
pf: carry over rule actions from route-to rules

Authored by kp on May 30 2023, 7:28 PM.



If we route-to (or dup-to/reply-to) we re-run pf_test(), which will also
create states for the connection.
This means that we may end up matching a different (i.e. not the state
that was created by the route-to rule) state, without the attributes
(such as dummynet pipes/queues) set by the route-to rule.

Address this by inheriting the pf_rule_actions from the route-to rule
while evaluating the connection again in pf_test(). That is, we set
default pf_rule_actions based on the route-to rule for the new
evaluation. The new rule may still overrule these, but if it does not
have such actions the route-to actions are applied.

Do the same for IPv6 rules in pf_test6()/pf_route6().

See also:
Sponsored by: Rubicon Communications, LLC ("Netgate")
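A simplified model of the inheritance described in the commit message, added here as an illustration and not taken from the FreeBSD source. The struct, the function `evaluate()`, the sample rules and the "0 means not set" convention are assumptions made for the example.

```c
/* Added model; struct and function names are hypothetical, not pf's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct actions {          /* stand-in for pf_rule_actions; 0 means "not set" */
    uint16_t dnpipe;      /* dummynet pipe number */
    uint16_t qid;         /* queue id */
};

struct rule { const char *label; struct actions act; };

/* Constructed sample rules. */
static const struct rule route_to_rule = { "route-to, dnpipe 1", { 1, 0 } };
static const struct rule plain_rule    = { "pass out, queue 5",  { 0, 5 } };
static const struct rule override_rule = { "pass out, dnpipe 7", { 7, 0 } };

/*
 * Second evaluation after route-to. 'inherited' holds the route-to rule's
 * actions, or NULL to model the behaviour before the change (empty defaults).
 * The rule matched on this pass overrides only the fields it sets.
 */
struct actions
evaluate(const struct rule *matched, const struct actions *inherited)
{
    struct actions a = { 0, 0 };

    if (inherited != NULL)
        a = *inherited;               /* defaults come from the route-to rule */
    if (matched != NULL) {
        if (matched->act.dnpipe != 0)
            a.dnpipe = matched->act.dnpipe;
        if (matched->act.qid != 0)
            a.qid = matched->act.qid;
    }
    return a;
}

int
main(void)
{
    struct actions before = evaluate(&plain_rule, NULL);
    struct actions after = evaluate(&plain_rule, &route_to_rule.act);
    struct actions over = evaluate(&override_rule, &route_to_rule.act);

    printf("no inheritance: dnpipe=%u qid=%u\n", before.dnpipe, before.qid);
    printf("inherited:      dnpipe=%u qid=%u\n", after.dnpipe, after.qid);
    printf("overridden:     dnpipe=%u qid=%u\n", over.dnpipe, over.qid);
    return 0;
}
```

In the first case the pipe assigned by the route-to rule is lost, so traffic matching the second state would not be shaped by it.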

Diff Detail

rG FreeBSD src repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

kp requested review of this revision. May 30 2023, 7:28 PM
This revision was not accepted when it landed; it landed in state Needs Review. Jun 2 2023, 2:56 PM
This revision was automatically updated to reflect the committed changes.