author | luigi <luigi@FreeBSD.org> | 2009-12-27 10:19:10 +0000 |
---|---|---|
committer | luigi <luigi@FreeBSD.org> | 2009-12-27 10:19:10 +0000 |
commit | 19c9e43f091ac957dbd65e6e4026581e442204e4 (patch) | |
tree | dc7b1591b2f0f4d3c83db71a23fa4b5c99c4ea62 /sys/netinet/ipfw | |
parent | 5826e20488112aa7103a784067f9a4c2aaef2714 (diff) | |
diverted packet must re-enter _after_ the matching rule,
or we create loops.
The divert cookie (that can be set from userland too)
contains the matching rule nr, so we must start from nr+1.
Reported by: Joe Marcus Clarke
Diffstat (limited to 'sys/netinet/ipfw')
-rw-r--r-- | sys/netinet/ipfw/ip_fw2.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c index 14fecaf..719ed6c 100644 --- a/sys/netinet/ipfw/ip_fw2.c +++ b/sys/netinet/ipfw/ip_fw2.c @@ -1173,7 +1173,7 @@ do { \ IPFW_RUNLOCK(chain); return (IP_FW_DENY); /* invalid */ } - f_pos = ipfw_find_rule(chain, skipto, 0); + f_pos = ipfw_find_rule(chain, skipto+1, 0); } } /* reset divert rule to avoid confusion later */ |
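Review bot: the changed call `f_pos = ipfw_find_rule(chain, skipto+1, 0);` in the hunk at line 1173 of ip_fw2.c carries no comment explaining the `+1`, so the reason for it lives only in the commit message. A one-line comment above the call, saying that a diverted packet must re-enter after the rule recorded in the cookie to avoid loops, would keep a later cleanup from "fixing" it back. Because the commit message notes that the cookie can be set from userland, it is also worth confirming that the validity check ending in `return (IP_FW_DENY); /* invalid */` just above bounds `skipto` so that `skipto+1` stays within the range `ipfw_find_rule` expects; that check is not visible in this hunk. As a style nit, write the expression as `skipto + 1`, with spaces around the operator.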