author | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:33:03 -0600 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:33:03 -0600 |
commit | 61b011d6bc2990ebdd75ff06619c32fb7a60e333 (patch) | |
tree | 6f679d88bedac909465d1fb9fcc56599f452f6aa | |
parent | a79fef75fc2cbd928b85ddb9aaa4034e2794d233 (diff) | |
Importing pfSense patch redmine_4310.diff
-rw-r--r-- | sys/netpfil/pf/if_pfsync.c | 15 | ||||
-rw-r--r-- | sys/netpfil/pf/pf.c | 22 |
2 files changed, 15 insertions, 22 deletions
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index d411197..8bddaab 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -1773,7 +1773,7 @@ pfsync_undefer_state(struct pf_state *st, int drop)
 		}
 	}
 
-	panic("%s: unable to find deferred state", __func__);
+	if (V_pf_status.debug >= PF_DEBUG_MISC) printf("%s: unable to find deferred state", __func__);
 }
 
 static void
@@ -2219,11 +2219,14 @@ pfsyncintr(void *arg)
 		 */
 		if (m->m_flags & M_SKIP_FIREWALL)
 			ip_output(m, NULL, NULL, 0, NULL, NULL);
-		else if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo,
-		    NULL) == 0)
-			V_pfsyncstats.pfsyncs_opackets++;
-		else
-			V_pfsyncstats.pfsyncs_oerrors++;
+		else {
+			m->m_flags |= M_SKIP_FIREWALL;
+			if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo,
+			    NULL) == 0)
+				V_pfsyncstats.pfsyncs_opackets++;
+			else
+				V_pfsyncstats.pfsyncs_oerrors++;
+		}
 	}
 	CURVNET_RESTORE();
 }
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 6bc2dda..0ae4502 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6230,8 +6230,6 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
 		    &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6262,8 +6260,6 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 		}
 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6285,8 +6281,6 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 		action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
 		    &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
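Review bot: The added `printf()` loses the newline that `panic()` supplied implicitly, so the console message on the new line is left unterminated; it should read `printf("%s: unable to find deferred state\n", __func__);`, and the statement belongs on its own line under the `if` rather than sharing it, per style(9). Downgrading the panic to a debug-level message also means the caller is no longer told that no deferral exists for `st`; if the caller relies on the deferral having been cancelled (for instance before the state is freed), that assumption now fails silently, which cannot be confirmed from this hunk and deserves a check at the call sites. pfsync_undefer_state's body starts outside the hunk.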
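Review bot: The new `m->m_flags |= M_SKIP_FIREWALL;` in the else branch makes every pfsync datagram the module sends itself bypass pf on the output path, so a ruleset that confines proto pfsync to the sync interface no longer applies to it; that is a security-relevant behaviour change and the commit message ("Importing pfSense patch redmine_4310.diff") gives no rationale, which should be recorded in the message or at the line. The block comment whose closing `*/` opens the hunk presumably describes telling deferral packets apart from pfsync's own packets by M_SKIP_FIREWALL; with both branches now ending up flagged it needs a caveat such as `/* Our own packets are flagged too so they skip pf on output; the distinction only holds at the test above. */`. pfsyncintr's body starts outside the hunk.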
@@ -6308,8 +6302,6 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 	default:
 		action = pf_test_state_other(&s, dir, kif, m, off, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6511,6 +6503,9 @@ continueprocessing:
 
 	pd.pf_mtag->flags &= ~PF_PACKET_LOOPED;
 
+	if (action == PF_PASS && s != NULL && pfsync_update_state_ptr != NULL)
+		pfsync_update_state_ptr(s);
+
 	if (log) {
 		struct pf_rule *lr;
 
@@ -6784,8 +6779,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
 		    &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6816,8 +6809,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 		}
 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6846,8 +6837,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 		action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
 		    &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6860,8 +6849,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 	default:
 		action = pf_test_state_other(&s, dir, kif, m, off, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
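Review bot: The call added after `continueprocessing:` now fires for any PF_PASS with a non-NULL `s`, which takes in a state that pf_test_rule created earlier in the same pf_test call and a packet that reached the label by goto from the PF_PACKET_LOOPED path, whereas the removed calls ran only after a state-match; if pfsync_update_state_ptr queues an update for a state whose insert is still pending, each new connection now costs an extra sync-queue operation, so confirm it tolerates a freshly inserted state. As far as I recall pfsync_update_state asserts the state lock, and the removed calls ran while `s` was still held from pf_test_state_*; the new site must still precede the final PF_STATE_UNLOCK(s), which is not visible in this hunk. Nothing records why the sync was moved here, so add a why-comment above the new `if`, e.g. `/* Sync the state to pfsync peers only once the final verdict for this packet is known. */`, if that is the intent. pf_test's body starts and ends outside the hunk.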
@@ -6986,6 +6973,9 @@ done:
 	pd.pf_mtag->flags &= ~PF_PACKET_LOOPED;
 continueprocessing6:
 
+	if (action == PF_PASS && s != NULL && pfsync_update_state_ptr != NULL)
+		pfsync_update_state_ptr(s);
+
 	if (dir == PF_IN && action == PF_PASS && (pd.proto == IPPROTO_TCP ||
 	    pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
 	    (s->nat_rule.ptr->action == PF_RDR ||
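Review bot: The IPv6 sync call is placed directly after `continueprocessing6:` and ahead of the `if (dir == PF_IN && action == PF_PASS && ... s->nat_rule.ptr->action == PF_RDR ||` block that follows it, so whatever that block does with `s` for redirected TCP/UDP states (its body continues outside the hunk) happens after the state has already been queued to the peers; if it mutates the state, peers hold the pre-mutation copy until the next update, so either move the call below that block or confirm the block is read-only with respect to `s`. The goto target placement also means a packet arriving at `continueprocessing6:` with `action == PF_PASS` and a non-NULL `s` gets synced even though the normal processing above was skipped, which the removed per-protocol calls never did. Add the same why-comment here as at the pf_test site, e.g. `/* Sync the state to pfsync peers only once the final verdict for this packet is known. */`. pf_test6's body starts and ends outside the hunk.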