Date: Thu, 3 Jul 2025 12:01:16 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: fe20818673aa - main - pf: Honor quick on anchor rules
Message-ID: <202507031201.563C1GJt052208@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=fe20818673aa9fa33c1abe6262a6f3fc0ef7a5e9 commit fe20818673aa9fa33c1abe6262a6f3fc0ef7a5e9 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-06-30 09:45:36 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-07-03 07:16:15 +0000 pf: Honor quick on anchor rules When evaluating the anchor's ruleset, prevent clobbering its very own `quick' test result by blindly setting it. This makes the following pf.conf work as intended (packets would be blocked since `quick' had no effect): anchor quick { pass } block Broken since after 6.1 release as reported by Fabian Mueller-Knapp, thanks! OK henning sashan Obtained from: OpenBSD, kn <kn@openbsd.org>, b9014d31ce Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b24bbe036141..accc811a12ba 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4675,6 +4675,12 @@ pf_step_into_anchor(struct pf_test_ctx *ctx, struct pf_krule *r) } } else { rv = pf_match_rule(ctx, &r->anchor->ruleset); + /* + * Unless there was an error inside the anchor, + * retain its quick state. + */ + if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK) + rv = PF_TEST_QUICK; } ctx->depth--;
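Review bot: In the else branch of pf_step_into_anchor(), the added condition `rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK` promotes every non-failing result to PF_TEST_QUICK without checking whether any rule inside the anchor matched the packet. If a `quick` anchor whose rules do not match is meant to fall through to the rules after it (the `block` in the commit message's example), the condition also needs a match check; if stopping unconditionally is intended, the comment should say so, since "retain its quick state" does not make that clear. The test also compares the rule field `r->quick` against PF_TEST_QUICK, the same constant that is assigned to `rv`, so it depends on the rule flag and the return status sharing a value; a plain truth test on `r->quick` would not. The hunk only touches the else branch, and the branch that closes just above it is not visible here, so it is worth confirming whether that path needs the same handling. A regression test built from the pf.conf snippet in the commit message would cover the fix.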