author | Luiz Otavio O Souza <luiz@netgate.com> | 2017-01-08 13:17:29 -0600 |
---|---|---|
committer | Luiz Souza <luiz@netgate.com> | 2017-07-17 21:46:27 -0500 |
commit | db510ad553807b1f3c37ed7f55ac752879ff341b (patch) | |
tree | a8bdbde78248b4beacf03dfa5c2e61f32bbe668f | |
parent | 4d41b1d2f5d1b27e2e2cd93e82e59161919f1694 (diff) | |
Packets redirected to ourselves should be flagged with M_FASTFWD_OURS and not M_SKIP_FIREWALL.
Ticket #7050
(cherry picked from commit 994e779f035e9ed49909936d5773f930adfc4075)
-rw-r--r-- | sys/netpfil/pf/pf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 06b67bb..b8ebdc5 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6508,7 +6508,7 @@ done:
 continueprocessing:
 /*
- * connections redirected to loopback should not match sockets
+ * Connections redirected to loopback should match sockets
  * bound specifically to loopback due to security implications,
  * see tcp_input() and in_pcblookup_listen().
  */
@@ -6517,7 +6517,7 @@ continueprocessing:
 (s->nat_rule.ptr->action == PF_RDR ||
 s->nat_rule.ptr->action == PF_BINAT) &&
 (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
- m->m_flags |= M_SKIP_FIREWALL;
+ m->m_flags |= M_FASTFWD_OURS;
 if (action == PF_PASS && r->divert.port && ip_divert_ptr != NULL &&
 !PACKET_LOOPED(&pd)) { |
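Review bot: The reworded comment under `continueprocessing:` drops the word "not" but keeps "due to security implications", so it now gives the old rationale for the opposite behaviour and no longer explains why the flag is set. The comment should instead say what the new flag is for, along the lines of `Flag rdr/binat traffic whose destination was rewritten into 127/8 with M_FASTFWD_OURS so it is delivered to this host; note that this makes loopback-bound listeners reachable through the redirect.` The reference to tcp_input() and in_pcblookup_listen() should stay only if those functions still act on this packet's flags, which is not visible in this hunk.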
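Review bot: Replacing `M_SKIP_FIREWALL` with `M_FASTFWD_OURS` changes two things at once: the packet loses the mark that exempted it from further filtering, and it gains a mark that, as far as I know, makes the IP layer treat it as locally destined. Neither consequence is documented next to `m->m_flags |= M_FASTFWD_OURS;`. The `if` this assignment belongs to starts above the hunk, and the visible part tests only the NAT action and the rewritten IPv4 address. I therefore cannot tell whether it is restricted to inbound packets or to `action == PF_PASS`; if it is not, a short comment should state that setting the flag on the output path and on non-passed packets is intended. Since a service bound only to 127.0.0.1 normally assumes it is unreachable from the network, the rule documentation should also mention that rdr/binat to a loopback address now exposes it.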