Date: Mon, 19 Apr 2021 19:21:48 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: a19dad31b150 - stable/12 - pf: Do not short-circuit processing for REPLY_TO Message-ID: <202104191921.13JJLmmX012990@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=a19dad31b1503e0ee512e5f1cd21b671143bf5c8 commit a19dad31b1503e0ee512e5f1cd21b671143bf5c8 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2021-04-07 13:46:44 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-04-19 08:20:22 +0000 pf: Do not short-circuit processing for REPLY_TO When we find a state for packets that was created by a reply-to rule we still need to process the packet. The state may require us to modify the packet (e.g. in rdr or nat cases), which we won't do with the shortcut. MFC after: 2 week Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 6d786845cf63c8bf57174e3e43b0b5c5eca75be3) --- sys/netpfil/pf/pf.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2666fd1155ab..a02c9254c714 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -343,10 +343,8 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]); if (PACKET_LOOPED(pd)) \ return (PF_PASS); \ if ((d) == PF_OUT && \ - (((s)->rule.ptr->rt == PF_ROUTETO && \ - (s)->rule.ptr->direction == PF_OUT) || \ - ((s)->rule.ptr->rt == PF_REPLYTO && \ - (s)->rule.ptr->direction == PF_IN)) && \ + (s)->rule.ptr->rt == PF_ROUTETO && \ + (s)->rule.ptr->direction == PF_OUT && \ (s)->rt_kif != NULL && \ (s)->rt_kif != (i)) \ return (PF_PASS); \
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104191921.13JJLmmX012990>