authorDavid Gwynne <dlg@cvs.openbsd.org>2021-01-28 09:37:21 +0000
committerDavid Gwynne <dlg@cvs.openbsd.org>2021-01-28 09:37:21 +0000
commit6e9a7f7f6ab4c46106b287c9498f36dafbe70bc0 (patch)
tree26a24d1984976150dccf3817a34075e295477bbb
parenta099abb6b3be1bf0dea5fff24845b3b5851fba2a (diff)
handle "once" rules before letting pfsync defer tx of a packet.
pfsync may want to defer the transmission of a packet. it does this so it can try and get a state over to a peer firewall before a host may send a reply to the peer, which would get dropped cos there's no matching state. i think the once rule processing should happen before that. the state is created from the rule, whether the packet the state is for goes out immediately or not shouldn't matter. ok sashan@
-rw-r--r--sys/net/pf.c30
1 files changed, 15 insertions, 15 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 2411456416b..0f07fe93bc9 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1104 2021/01/27 23:53:35 dlg Exp $ */
+/* $OpenBSD: pf.c,v 1.1105 2021/01/28 09:37:20 dlg Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3937,20 +3937,6 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT);
}
-#if NPFSYNC > 0
- if (*sm != NULL && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC) &&
- pd->dir == PF_OUT && pfsync_up()) {
- /*
- * We want the state created, but we dont
- * want to send this in case a partner
- * firewall has to know about it to allow
- * replies through it.
- */
- if (pfsync_defer(*sm, pd->m))
- return (PF_DEFER);
- }
-#endif /* NPFSYNC > 0 */
-
if (r->rule_flag & PFRULE_ONCE) {
u_int32_t rule_flag;
@@ -3967,6 +3953,20 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
}
}
+#if NPFSYNC > 0
+ if (*sm != NULL && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC) &&
+ pd->dir == PF_OUT && pfsync_up()) {
+ /*
+ * We want the state created, but we dont
+ * want to send this in case a partner
+ * firewall has to know about it to allow
+ * replies through it.
+ */
+ if (pfsync_defer(*sm, pd->m))
+ return (PF_DEFER);
+ }
+#endif /* NPFSYNC > 0 */
+
return (action);
cleanup:
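Review bot: The ordering the commit relies on is not visible in the new code: nothing at the `#if NPFSYNC > 0` block says it must stay below the PFRULE_ONCE handling, so a later tidy-up could move it back above `if (r->rule_flag & PFRULE_ONCE)` and silently reintroduce the old path where `return (PF_DEFER)` exits before the once-rule block runs. I'd put the rationale from the commit message next to the block, e.g. `/* Keep this after the PFRULE_ONCE handling: the state is created either way, and deferring the packet must not skip the once-rule processing. */`. While that comment is being touched, `we dont want to send this` would read better as `we don't want to send this yet`. pf_test_rule() starts and ends outside this hunk, and the body of the once-rule block between the two hunks is not shown, so what it does is inferred from the commit message rather than from the visible lines.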