author     Henning Brauer <henning@cvs.openbsd.org>   2012-10-19 15:56:41 +0000
committer  Henning Brauer <henning@cvs.openbsd.org>   2012-10-19 15:56:41 +0000
commit     84ae5359af48359f0b7e0247e7fe77ac4e5fe291
tree       1fbb027fc0da0b9ba9a4a1020d5faeeef3554d6c /sbin
parent     e7bbccd33f45612b2a7eec33133a95d65b884485
rtableid must be BREAK instead of MERGE, otherwise the optimizer might
reorder rules incorrectly, i.e.:
pass rtable 2
pass from 10/16 rtable 0
pass from 10.1/16 rtable 1
so with this ruleset a packet from 10/16 will end up in rtable 0.
now let's see what pfctl makes out of it, with default optimization:
<brahe@tachi> pfctl $ pfctl -nvf t.conf
pass inet from 10.0.0.0/16 to any flags S/SA rtable 0
pass inet from 10.1.0.0/16 to any flags S/SA rtable 1
pass all flags S/SA rtable 2
Oops! a packet from 10/16 will end up in rtable 2 now.
found by phessler, fix by yours truly, from EuroBSDcon
ok beck phessler benno mikeb sthen
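Added illustration, not part of this commit or of pfctl: a toy Python model of pf's last-match evaluation and of the optimizer's superblock reordering, run over the three-rule set from the message above. Rules are only reordered inside a run of consecutive rules whose BREAK fields agree, so classifying rtableid as BREAK keeps the three rules in their written order, while treating it as a field the optimizer may reorder across moves "pass all" last and sends 10/16 traffic to rtable 2. The in-superblock sort key (specific source networks first, "any" last) is an assumption chosen to reproduce the pfctl -nvf order shown; the real optimizer sorts on skip steps. Field and function names are mine.

```python
# Added illustration (not pfctl code): toy model of pf's last-match
# evaluation and of pfctl's superblock reordering, showing why rtableid
# has to be a BREAK field.  The sort used inside a superblock is an
# assumption that reproduces the order pfctl printed; the real optimizer
# sorts on skip steps.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # source network in CIDR notation, or "any"
    rtableid: int   # routing table the packet is handed to (the action)

    def matches(self, addr: str) -> bool:
        if self.src == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.src)

    def __str__(self) -> str:
        src = "all" if self.src == "any" else f"from {self.src}"
        return f"pass {src} rtable {self.rtableid}"


# The ruleset from the commit message, with 10/16 written out in full.
RULESET = [
    Rule("any", 2),
    Rule("10.0.0.0/16", 0),
    Rule("10.1.0.0/16", 1),
]


def evaluate(rules, addr: str):
    """pf semantics: the last matching rule wins (no 'quick' rules here)."""
    winner = None
    for r in rules:
        if r.matches(addr):
            winner = r
    return winner


def superblocks(rules, break_fields):
    """Split the ruleset into runs of consecutive rules whose BREAK fields
    are all equal.  The optimizer only reorders rules inside one run."""
    blocks = []
    for r in rules:
        key = tuple(getattr(r, f) for f in break_fields)
        if blocks and blocks[-1][0] == key:
            blocks[-1][1].append(r)
        else:
            blocks.append((key, [r]))
    return [block for _, block in blocks]


def optimize(rules, break_fields):
    """Reorder each superblock: specific source networks first, "any" last.
    Assumed sort key; it yields the same order pfctl -nvf printed."""
    out = []
    for block in superblocks(rules, break_fields):
        out.extend(sorted(block, key=lambda r: (r.src == "any", r.src)))
    return out


def rtable_for(addr: str, break_fields) -> int:
    """rtable a packet from addr lands in after optimizing RULESET with
    the given list of BREAK fields."""
    return evaluate(optimize(RULESET, break_fields), addr).rtableid


if __name__ == "__main__":
    # () models the old NOMERGE classification (optimizer may reorder across
    # rtableid); ("rtableid",) models the fix.
    for label, fields in (("rtableid NOMERGE", ()), ("rtableid BREAK", ("rtableid",))):
        print(f"--- {label}")
        for r in optimize(RULESET, fields):
            print(r)
        for addr in ("10.0.5.1", "10.1.5.1", "192.0.2.1"):
            print(f"{addr:>10} -> rtable {rtable_for(addr, fields)}")
```

With the empty BREAK list the three rules form one superblock and come out as 10.0.0.0/16, 10.1.0.0/16, all, so a 10.0.5.1 packet matches both the /16 rule and the final "pass all" and takes rtable 2. With rtableid in the BREAK list every rule is its own superblock, the order is untouched and the packet stays in rtable 0.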
Diffstat (limited to 'sbin')
 -rw-r--r--  sbin/pfctl/pfctl_optimize.c | 4
 1 file changed, 2 insertions, 2 deletions
diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c index 79b94a5141c..0e5fde90415 100644 --- a/sbin/pfctl/pfctl_optimize.c +++ b/sbin/pfctl/pfctl_optimize.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_optimize.c,v 1.31 2011/12/19 23:26:16 mikeb Exp $ */ +/* $OpenBSD: pfctl_optimize.c,v 1.32 2012/10/19 15:56:40 henning Exp $ */ /* * Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org> @@ -138,6 +138,7 @@ struct pf_rule_field { PF_RULE_FIELD(nat, BREAK), PF_RULE_FIELD(logif, BREAK), PF_RULE_FIELD(route, BREAK), + PF_RULE_FIELD(rtableid, BREAK), /* * Any fields not listed in this structure act as BREAK fields @@ -173,7 +174,6 @@ struct pf_rule_field { PF_RULE_FIELD(dst.port_op, NOMERGE), PF_RULE_FIELD(src.neg, NOMERGE), PF_RULE_FIELD(dst.neg, NOMERGE), - PF_RULE_FIELD(rtableid, NOMERGE), PF_RULE_FIELD(onrdomain, NOMERGE), PF_RULE_FIELD(naf, NOMERGE), |
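Review bot: the new `PF_RULE_FIELD(rtableid, BREAK),` entry in the first hunk (after the route entry) carries no comment, and the comment right below it says that fields not listed in the structure act as BREAK anyway, so a later reader will not see why the explicit entry matters or what stops someone from moving it back. Suggest a one-line comment on the new entry, e.g. `PF_RULE_FIELD(rtableid, BREAK), /* selects the packet's rtable: part of the action, rules must not be reordered across it */`, so the reasoning from the commit message survives in the file.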
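Review bot: the entry removed in the second hunk reads `PF_RULE_FIELD(rtableid, NOMERGE),`, while the commit message says "BREAK instead of MERGE"; the message should name NOMERGE so the log matches the table it changes. It would also help to state, either in the log or in a comment near the remaining NOMERGE entries (`onrdomain`, `naf`), the rule this fix relies on: NOMERGE only forbids merging and still lets the optimizer reorder rules within a superblock, so a field that changes what happens to the packet rather than what the rule matches belongs in the BREAK list.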