svn commit: r336575 - stable/11/sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Sat Jul 21 07:00:22 UTC 2018
Author: kp
Date: Sat Jul 21 07:00:21 2018
New Revision: 336575
URL: https://svnweb.freebsd.org/changeset/base/336575
Log:
MFC r336275:
pf: Fix synproxy
Synproxy was accidentally broken by r335569. The 'return (action)' must be
executed for every non-PF_PASS result, but the error packet (TCP RST or ICMP
error) should only be sent if the packet was dropped (i.e. PF_DROP) and the
return flag is set.
PR: 229477
Submitted by: Andre Albsmeier <mail AT fbsd.e4m.org>
Modified:
stable/11/sys/netpfil/pf/pf.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netpfil/pf/pf.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf.c Sat Jul 21 02:14:13 2018 (r336574)
+++ stable/11/sys/netpfil/pf/pf.c Sat Jul 21 07:00:21 2018 (r336575)
@@ -3544,9 +3544,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm
action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
hdrlen);
- if (action != PF_PASS && r->rule_flag & PFRULE_RETURN) {
- pf_return(r, nr, pd, sk, off, m, th, kif,
- bproto_sum, bip_sum, hdrlen, &reason);
+ if (action != PF_PASS) {
+ if (action == PF_DROP &&
+ (r->rule_flag & PFRULE_RETURN))
+ pf_return(r, nr, pd, sk, off, m, th, kif,
+ bproto_sum, bip_sum, hdrlen, &reason);
return (action);
}
} else {
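Review bot: The new inner test `if (action == PF_DROP &&` carries no comment explaining why the other non-PF_PASS results of pf_create_state() must return without calling pf_return(), and per the log that distinction is exactly what r335569 lost. A short comment above it, along the lines of /* Only PF_DROP with PFRULE_RETURN sends a RST or ICMP error; every other non-PASS result just returns. */, would keep a later refactor from folding the two conditions back together. The pf_return() call also spans two lines under an unbraced if that sits directly above the unconditional `return (action);`, so adding braces around it would make the extent of the conditional easier to read.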