Differential D52446

pf: Always skip outbound filtering for inbound af-to rules
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Sep 9 2025, 1:20 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, Mar 26, 11:36 AM

	Unknown Object (File)
	Fri, Mar 20, 12:41 PM

	Unknown Object (File)
	Fri, Mar 20, 7:02 AM

	Unknown Object (File)
	Thu, Mar 19, 9:44 PM

	Unknown Object (File)
	Mon, Mar 2, 10:27 PM

	Unknown Object (File)
	Mar 2 2026, 10:47 AM

	Unknown Object (File)
	Feb 27 2026, 8:04 PM

	Unknown Object (File)
	Feb 10 2026, 10:27 PM

View All 39 Files

Subscribers

Details

Reviewers

Commits

rG048b8123ee87: pf: Always skip outbound filtering for inbound af-to rules
rG938ae26ffda8: pf: Always skip outbound filtering for inbound af-to rules

Summary

The af-to rules on inbound direction create a single state spanning both the
inbound and the outbound interface. Calling pf_test() for the outbound
direction in pf_route() makes the packet pass through state search, match
the existing state, never evaluate the ruleset, and increase state counters.

Check that the state comes from an af-to rule in inbound direction, and if
yes, skip outbound testing.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

vegeta_tuxpowered.net created this revision.Sep 9 2025, 1:20 PM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptSep 9 2025, 1:20 PM

vegeta_tuxpowered.net requested review of this revision.Sep 9 2025, 1:20 PM

vegeta_tuxpowered.net added a parent revision: D52445: pf: Fix interface binding for af-to with route-to.Sep 9 2025, 1:23 PM

vegeta_tuxpowered.net added a child revision: D52447: pf: Fix rule and state counters.

kp accepted this revision.Sep 24 2025, 11:31 AM

This revision is now accepted and ready to land.Sep 24 2025, 11:31 AM

Closed by commit rG938ae26ffda8: pf: Always skip outbound filtering for inbound af-to rules (authored by vegeta_tuxpowered.net). · Explain WhySep 28 2025, 5:28 PM

This revision was automatically updated to reflect the committed changes.

vegeta_tuxpowered.net added a commit: rG938ae26ffda8: pf: Always skip outbound filtering for inbound af-to rules.

vegeta_tuxpowered.net added a commit: rG048b8123ee87: pf: Always skip outbound filtering for inbound af-to rules.Oct 1 2025, 4:11 PM

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

pf/

4 lines

tests/

sys/

netpfil/

pf/

12 lines

Diff 162999

sys/netpfil/pf/pf.c

Loading...

tests/sys/netpfil/pf/nat64.sh

Loading...