git: b168cac06613 - main - pf: honor quick on anchor rules
Date: Fri, 04 Jul 2025 09:22:34 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=b168cac06613733c56e59edc6afc8388d60e203e
commit b168cac06613733c56e59edc6afc8388d60e203e
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-06-30 12:31:24 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-04 08:31:10 +0000
pf: honor quick on anchor rules
Regression has been introduced in version 1.1024 (a 6.2 time frame).
It's been discovered and reported by Fabian Mueller-Knapp. Fair amount
of credit goes to kn@, benno@ and henning@ for pointing me to relevant
section of pf.conf(5). Fabian and kn@ also did test the patch.
OK kn@, henning@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 7e89334d42
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index accc811a12ba..04f9f7a9d67d 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -4676,10 +4676,11 @@ pf_step_into_anchor(struct pf_test_ctx *ctx, struct pf_krule *r)
} else {
rv = pf_match_rule(ctx, &r->anchor->ruleset);
/*
- * Unless there was an error inside the anchor,
- * retain its quick state.
+ * Unless errors occured, stop iff any rule matched
+ * within quick anchors.
*/
- if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK)
+ if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK &&
+ *ctx->am == r)
rv = PF_TEST_QUICK;
}
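Review bot: The added `*ctx->am == r` test in the condition dereferences ctx->am, and nothing in this hunk shows that it is non-NULL here or that it cannot still hold a value left over from before pf_match_rule() was called on r->anchor->ruleset. Since the whole fix rests on that comparison meaning "a rule inside this anchor matched", the comment should say so explicitly (which code sets *ctx->am to the anchor rule, and when), or the invariant should be asserted. Two smaller points: the new comment spells "occurred" as "occured", and the diffstat lists only sys/netpfil/pf/pf.c, so a regression test covering a quick anchor whose ruleset matches nothing would keep this from breaking again.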