From a0fbeab2a8ad062da54fea8016ebd64a9760f62a Mon Sep 17 00:00:00 2001 From: kp Date: Sun, 26 Mar 2017 18:11:40 +0000 Subject: MFC 315529 pf: Fix rule evaluation after inet6 route-to In pf_route6() we re-run the ruleset with PF_FWD if the packet goes out of a different interface. pf_test6() needs to know that the packet was forwarded (in case it needs to refragment so it knows whether to call ip6_output() or ip6_forward()). This led pf_test6() to try to evaluate rules against the PF_FWD direction, which isn't supported, so it needs to treat PF_FWD as PF_OUT. Once fwdir is set correctly the correct output/forward function will be called. PR: 217883 Submitted by: Kajetan Staszkiewicz Sponsored by: InnoGames GmbH --- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 2d32b7a..64cea2f 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6259,6 +6259,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) m->m_pkthdr.rcvif->if_bridge != ifp->if_bridge))) fwdir = PF_FWD; + if (dir == PF_FWD) + dir = PF_OUT; + if (!V_pf_status.running) return (PF_PASS); -- cgit v1.1
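Review bot: The new `if (dir == PF_FWD) dir = PF_OUT;` in pf_test6() has no comment, and its position is load-bearing: it has to stay below the `fwdir = PF_FWD;` logic, because once `dir` is overwritten the only record that the packet was forwarded is `fwdir`. Please add a short comment saying that PF_FWD is accepted only as a hint from pf_route6() for choosing ip6_output() versus ip6_forward(), and that rules are always evaluated as PF_OUT, so a later reorder does not reintroduce rule matching against an unsupported direction. Also worth confirming in the full function: the `fwdir = PF_FWD;` assignment visible here is conditional on the rcvif/if_bridge test, and the hunk does not show where `fwdir` otherwise picks up the caller's PF_FWD. If `fwdir` is not initialised from `dir` before this point, a packet passed in with PF_FWD that fails that condition would lose its forwarded status after the remap and take the wrong path when refragmenting.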