diff options
| author | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2018-10-16 22:49:42 +0000 |
|---|---|---|
| committer | Alexandr Nedvedicky <sashan@cvs.openbsd.org> | 2018-10-16 22:49:42 +0000 |
| commit | 35fa376c371aff9f09d3eff46b526412a2af98a8 (patch) | |
| tree | fbbbdaf6ea7f2edcebedeaf5b5cd21057a42c3be | |
| parent | 09402a233a785c4d1001c24e786dd2f821d3be6d (diff) | |
- pf: honor quick on anchor rules
Regression has been introduced in version 1.1024 (a 6.2 time frame).
It's been discovered and reported by Fabian Mueller-Knapp. Fair amount
of credit goes to kn@, benno@ and henning@ for pointing me to releveant
section of pf.conf(5). Fabian and kn@ also did test the patch.
OK kn@, henning@
| -rw-r--r-- | sys/net/pf.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 0bdf90a8d13..4b944842008 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1076 2018/10/04 20:25:59 kn Exp $ */ +/* $OpenBSD: pf.c,v 1.1077 2018/10/16 22:49:41 sashan Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3129,10 +3129,11 @@ pf_step_into_anchor(struct pf_test_ctx *ctx, struct pf_rule *r) } else { rv = pf_match_rule(ctx, &r->anchor->ruleset); /* - * Unless there was an error inside the anchor, - * retain its quick state. + * Unless errors occured, stop iff any rule matched + * within quick anchors. */ - if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK) + if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK && + *ctx->am == r) rv = PF_TEST_QUICK; } |