Importing pfSense patch dscp.RELENG_10.diff

1 files changed, 8 insertions, 1 deletions

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index f0147e8..d2faffa 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3257,7 +3257,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
 		/* icmp only. type always 0 in other cases */
 		else if (r->code && r->code != icmpcode + 1)
 			r = TAILQ_NEXT(r, entries);
-		else if (r->tos && !(r->tos == pd->tos))
+		else if ((r->rule_flag & PFRULE_TOS) && r->tos &&
+		    !(r->tos == pd->tos))
+			r = TAILQ_NEXT(r, entries);
+		else if ((r->rule_flag & PFRULE_DSCP) && r->tos &&
+		    !(r->tos == (pd->tos & DSCP_MASK)))
 			r = TAILQ_NEXT(r, entries);
 		else if (r->rule_flag & PFRULE_FRAGMENT)
 			r = TAILQ_NEXT(r, entries);
@@ -3726,6 +3730,9 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif,
 			r = r->skip[PF_SKIP_DST_ADDR].ptr;
 		else if (r->tos && !(r->tos == pd->tos))
 			r = TAILQ_NEXT(r, entries);
+		else if ((r->rule_flag & PFRULE_DSCP) && r->tos &&
+		    !(r->tos == (pd->tos & DSCP_MASK)))
+			r = TAILQ_NEXT(r, entries);
 		else if (r->os_fingerprint != PF_OSFP_ANY)
 			r = TAILQ_NEXT(r, entries);
 		else if (pd->proto == IPPROTO_UDP &&