    (s)->rule.ptr->rt == PF_ROUTETO &&			\
+		    (s)->rule.ptr->direction == PF_OUT &&		\
 		    (s)->rt_kif != NULL &&				\
 		    (s)->rt_kif != (i))					\
 			return (PF_PASS);				\
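Review bot: the hunk drops the PF_REPLYTO branch but leaves the PF_ROUTETO shortcut returning PF_PASS with no comment on why the concern stated in the commit message (the state may require modifying the packet, e.g. in rdr or nat cases) does not equally apply to route-to states; a short comment above the `if ((d) == PF_OUT &&` condition stating why a route-to state reaching this macro on a different interface (`(s)->rt_kif != (i)`) needs no further processing, and why reply-to states must not take this path, would document the distinction for the next reader. With the nested alternation removed the condition is now a flat `&&` chain, so the remaining parentheses are consistent and no precedence issue is introduced.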

