From e3e03bc159e39793621bebd16795b633bb960dd3 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Thu, 23 Jan 2020 22:13:41 +0000
Subject: [PATCH] pf: Apply kif flags to new group members

If we have a 'set skip on ' rule this flag it set on the group kif, but must also be set on all members. pfctl does this when the rules are set, but if groups are added afterwards we must also apply the flags to the new member. If not, new group members will not be skipped until the rules are reloaded.

Reported by: dvl@
Reviewed by: glebius@
Differential Revision: https://reviews.freebsd.org/D23254
---
 sys/netpfil/pf/pf_if.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index 62653c87712..98033991670 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -477,7 +477,9 @@ static void
 pfi_kif_update(struct pfi_kif *kif)
 {
 	struct ifg_list *ifgl;
+	struct ifg_member *ifgm;
 	struct pfi_dynaddr *p;
+	struct pfi_kif *tmpkif;
 
 	NET_EPOCH_ASSERT();
 	PF_RULES_WASSERT();
@@ -486,6 +488,18 @@ pfi_kif_update(struct pfi_kif *kif)
 	TAILQ_FOREACH(p, &kif->pfik_dynaddrs, entry)
 		pfi_dynaddr_update(p);
 
+	/* Apply group flags to new members. */
+	if (kif->pfik_group != NULL) {
+		CK_STAILQ_FOREACH(ifgm, &kif->pfik_group->ifg_members,
+		    ifgm_next) {
+			tmpkif = (struct pfi_kif *)ifgm->ifgm_ifp->if_pf_kif;
+			if (tmpkif == NULL)
+				continue;
+
+			tmpkif->pfik_flags |= kif->pfik_flags;
+		}
+	}
+
 	/* again for all groups kif is member of */
 	if (kif->pfik_ifp != NULL) {
 		CK_STAILQ_FOREACH(ifgl, &kif->pfik_ifp->if_groups, ifgl_next)
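Review bot: The new member loop ORs the group kif's entire `pfik_flags` word into each member rather than only the bit that `set skip` sets, so if `pfik_flags` can carry bits other than `PFI_IFLAG_SKIP` on the group kif those are propagated too; masking, `tmpkif->pfik_flags |= kif->pfik_flags & PFI_IFLAG_SKIP;`, would limit the propagation to what the commit message describes (confirm against the flag definitions in pfvar.h, which are not in the hunk). The loop is also strictly additive: it never clears a bit a member already has, so once a skip flag is removed from the group a member keeps it until some other path clears member flags, and a stale skip bit on a member means traffic on that interface bypasses filtering; this asymmetry is worth stating in the comment, e.g. `/* Apply group flags to new members. Bits are only added here; nothing in this loop clears a member's existing flags. */`. The `(struct pfi_kif *)` cast on `if_pf_kif` is redundant if that field is `void *`, though keeping it matches the surrounding file's style. pfi_kif_update's body continues past the end of the hunk.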