Date:      Mon, 09 Feb 2026 18:04:27 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 4775399b4e87 - stable/15 - pf: Rationalize the ip_divert_ptr test
Message-ID:  <698a21ab.27da6.1df8c3ac@gitrepo.freebsd.org>


The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=4775399b4e87a01f6448a68e8ff13fba8e69876b

commit 4775399b4e87a01f6448a68e8ff13fba8e69876b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-01-26 17:23:33 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-02-09 18:03:43 +0000

    pf: Rationalize the ip_divert_ptr test
    
    If a rule has a divert port set, then we can reasonably predict that
    ipdivert.ko is loaded, and in particular that ip_divert_ptr is set.
    
    Moreover, in this case, if ipdivert.ko is not loaded we should just drop
    the packet instead of ignoring the divert rule.
    
    Reviewed by:    igoro, kp, glebius
    MFC after:      2 weeks
    Sponsored by:   OPNsense
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D54845
    
    (cherry picked from commit 39878d24a690feb4da3fc223649c6a5fd166d09d)
---
 sys/netpfil/pf/pf.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 2cd3ee535b85..dee02d296f1f 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -11232,11 +11232,11 @@ done:
 	    pf_is_loopback(af, pd.dst))
 		pd.m->m_flags |= M_SKIP_FIREWALL;
 
-	if (af == AF_INET && __predict_false(ip_divert_ptr != NULL) &&
-	    action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) {
+	if (af == AF_INET && action == PF_PASS && r->divert.port &&
+	    !PACKET_LOOPED(&pd)) {
 		mtag = m_tag_alloc(MTAG_PF_DIVERT, 0,
 		    sizeof(struct pf_divert_mtag), M_NOWAIT | M_ZERO);
-		if (mtag != NULL) {
+		if (__predict_true(mtag != NULL && ip_divert_ptr != NULL)) {
 			((struct pf_divert_mtag *)(mtag+1))->port =
 			    ntohs(r->divert.port);
 			((struct pf_divert_mtag *)(mtag+1))->idir =
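Review bot: the ip_divert_ptr test now sits after m_tag_alloc(), in `if (__predict_true(mtag != NULL && ip_divert_ptr != NULL))`, so a packet matching a divert rule still costs an M_NOWAIT allocation when ipdivert.ko is absent. If that allocation fails, the `mtag == NULL` branch reports PFRES_MEMORY and the missing module goes unreported. Consider testing ip_divert_ptr before calling m_tag_alloc() so the unloaded case is handled without allocating.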
@@ -11265,15 +11265,20 @@ done:
 			}
 			ip_divert_ptr(*m0, dir == PF_IN);
 			*m0 = NULL;
-
 			return (action);
-		} else {
+		} else if (mtag == NULL) {
 			/* XXX: ipfw has the same behaviour! */
 			action = PF_DROP;
 			REASON_SET(&reason, PFRES_MEMORY);
 			pd.act.log = PF_LOG_FORCE;
 			DPFPRINTF(PF_DEBUG_MISC,
 			    "pf: failed to allocate divert tag");
+		} else {
+			action = PF_DROP;
+			REASON_SET(&reason, PFRES_MATCH);
+			pd.act.log = PF_LOG_FORCE;
+			DPFPRINTF(PF_DEBUG_MISC,
+			    "pf: divert(4) is not loaded");
 		}
 	}
 	/* XXX: Anybody working on it?! */
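Review bot: the new final else branch is reached with mtag != NULL and ip_divert_ptr == NULL, yet nothing in the lines shown releases the tag returned by m_tag_alloc(). Unless it is attached to the mbuf in context not visible here, the branch needs an m_tag_free(mtag) before the drop. A short comment explaining why PFRES_MATCH is the reason code for a missing divert(4) would also help, in the way the neighbouring PFRES_MEMORY branch is annotated.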

