diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2022-06-04 10:38:40 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-06-18 07:29:18 +0000 |
| commit | c5203f7d418db97cc5419a7e1bafa56fdeb26563 (patch) | |
| tree | 720256764d45909965ae449a108318670760d6de | |
| parent | b8ab9651b1e407a372c81e2fb122a33484139949 (diff) | |
| download | src-c5203f7d418db97cc5419a7e1bafa56fdeb26563.tar.gz src-c5203f7d418db97cc5419a7e1bafa56fdeb26563.zip | |
pf: Improve route-to handling of pfsync'd states
When a state if pfsync’d to a different host it doesn’t get all of the
expected pointers, including the pointer to the struct pfi_kif / struct
ifnet rt_kif pointer. (I.e. the interface to route out on).
That in turn means that pf_route() ends up dropping the packet.
Use the rule's struct pfi_kif pointer so we can still route out of the
expected interface.
MFC after: 2 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 81ef217ad428c29be669aac2166d194db31817a7)
| -rw-r--r-- | sys/netpfil/pf/pf.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 3f7370e1cf12..0c5266fbbcb9 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5885,6 +5885,10 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, r->rpool.cur->kif->pfik_ifp : NULL; } else { ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? + r->rpool.cur->kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } if (ifp == oifp) { @@ -5940,6 +5944,9 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; if (ifp == NULL) goto bad; @@ -6070,6 +6077,10 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, r->rpool.cur->kif->pfik_ifp : NULL; } else { ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? + r->rpool.cur->kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } if (ifp == oifp) { @@ -6128,6 +6139,9 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, if (s) PF_STATE_UNLOCK(s); + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; if (ifp == NULL) goto bad; |