diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2021-04-07 13:46:44 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2021-04-07 15:03:17 +0000 |
| commit | 6d786845cf63c8bf57174e3e43b0b5c5eca75be3 (patch) | |
| tree | a00a014d7f92d7e7a2eeea66896dbd3f3f23fdc2 /sys/netpfil | |
| parent | ab8d25880ebc9ddca1ae6af938680036349edf3f (diff) | |
| download | src-6d786845cf63c8bf57174e3e43b0b5c5eca75be3.tar.gz src-6d786845cf63c8bf57174e3e43b0b5c5eca75be3.zip | |
pf: Do not short-circuit processing for REPLY_TO
When we find a state for packets that was created by a reply-to rule we
still need to process the packet. The state may require us to modify the
packet (e.g. in rdr or nat cases), which we won't do with the shortcut.
MFC after: 2 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Diffstat (limited to 'sys/netpfil')
| -rw-r--r-- | sys/netpfil/pf/pf.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 4b11122df544..e4bc6447b0d1 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -342,10 +342,8 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]); if (PACKET_LOOPED(pd)) \ return (PF_PASS); \ if ((d) == PF_OUT && \ - (((s)->rule.ptr->rt == PF_ROUTETO && \ - (s)->rule.ptr->direction == PF_OUT) || \ - ((s)->rule.ptr->rt == PF_REPLYTO && \ - (s)->rule.ptr->direction == PF_IN)) && \ + (s)->rule.ptr->rt == PF_ROUTETO && \ + (s)->rule.ptr->direction == PF_OUT && \ (s)->rt_kif != NULL && \ (s)->rt_kif != (i)) \ return (PF_PASS); \ |