diff options
| author | kp <kp@FreeBSD.org> | 2017-03-26 18:11:40 +0000 |
|---|---|---|
| committer | kp <kp@FreeBSD.org> | 2017-03-26 18:11:40 +0000 |
| commit | a0fbeab2a8ad062da54fea8016ebd64a9760f62a (patch) | |
| tree | 8628833f31783ebadbcf9219e477b00d44c604c5 | |
| parent | 4be21fbbcf3d04ffd327955cf2de3dcdc2ae0bf9 (diff) | |
| download | FreeBSD-src-a0fbeab2a8ad062da54fea8016ebd64a9760f62a.zip FreeBSD-src-a0fbeab2a8ad062da54fea8016ebd64a9760f62a.tar.gz | |
MFC 315529
pf: Fix rule evaluation after inet6 route-to
In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out
of a different interface. pf_test6() needs to know that the packet was
forwarded (in case it needs to refragment so it knows whether to call
ip6_output() or ip6_forward()).
This lead pf_test6() to try to evaluate rules against the PF_FWD
direction, which isn't supported, so it needs to treat PF_FWD as PF_OUT.
Once fwdir is set correctly the correct output/forward function will be
called.
PR: 217883
Submitted by: Kajetan Staszkiewicz
Sponsored by: InnoGames GmbH
| -rw-r--r-- | sys/netpfil/pf/pf.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2d32b7a..64cea2f 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6259,6 +6259,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) m->m_pkthdr.rcvif->if_bridge != ifp->if_bridge))) fwdir = PF_FWD; + if (dir == PF_FWD) + dir = PF_OUT; + if (!V_pf_status.running) return (PF_PASS); |
