author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-12-05 10:45:49 -0600 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-12-05 10:54:28 -0600 |
commit | 54cf5d1b6607c1e6f2cbf32784c33720517bce49 (patch) | |
tree | 0f0bc812468bf83f2bb6759fed17e2d8d4e80ab3 /sys/netpfil | |
parent | a6d8d2727d0b1f6c635c4a3744592e2eac6a7452 (diff) | |
Improve bridge detection in pf.
This fixes a problem where v6 multicast packets are forwarded instead of bridged.
Kristof is working on a better fix for this whole issue, but meanwhile we are safe with these fixes.
Ticket #5428
Obtained from: kp@FreeBSD.org
Diffstat (limited to 'sys/netpfil')
-rw-r--r-- | sys/netpfil/pf/pf.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index e037298..eed1ac8 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6715,11 +6715,13 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) * We do need to be careful about bridges. If the * net.link.bridge.pfil_bridge sysctl is set we can be filtering on a * bridge, so if the input interface is a bridge member and the output - * interface is its bridge we're not actually forwarding but bridging. + * interface is its bridge or a member of the same bridge we're not + * actually forwarding but bridging. */ - if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif - && (m->m_pkthdr.rcvif->if_bridge == NULL - || m->m_pkthdr.rcvif->if_bridge != ifp->if_softc)) + if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif && + (m->m_pkthdr.rcvif->if_bridge == NULL || + (m->m_pkthdr.rcvif->if_bridge != ifp->if_softc && + m->m_pkthdr.rcvif->if_bridge != ifp->if_bridge))) fwdir = PF_FWD; if (!V_pf_status.running) |
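Review bot: the rewritten condition in pf_test6() still compares `m->m_pkthdr.rcvif->if_bridge` against `ifp->if_softc` without first checking that `ifp` is a bridge interface, so the test depends on no other driver's softc pointer ever being equal to a bridge softc; a check on the interface type before that comparison, or a comment stating the assumption, would make this explicit. The added `m->m_pkthdr.rcvif->if_bridge != ifp->if_bridge` comparison is only safe because the `== NULL` test comes first in the `||`, which keeps two non-member interfaces (both `if_bridge == NULL`) from being treated as members of the same bridge; that ordering deserves a line in the comment block above so a later reshuffle does not break it. The expression now dereferences `m->m_pkthdr.rcvif` five times, and a local `struct ifnet *rcvif = m->m_pkthdr.rcvif;` would make the three-way comparison easier to audit. The commit message describes a v6 multicast problem and the hunk touches only pf_test6(), so it is worth stating in the message whether the IPv4 path needs the same member-to-member case.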