git: 4775399b4e87 - stable/15 - pf: Rationalize the ip_divert_ptr test

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Mark Johnston <markj_at_FreeBSD.org>
Date: Mon, 09 Feb 2026 18:04:27 UTC
The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=4775399b4e87a01f6448a68e8ff13fba8e69876b

commit 4775399b4e87a01f6448a68e8ff13fba8e69876b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-01-26 17:23:33 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-02-09 18:03:43 +0000

    pf: Rationalize the ip_divert_ptr test
    
    If a rule has a divert port set, then we can reasonably predict that
    ipdivert.ko is loaded, and in particular that ip_divert_ptr is set.
    
    Moreover, in this case, if ipdivert.ko is not loaded we should just drop
    the packet instead of ignoring the divert rule.
    
    Reviewed by:    igoro, kp, glebius
    MFC after:      2 weeks
    Sponsored by:   OPNsense
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D54845
    
    (cherry picked from commit 39878d24a690feb4da3fc223649c6a5fd166d09d)
---
 sys/netpfil/pf/pf.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 2cd3ee535b85..dee02d296f1f 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -11232,11 +11232,11 @@ done:
 	    pf_is_loopback(af, pd.dst))
 		pd.m->m_flags |= M_SKIP_FIREWALL;
 
-	if (af == AF_INET && __predict_false(ip_divert_ptr != NULL) &&
-	    action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) {
+	if (af == AF_INET && action == PF_PASS && r->divert.port &&
+	    !PACKET_LOOPED(&pd)) {
 		mtag = m_tag_alloc(MTAG_PF_DIVERT, 0,
 		    sizeof(struct pf_divert_mtag), M_NOWAIT | M_ZERO);
-		if (mtag != NULL) {
+		if (__predict_true(mtag != NULL && ip_divert_ptr != NULL)) {
 			((struct pf_divert_mtag *)(mtag+1))->port =
 			    ntohs(r->divert.port);
 			((struct pf_divert_mtag *)(mtag+1))->idir =
@@ -11265,15 +11265,20 @@ done:
 			}
 			ip_divert_ptr(*m0, dir == PF_IN);
 			*m0 = NULL;
-
 			return (action);
-		} else {
+		} else if (mtag == NULL) {
 			/* XXX: ipfw has the same behaviour! */
 			action = PF_DROP;
 			REASON_SET(&reason, PFRES_MEMORY);
 			pd.act.log = PF_LOG_FORCE;
 			DPFPRINTF(PF_DEBUG_MISC,
 			    "pf: failed to allocate divert tag");
+		} else {
+			action = PF_DROP;
+			REASON_SET(&reason, PFRES_MATCH);
+			pd.act.log = PF_LOG_FORCE;
+			DPFPRINTF(PF_DEBUG_MISC,
+			    "pf: divert(4) is not loaded");
 		}
 	}
 	/* XXX: Anybody working on it?! */