Importing pfSense patch pf_reply-to.enahnce.diff

4 files changed, 21 insertions, 14 deletions

diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 837b617..b6c37a9 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -185,7 +185,7 @@ static int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int);
 	}\
     } while (/*CONSTCOND*/ 0)
 
-static void
+void
 in6_delayed_cksum(struct mbuf *m, uint32_t plen, u_short offset)
 {
 	u_short csum;
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index 70e487e..0d72b37 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -445,6 +445,7 @@ int	rip6_usrreq(struct socket *,
 int	dest6_input(struct mbuf **, int *, int);
 int	none_input(struct mbuf **, int *, int);
 
+void	in6_delayed_cksum(struct mbuf *, uint32_t, u_short);
 int	in6_selectsrc(struct sockaddr_in6 *, struct ip6_pktopts *,
 	struct inpcb *inp, struct route_in6 *, struct ucred *cred,
 	struct ifnet **, struct in6_addr *);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 1eb4352..e3b5602 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -335,11 +335,9 @@ do {							\
 		}           						\
 		if ((d) == PF_OUT &&					\
 		    (((s)->rule.ptr->rt == PF_ROUTETO &&		\
-		    (s)->rule.ptr->direction == PF_OUT) ||		\
-		    ((s)->rule.ptr->rt == PF_REPLYTO &&			\
-		    (s)->rule.ptr->direction == PF_IN)) &&		\
-		    (s)->rt_kif != NULL &&				\
-		    (s)->rt_kif != (i))					\
+		    (s)->rule.ptr->direction == PF_OUT)) &&		\
+		    (s)->rt_kif != NULL &&                              \
+		    (s)->rt_kif != (i))                                 \
 			return (PF_PASS);				\
 	} while (0)
 
@@ -5664,7 +5662,12 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
 	else if (r->rt == PF_ROUTETO && r->direction == dir && in_localip(ip->ip_dst))
 		return;
 
-	if (oifp != ifp) {
+	if (s != NULL && r->rt == PF_REPLYTO) {
+		/*
+		 * Send it out since it came from state recorded ifp(rt_addr).
+		 * Routing table lookup might have chosen not correct interface!
+		 */
+	} else if (oifp != ifp) {
 		if (in_broadcast(ip->ip_dst, oifp)) /* XXX: LOCKING of address list?! */
 			return;
 
@@ -5903,7 +5906,12 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
        } else if (r->rt == PF_ROUTETO && r->direction == dir && in6_localaddr(&ip6->ip6_dst))
 	       return;
 
-	if (oifp != ifp) {
+	if (s != NULL && r->rt == PF_REPLYTO) {
+		/*
+		 * Send it out since it came from state recorded ifp(rt_addr).
+		 * Routing table lookup might have chosen not correct interface!
+		 */
+	} else if (oifp != ifp) {
 
 		if (s && r->rt == PF_ROUTETO && pd->nat_rule != NULL &&
 			r->direction == PF_OUT && r->direction == dir && pd->pf_mtag->routed < 2) {
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index dbd92f9..7deaaf5 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -72,6 +72,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
+#include <netinet6/ip6_var.h>
 #include <netinet/ip_icmp.h>
 
 #ifdef INET6
@@ -3690,12 +3691,9 @@ pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
 	int chk;
 
 	/* We need a proper CSUM before we start (s. OpenBSD ip_output) */
-	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
-#ifdef INET
-		/* XXX-BZ copy&paste error from r126261? */
-		in_delayed_cksum(*m);
-#endif
-		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+	if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
+		in6_delayed_cksum(*m, (*m)->m_pkthdr.len - sizeof(struct ip6_hdr), sizeof(struct ip6_hdr));
+		(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
 	}
 	CURVNET_SET(ifp->if_vnet);
 	chk = pf_test6(PF_OUT, ifp, m, inp);