git: 592b4f93632a - stable/12 - pf: Improve route-to handling of pfsync'd states
Date: Sat, 18 Jun 2022 13:08:07 UTC
The branch stable/12 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=592b4f93632aa1e0bfd9f28ccfd4ab46ecc99bf4
commit 592b4f93632aa1e0bfd9f28ccfd4ab46ecc99bf4
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-06-04 10:38:40 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-18 07:29:56 +0000
pf: Improve route-to handling of pfsync'd states
When a state is pfsync’d to a different host it doesn’t get all of the
expected pointers, including the pointer to the struct pfi_kif / struct
ifnet rt_kif pointer. (I.e. the interface to route out on).
That in turn means that pf_route() ends up dropping the packet.
Use the rule's struct pfi_kif pointer so we can still route out of the
expected interface.
MFC after: 2 weeks
Sponsored by: Orange Business Services
(cherry picked from commit 81ef217ad428c29be669aac2166d194db31817a7)
---
sys/netpfil/pf/pf.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 906a32fbac2d..452abcb5723a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6052,6 +6052,9 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
PF_STATE_UNLOCK(s);
}
+ /* If pfsync'd */
+ if (ifp == NULL)
+ ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
if (ifp == NULL)
goto bad;
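Review bot: The fallback `ifp = r->rpool.cur->kif ? ...` dereferences `r->rpool.cur` without a NULL check, and it runs after `PF_STATE_UNLOCK(s)`, so nothing visible in this hunk shows that the pool entry is valid or stable at this point. Consider guarding on `r->rpool.cur != NULL`, or note in the comment which lock protects the rule's pool here. Judging by its name, `rpool.cur` is the pool's current entry rather than a value recorded with the state, so with a pool of more than one entry the interface picked here may differ from the one the originating host selected; the `/* If pfsync'd */` comment should say that and why the rule's kif is an acceptable substitute.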
@@ -6221,6 +6224,9 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
if (s)
PF_STATE_UNLOCK(s);
+ /* If pfsync'd */
+ if (ifp == NULL)
+ ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
if (ifp == NULL)
goto bad;
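Review bot: The three lines added to pf_route6() are a verbatim copy of the ones added to pf_route(); a small shared helper that returns the rule's pool interface or NULL would keep the IPv4 and IPv6 paths from drifting apart. The `ifp == NULL` test also cannot tell a pfsync'd state apart from any other reason ifp is still NULL at this point, so the comment would be more accurate as something like "no interface from the state (e.g. state received via pfsync), fall back to the rule's" than "If pfsync'd".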