Merge branch 'stable/10' into devel

author: Renato Botelho <renato@netgate.com> 2015-09-11 15:21:16 -0300
committer: Renato Botelho <renato@netgate.com> 2015-09-11 15:21:16 -0300
commit: 8400c0790e456038fbca4995d032d4e3d44c3d31 (patch)
tree: f83f0b852f452a91d21059a9a70ff02f129eafa6 /sys/netpfil
parent: b05262eae8651c5f280c6fadf2e22f70af66d6ca (diff)
parent: 6561e98b4c105596a44efb53466ecf8be2a3bbf3 (diff)
download: FreeBSD-src-8400c0790e456038fbca4995d032d4e3d44c3d31.zip
FreeBSD-src-8400c0790e456038fbca4995d032d4e3d44c3d31.tar.gz
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index be603b7..4a809c8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6653,7 +6653,17 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
 
 	M_ASSERTPKTHDR(m);
 
-	if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif)
+	/* Detect packet forwarding.
+	 * If the input interface is different from the output interface we're
+	 * forwarding.
+	 * We do need to be careful about bridges. If the
+	 * net.link.bridge.pfil_bridge sysctl is set we can be filtering on a
+	 * bridge, so if the input interface is a bridge member and the output
+	 * interface is its bridge we're not actually forwarding but bridging.
+	 */
+	if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif
+	    && (m->m_pkthdr.rcvif->if_bridge == NULL
+	        || m->m_pkthdr.rcvif->if_bridge != ifp->if_softc))
 		fwdir = PF_FWD;
 
 	if (!V_pf_status.running)
author	Renato Botelho <renato@netgate.com>	2015-09-11 15:21:16 -0300
committer	Renato Botelho <renato@netgate.com>	2015-09-11 15:21:16 -0300
commit	8400c0790e456038fbca4995d032d4e3d44c3d31 (patch)
tree	f83f0b852f452a91d21059a9a70ff02f129eafa6 /sys/netpfil
parent	b05262eae8651c5f280c6fadf2e22f70af66d6ca (diff)
parent	6561e98b4c105596a44efb53466ecf8be2a3bbf3 (diff)
download	FreeBSD-src-8400c0790e456038fbca4995d032d4e3d44c3d31.zip FreeBSD-src-8400c0790e456038fbca4995d032d4e3d44c3d31.tar.gz