authorKristof Provost <kp@FreeBSD.org>2021-07-14 10:17:03 +0000
committerKristof Provost <kp@FreeBSD.org>2021-07-17 12:28:07 +0000
commit2c0d115bbc8f8ee3f011a5c4a69bcbf58c4b721f (patch)
tree20c65aae53fc02363bc88bf7afb1adfb0554c9d9
parent295f2d939d960e2bdf5c1499da3eb41618be05e6 (diff)
pf: locally originating connections with 'route-to' fail
Similar to the REPLY_TO shortcut (6d786845cf) we also can't shortcut ROUTE_TO. If we do we will fail to apply transformations or update the state, which can lead to premature termination of the connections. PR: 257106 MFC after: 3 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31177
-rw-r--r--sys/netpfil/pf/pf.c6
1 files changed, 0 insertions, 6 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 29b3f6b8d94d..51b26350d0bb 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -346,12 +346,6 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
return (PF_DROP); \
if (PACKET_LOOPED(pd)) \
return (PF_PASS); \
- if ((d) == PF_OUT && \
- (s)->rule.ptr->rt == PF_ROUTETO && \
- (s)->rule.ptr->direction == PF_OUT && \
- (s)->rt_kif != NULL && \
- (s)->rt_kif != (i)) \
- return (PF_PASS); \
} while (0)
#define BOUND_IFACE(r, k) \