Date:      Fri, 11 Sep 2015 17:19:24 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r287680 - stable/10/sys/netpfil/pf
Message-ID:  <201509111719.t8BHJOYD047561@repo.freebsd.org>

Author: kp
Date: Fri Sep 11 17:19:24 2015
New Revision: 287680
URL: https://svnweb.freebsd.org/changeset/base/287680

Log:
  MFC r287376
  
  pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set
  
  If net.link.bridge.pfil_bridge is set we can end up thinking we're forwarding
  in pf_test6() because the rcvif and the ifp (output interface) are different.
  In that case we're bridging though, and the rcvif is the bridge member on
  which the packet was received and ifp is the bridge itself.
  If we'd set dir to PF_FWD we'd end up calling ip6_forward() which is
  incorrect.
  
  Instead check if the rcvif is a member of the ifp bridge. (In other words, the
  if_bridge is the ifp's softc). If that's the case we're not forwarding but
  bridging.
  
  PR:   202351

Modified:
  stable/10/sys/netpfil/pf/pf.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/pf/pf.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf.c	Fri Sep 11 17:14:58 2015	(r287679)
+++ stable/10/sys/netpfil/pf/pf.c	Fri Sep 11 17:19:24 2015	(r287680)
@@ -6082,7 +6082,17 @@ pf_test6(int dir, struct ifnet *ifp, str
 
 	M_ASSERTPKTHDR(m);
 
-	if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif)
+	/* Detect packet forwarding.
+	 * If the input interface is different from the output interface we're
+	 * forwarding.
+	 * We do need to be careful about bridges. If the
+	 * net.link.bridge.pfil_bridge sysctl is set we can be filtering on a
+	 * bridge, so if the input interface is a bridge member and the output
+	 * interface is its bridge we're not actually forwarding but bridging.
+	 */
+	if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif
+	    && (m->m_pkthdr.rcvif->if_bridge == NULL
+	        || m->m_pkthdr.rcvif->if_bridge != ifp->if_softc))
 		fwdir = PF_FWD;
 
 	if (!V_pf_status.running)
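Review bot: the new condition only exempts the member-to-bridge case; when ifp is another member of the same bridge rather than the bridge itself, `m->m_pkthdr.rcvif->if_bridge` is the bridge softc while `ifp->if_softc` is that member's own softc, so the packet is still classified as PF_FWD. If that output path can reach pf_test6() with PF_OUT, the condition should also cover it (for example by comparing `ifp->if_bridge` with `m->m_pkthdr.rcvif->if_bridge`); otherwise the comment should state why only the bridge-interface case matters. Also note that the check compares against `ifp->if_softc` without confirming ifp is actually a bridge interface, which works only because the inequality falls through to forwarding for any non-bridge ifp; a short comment saying so would help. Style point: per style(9) the multi-line comment should open with `/*` on its own line rather than `/* Detect packet forwarding.`.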
