Date:      Sun, 27 Dec 2009 10:19:11 +0000 (UTC)
From:      Luigi Rizzo <luigi@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r201046 - head/sys/netinet/ipfw
Message-ID:  <200912271019.nBRAJBI4052234@svn.freebsd.org>

Author: luigi
Date: Sun Dec 27 10:19:10 2009
New Revision: 201046
URL: http://svn.freebsd.org/changeset/base/201046

Log:
  diverted packet must re-enter _after_ the matching rule,
  or we create loops.
  The divert cookie (that can be set from userland too)
  contains the matching rule nr, so we must start from nr+1.
  
  Reported by: Joe Marcus Clarke

Modified:
  head/sys/netinet/ipfw/ip_fw2.c

Modified: head/sys/netinet/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netinet/ipfw/ip_fw2.c	Sun Dec 27 10:13:31 2009	(r201045)
+++ head/sys/netinet/ipfw/ip_fw2.c	Sun Dec 27 10:19:10 2009	(r201046)
@@ -1173,7 +1173,7 @@ do {								\
 				IPFW_RUNLOCK(chain);
 				return (IP_FW_DENY); /* invalid */
 			}
-			f_pos = ipfw_find_rule(chain, skipto, 0);
+			f_pos = ipfw_find_rule(chain, skipto+1, 0);
 		}
 	}
 	/* reset divert rule to avoid confusion later */
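
Review bot: the new skipto+1 argument to ipfw_find_rule() carries no comment, so the reason for the offset (re-entering at the matching rule itself would loop) is recorded only in the commit log; a one-line comment above the call, such as "re-enter after the matching rule to avoid loops", would keep it from being "fixed" back later. Because the log says the divert cookie can be set from userland, please also confirm that the invalid-cookie check just above (its condition is outside this hunk) bounds skipto so that skipto+1 cannot wrap its type. Style nit: style(9) asks for spaces around binary operators, so this should read skipto + 1.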


