svn commit: r201046 - head/sys/netinet/ipfw
Luigi Rizzo
luigi at FreeBSD.org
Sun Dec 27 10:19:11 UTC 2009
Author: luigi
Date: Sun Dec 27 10:19:10 2009
New Revision: 201046
URL: http://svn.freebsd.org/changeset/base/201046
Log:
diverted packet must re-enter _after_ the matching rule,
or we create loops.
The divert cookie (that can be set from userland too)
contains the matching rule nr, so we must start from nr+1.
Reported by: Joe Marcus Clarke
Modified:
head/sys/netinet/ipfw/ip_fw2.c
Modified: head/sys/netinet/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw2.c Sun Dec 27 10:13:31 2009 (r201045)
+++ head/sys/netinet/ipfw/ip_fw2.c Sun Dec 27 10:19:10 2009 (r201046)
@@ -1173,7 +1173,7 @@ do { \
IPFW_RUNLOCK(chain);
return (IP_FW_DENY); /* invalid */
}
- f_pos = ipfw_find_rule(chain, skipto, 0);
+ f_pos = ipfw_find_rule(chain, skipto+1, 0);
}
}
/* reset divert rule to avoid confusion later */
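Review bot: on the changed line, `skipto+1` is derived from the divert cookie, which the log says can be set from userland, and nothing visible in this hunk shows an upper bound being enforced on `skipto` before the increment. Please confirm that the validity test guarding `return (IP_FW_DENY); /* invalid */` rejects the largest value, so that the addition cannot wrap or hand `ipfw_find_rule()` a rule number outside the intended range. The reason for restarting at the rule after the matching one (avoiding re-divert loops) is recorded only in the commit log; a one-line comment above the call would keep a later cleanup from reverting it. Minor style point: write it as `skipto + 1`, with spaces around the operator.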