diff options
| author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-10-07 12:39:30 +0000 |
|---|---|---|
| committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-10-07 12:39:30 +0000 |
| commit | b645be9b9e878ea84b8e1cff2de6be4795a17150 (patch) | |
| tree | 521258aaf80c699ad6b0f8c87971050d96f9833e /sys/net/pf.c | |
| parent | dbdfe3f4d5fda1eb9eac60002f6ffc57ae808203 (diff) | |
Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that
created state), used for symmetric routing enforcement.
Document how route-to and reply-to work in context of stateful filtering.
Diffstat (limited to 'sys/net/pf.c')
| -rw-r--r-- | sys/net/pf.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 379725adc1f..783f211b40a 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.247 2002/10/05 21:17:57 dhartmei Exp $ */ +/* $OpenBSD: pf.c,v 1.248 2002/10/07 12:39:29 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3631,7 +3631,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp) if (m0 == NULL) return; } else { - if (r->direction != dir) + if ((r->rt == PF_REPLYTO) == (r->direction == dir)) return; m0 = *m; } @@ -3770,7 +3770,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp) if (m0 == NULL) return; } else { - if (r->direction != dir) + if ((r->rt == PF_REPLYTO) == (r->direction == dir)) return; m0 = *m; } |