Date:      Sat, 21 Jul 2018 07:00:22 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r336575 - stable/11/sys/netpfil/pf
Message-ID:  <201807210700.w6L70Mwc009576@repo.freebsd.org>

Author: kp
Date: Sat Jul 21 07:00:21 2018
New Revision: 336575
URL: https://svnweb.freebsd.org/changeset/base/336575

Log:
  MFC r336275:
  
  pf: Fix synproxy
  
  Synproxy was accidentally broken by r335569. The 'return (action)' must be
  executed for every non-PF_PASS result, but the error packet (TCP RST or ICMP
  error) should only be sent if the packet was dropped (i.e. PF_DROP) and the
  return flag is set.
  
  PR:		229477
  Submitted by:	Andre Albsmeier <mail AT fbsd.e4m.org>

Modified:
  stable/11/sys/netpfil/pf/pf.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netpfil/pf/pf.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf.c	Sat Jul 21 02:14:13 2018	(r336574)
+++ stable/11/sys/netpfil/pf/pf.c	Sat Jul 21 07:00:21 2018	(r336575)
@@ -3544,9 +3544,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm
 		action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
 		    sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
 		    hdrlen);
-		if (action != PF_PASS && r->rule_flag & PFRULE_RETURN) {
-			pf_return(r, nr, pd, sk, off, m, th, kif,
-			    bproto_sum, bip_sum, hdrlen, &reason);
+		if (action != PF_PASS) {
+			if (action == PF_DROP &&
+			    (r->rule_flag & PFRULE_RETURN))
+				pf_return(r, nr, pd, sk, off, m, th, kif,
+				    bproto_sum, bip_sum, hdrlen, &reason);
 			return (action);
 		}
 	} else {
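Review bot: The inner `if (action == PF_DROP && (r->rule_flag & PFRULE_RETURN))` should carry a short comment recording why the drop check was split out from the outer `action != PF_PASS` test; r335569 collapsed exactly this distinction and broke synproxy, and nothing in the code tells the next reader that the other non-pass results pf_create_state() can return must fall through to `return (action)` without pf_return() emitting a TCP RST or ICMP error. A line such as `/* Only send RST/ICMP error on a real drop; other non-pass actions just return. */` above the inner if would make the regression harder to reintroduce. The added parentheses around `r->rule_flag & PFRULE_RETURN` are a welcome precedence cleanup over the removed line.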
