
pf: carry over rule actions from route-to rules

Description

pf: carry over rule actions from route-to rules

If we route-to (or dup-to/reply-to) we re-run pf_test(), which will also
create states for the connection.
This means that we may end up matching a different (i.e. not the state
that was created by the route-to rule) state, without the attributes
(such as dummynet pipes/queues) set by the route-to rule.

Address this by inheriting the pf_rule_actions from the route-to rule
while evaluating the connection again in pf_test(). That is, we set
default pf_rule_actions based on the route-to rule for the new
evaluation. The new rule may still overrule these, but if it does not
have such actions the route-to actions are applied.

Do the same for IPv6 rules in pf_test6()/pf_route6().

See also: https://redmine.pfsense.org/issues/14039
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D40340
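The carry-over described in the commit message, as a simplified user-space model added here for illustration. It is not pf's code: the struct layout, field names and `evaluate()` are hypothetical, and the rules are constructed sample data.

```c
#include <stdio.h>

/* Simplified stand-in for pf's rule actions; field names are hypothetical. */
struct actions {
	int dnpipe;	/* 0 = not set by the rule */
	int dnqueue;	/* 0 = not set by the rule */
};

struct rule {
	const char *label;
	struct actions act;
};

/*
 * Model of the second evaluation after route-to. Start from `defaults`
 * (NULL models the old behaviour, where nothing was carried over), then
 * let the newly matched rule overrule any action it sets itself.
 */
struct actions
evaluate(const struct rule *matched, const struct actions *defaults)
{
	struct actions out = { 0, 0 };

	if (defaults != NULL)
		out = *defaults;
	if (matched->act.dnpipe != 0)
		out.dnpipe = matched->act.dnpipe;
	if (matched->act.dnqueue != 0)
		out.dnqueue = matched->act.dnqueue;
	return (out);
}

int
main(void)
{
	/* Constructed rules: the route-to rule sets a pipe, "plain" sets none. */
	struct rule route_to = { "route-to, pipe 1", { 1, 0 } };
	struct rule plain = { "no actions", { 0, 0 } };
	struct rule shaped = { "pipe 2", { 2, 0 } };
	struct actions first = evaluate(&route_to, NULL);

	printf("no carry-over: pipe %d\n", evaluate(&plain, NULL).dnpipe);
	printf("carry-over:    pipe %d\n", evaluate(&plain, &first).dnpipe);
	printf("overruled:     pipe %d\n", evaluate(&shaped, &first).dnpipe);
	return (0);
}
```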

Details

Provenance
kp authored on May 30 2023, 7:17 PM
Differential Revision
D40340: pf: carry over rule actions from route-to rules
Parents
rGcaf98b9d13b6: dumpon: Request the OpenSSL 1.1 API