svn commit: r316000 - stable/10/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Sun Mar 26 18:12:52 UTC 2017
Author: kp
Date: Sun Mar 26 18:12:50 2017
New Revision: 316000
URL: https://svnweb.freebsd.org/changeset/base/316000
Log:
MFC 315529
pf: Fix rule evaluation after inet6 route-to
In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out
of a different interface. pf_test6() needs to know that the packet was
forwarded (in case it needs to refragment so it knows whether to call
ip6_output() or ip6_forward()).
This led pf_test6() to try to evaluate rules against the PF_FWD
direction, which isn't supported, so it needs to treat PF_FWD as PF_OUT.
Once fwdir is set correctly the correct output/forward function will be
called.
PR: 217883
Submitted by: Kajetan Staszkiewicz
Sponsored by: InnoGames GmbH
Modified:
stable/10/sys/netpfil/pf/pf.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/netpfil/pf/pf.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf.c Sun Mar 26 18:11:40 2017 (r315999)
+++ stable/10/sys/netpfil/pf/pf.c Sun Mar 26 18:12:50 2017 (r316000)
@@ -6165,6 +6165,9 @@ pf_test6(int dir, struct ifnet *ifp, str
m->m_pkthdr.rcvif->if_bridge != ifp->if_bridge)))
fwdir = PF_FWD;
+ if (dir == PF_FWD)
+ dir = PF_OUT;
+
if (!V_pf_status.running)
return (PF_PASS);
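Review bot: the added `if (dir == PF_FWD) dir = PF_OUT;` carries no comment, and it is only correct because it sits after the `fwdir = PF_FWD;` assignment directly above it. Please add a short comment at that spot saying that rules are not evaluated for the PF_FWD direction, so it is treated as PF_OUT, and that fwdir must already be set before dir is rewritten, since fwdir is what later selects between ip6_output() and ip6_forward(). Without that note, a later reordering of these two blocks could silently lose the forwarding state while the code still compiles and passes traffic.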