From owner-svn-src-head@freebsd.org Tue Sep 1 19:04:05 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 526749C76D8; Tue, 1 Sep 2015 19:04:05 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 42F03128A; Tue, 1 Sep 2015 19:04:05 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t81J45AC053307; Tue, 1 Sep 2015 19:04:05 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id t81J45CP053306; Tue, 1 Sep 2015 19:04:05 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201509011904.t81J45CP053306@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Tue, 1 Sep 2015 19:04:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r287376 - head/sys/netpfil/pf X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Sep 2015 19:04:05 -0000 Author: kp Date: Tue Sep 1 19:04:04 2015 New Revision: 287376 URL: https://svnweb.freebsd.org/changeset/base/287376 Log: pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set If net.link.bridge.pfil_bridge is set we can end up thinking we're forwarding in pf_test6() because the rcvif and the ifp (output interface) are different. In that case we're bridging though, and the rcvif the the bridge member on which the packet was received and ifp is the bridge itself. If we'd set dir to PF_FWD we'd end up calling ip6_forward() which is incorrect. Instead check if the rcvif is a member of the ifp bridge. (In other words, the if_bridge is the ifp's softc). If that's the case we're not forwarding but bridging. PR: 202351 Reviewed by: eri Differential Revision: https://reviews.freebsd.org/D3534 Modified: head/sys/netpfil/pf/pf.c Modified: head/sys/netpfil/pf/pf.c ============================================================================== --- head/sys/netpfil/pf/pf.c Tue Sep 1 18:57:57 2015 (r287375) +++ head/sys/netpfil/pf/pf.c Tue Sep 1 19:04:04 2015 (r287376) @@ -6085,7 +6085,17 @@ pf_test6(int dir, struct ifnet *ifp, str M_ASSERTPKTHDR(m); - if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif) + /* Detect packet forwarding. + * If the input interface is different from the output interface we're + * forwarding. + * We do need to be careful about bridges. If the + * net.link.bridge.pfil_bridge sysctl is set we can be filtering on a + * bridge, so if the input interface is a bridge member and the output + * interface is its bridge we're not actually forwarding but bridging. + */ + if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif + && (m->m_pkthdr.rcvif->if_bridge == NULL + || m->m_pkthdr.rcvif->if_bridge != ifp->if_softc)) fwdir = PF_FWD; if (!V_pf_status.running)