HomeFreeBSD
Diffusion FreeBSD src repository 048b8123ee87

pf: Always skip outbound filtering for inbound af-to rules
048b8123ee87
Actions

Description

pf: Always skip outbound filtering for inbound af-to rules

The af-to rules on inbound direction create a single state spanning both
the inbound and the outbound interface. Calling pf_test() for the
outbound direction in pf_route() makes the packet pass through state
search, match the existing state, never evaluate the ruleset, and increase
state counters.

Check that the state comes from an af-to rule in inbound direction, and
if yes, skip outbound testing.

Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D52446

(cherry picked from commit 938ae26ffda81fd42c235eaa3223dae51331e4eb)

Details

Provenance
vegeta_tuxpowered.netAuthored on Sep 7 2025, 1:59 PM
Reviewer
kp
Differential Revision
D52446: pf: Always skip outbound filtering for inbound af-to rules
Parents
rGf12dba5d1746: pf: Fix interface binding for af-to with route-to
Branches
Unknown
Tags
Unknown

Changes (2)

PathSize
sys/
netpfil/
pf/
tests/
sys/
netpfil/
pf/

rG048b8123ee87

View Options

sys/netpfil/pf/pf.c

Loading...
View Options

tests/sys/netpfil/pf/nat64.sh

Loading...