Differential D52446

pf: Always skip outbound filtering for inbound af-to rules
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Sep 9 2025, 1:20 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Sat, Oct 11, 5:22 AM

	Unknown Object (File)
	Sat, Oct 11, 5:22 AM

	Unknown Object (File)
	Sat, Oct 11, 5:22 AM

	Unknown Object (File)
	Fri, Oct 10, 10:09 PM

	Unknown Object (File)
	Fri, Oct 3, 10:04 AM

	Unknown Object (File)
	Tue, Sep 30, 11:02 PM

	Unknown Object (File)
	Sat, Sep 27, 7:20 PM

	Unknown Object (File)
	Fri, Sep 26, 11:42 PM

View All 17 Files

Subscribers

Details

Reviewers

Commits

rG048b8123ee87: pf: Always skip outbound filtering for inbound af-to rules
rG938ae26ffda8: pf: Always skip outbound filtering for inbound af-to rules

Summary

The af-to rules on inbound direction create a single state spanning both the
inbound and the outbound interface. Calling pf_test() for the outbound
direction in pf_route() makes the packet pass through state search, match
the existing state, never evaluate the ruleset, and increase state counters.

Check that the state comes from an af-to rule in inbound direction, and if
yes, skip outbound testing.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

vegeta_tuxpowered.net created this revision.Sep 9 2025, 1:20 PM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptSep 9 2025, 1:20 PM

vegeta_tuxpowered.net requested review of this revision.Sep 9 2025, 1:20 PM

vegeta_tuxpowered.net added a parent revision: D52445: pf: Fix interface binding for af-to with route-to.Sep 9 2025, 1:23 PM

vegeta_tuxpowered.net added a child revision: D52447: pf: Fix rule and state counters.

kp accepted this revision.Wed, Sep 24, 11:31 AM

This revision is now accepted and ready to land.Wed, Sep 24, 11:31 AM

Closed by commit rG938ae26ffda8: pf: Always skip outbound filtering for inbound af-to rules (authored by vegeta_tuxpowered.net). · Explain WhySun, Sep 28, 5:28 PM

This revision was automatically updated to reflect the committed changes.

vegeta_tuxpowered.net added a commit: rG938ae26ffda8: pf: Always skip outbound filtering for inbound af-to rules.

vegeta_tuxpowered.net added a commit: rG048b8123ee87: pf: Always skip outbound filtering for inbound af-to rules.Wed, Oct 1, 4:11 PM

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

pf/

4 lines

tests/

sys/

netpfil/

pf/

12 lines

Diff 162999

sys/netpfil/pf/pf.c

Loading...

tests/sys/netpfil/pf/nat64.sh

Loading...