Date:      Wed, 30 Mar 2016 18:45:18 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r297429 - stable/10/sys/netpfil/pf
Message-ID:  <201603301845.u2UIjI6K057745@repo.freebsd.org>

Author: kp
Date: Wed Mar 30 18:45:18 2016
New Revision: 297429
URL: https://svnweb.freebsd.org/changeset/base/297429

Log:
  MFC 296932:
  pf: Improve forwarding detection
  
  When we guess the nature of the outbound packet (output vs. forwarding) we need
  to take bridges into account. When bridging the input interface does not match
  the output interface, but we're not forwarding. Similarly, it's possible for the
  interface to actually be the bridge interface itself (and not a member interface).

Modified:
  stable/10/sys/netpfil/pf/pf.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/pf/pf.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf.c	Wed Mar 30 18:40:09 2016	(r297428)
+++ stable/10/sys/netpfil/pf/pf.c	Wed Mar 30 18:45:18 2016	(r297429)
@@ -6145,11 +6145,13 @@ pf_test6(int dir, struct ifnet *ifp, str
 	 * We do need to be careful about bridges. If the
 	 * net.link.bridge.pfil_bridge sysctl is set we can be filtering on a
 	 * bridge, so if the input interface is a bridge member and the output
-	 * interface is its bridge we're not actually forwarding but bridging.
+	 * interface is its bridge or a member of the same bridge we're not
+	 * actually forwarding but bridging.
 	 */
-	if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif
-	    && (m->m_pkthdr.rcvif->if_bridge == NULL
-	        || m->m_pkthdr.rcvif->if_bridge != ifp->if_softc))
+	if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif &&
+	    (m->m_pkthdr.rcvif->if_bridge == NULL ||
+	    (m->m_pkthdr.rcvif->if_bridge != ifp->if_softc &&
+	    m->m_pkthdr.rcvif->if_bridge != ifp->if_bridge)))
 		fwdir = PF_FWD;
 
 	if (!V_pf_status.running)
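Review bot: The comparison `m->m_pkthdr.rcvif->if_bridge != ifp->if_softc` in the new condition is only meaningful when ifp is itself a bridge interface; for any other interface type if_softc is driver-private data, so the test relies on that pointer never equalling a bridge softc. A short comment stating that assumption, or a check that ifp is a bridge before the comparison, would make the intent explicit. The updated comment also describes only the output side (output is the bridge or a member of the same bridge); if rcvif can be the bridge interface itself, the `if_bridge == NULL` arm still sets fwdir = PF_FWD, so it is worth stating in the comment whether that case can reach this code. As a style point, the three continuation lines share one indent level although they sit at different parenthesis depths; indenting the inner pair one step further would make the grouping easier to verify.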


