author: Kristof Provost <kp@FreeBSD.org> 2022-05-05 07:21:32 +0000
committer: Kristof Provost <kp@FreeBSD.org> 2022-05-05 07:21:32 +0000
commit: 27407a6adc793bdfaef8a86ece32fb1b461429f0 (patch)
tree: 5da76264c71b27e9091dc4c167777a014d352ffa
parent: a85fea31c5cb8ed8f1f5ac9ec3572866ff0ea49d (diff)
pf: clear PF_TAG_DUMMYNET for dummynet fast path
ip_dn_io_ptr() (i.e. dummynet_io()) can return the mbuf immediately (as opposed to owning it and later passing it through dummynet_send(), which returns it to pf_test()). In that case we must clear the PF_TAG_DUMMYNET flag to ensure we don't skip any subsequent firewall passes.

This can happen if we process a packet in PFIL_IN, set PF_TAG_DUMMYNET on it, pass it to ip_dn_io_ptr() but have it returned immediately. The packet continues its normal path, eventually hitting pf_test(dir=PFIL_OUT), where we'd skip when we're not supposed to.

Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r-- sys/netpfil/pf/pf.c | 4
1 file changed, 4 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 5eee9dcf5b91..b0d8d8c6e017 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7300,6 +7300,8 @@ done:
ip_dn_io_ptr(m0, &dnflow);
if (*m0 == NULL)
action = PF_DROP;
+ else
+ pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;
}
}
break;
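Review bot: the new `else` branch dereferences `pd.pf_mtag` without a comment explaining why the pointer is guaranteed non-NULL here and why the flag must be cleared at this point; a one-line comment above the `else` such as `/* dummynet returned the mbuf synchronously; clear the tag so later pf_test() passes are not skipped */` would record the reasoning from the commit message next to the code, since a reader of this hunk alone only sees `ip_dn_io_ptr(m0, &dnflow)` followed by a NULL check on `*m0`.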
@@ -7758,6 +7760,8 @@ done:
ip_dn_io_ptr(m0, &dnflow);
if (*m0 == NULL)
action = PF_DROP;
+ else
+ pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;
}
}
break;
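Review bot: this `else` / `pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;` block is byte-for-byte identical to the one added around line 7300 in the first hunk, and both sit directly after the same `ip_dn_io_ptr(m0, &dnflow); if (*m0 == NULL) action = PF_DROP;` sequence; consider factoring the call-plus-cleanup into a small shared helper so a future fix to one dummynet path (for example another flag that needs resetting when the mbuf is returned immediately) cannot be applied to only one of the two copies.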