upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-11 09:41:03 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pf: Do not short-circuit processing for REPLY_TO

Browse source 
When we find a state for packets that was created by a reply-to rule we
still need to process the packet. The state may require us to modify the
packet (e.g. in rdr or nat cases), which we won't do with the shortcut.

MFC after:	2 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 6d786845cf)
This commit is contained in:
Kristof Provost 2021-04-07 15:46:44 +02:00
parent 8601d1baf1
commit 1a4fc03222
1 changed files with 2 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
sys/netpfil/pf/pf.c
View file

@ -342,10 +342,8 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
if (PACKET_LOOPED(pd)) \
return (PF_PASS); \
if ((d) == PF_OUT && \
(((s)->rule.ptr->rt == PF_ROUTETO && \
(s)->rule.ptr->direction == PF_OUT) || \
((s)->rule.ptr->rt == PF_REPLYTO && \
(s)->rule.ptr->direction == PF_IN)) && \
(s)->rule.ptr->rt == PF_ROUTETO && \
(s)->rule.ptr->direction == PF_OUT && \
(s)->rt_kif != NULL && \
(s)->rt_kif != (i)) \
return (PF_PASS); \