diff options
| author | Henning Brauer <henning@cvs.openbsd.org> | 2010-09-21 10:43:42 +0000 |
|---|---|---|
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2010-09-21 10:43:42 +0000 |
| commit | 101487b6bab01e760bf0c45b91a26c323a0823db (patch) | |
| tree | 17613ab24da12916986a9be71fa4c10700b202bf /sys/net | |
| parent | 97da8df34f94fe1896635f5b0ba161c64f79d3f3 (diff) | |
after ruleset eval is done, we must apply actions from the last matching
pass or block rule, not the last matching rule. triggered by pr6401.
this means that, for example, a rdr-to on a pass rule can override an
rdr-to on a match rule that comes later in the ruleset. but that's the
semantics: for block and pass rules, the last matching one wins, aka
actions are applied after we're done with ruleset eval, and match rules'
actions are applied on the fly. discussion with dlg and claudio, ok dlg ryan
Diffstat (limited to 'sys/net')
| -rw-r--r-- | sys/net/pf.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index e5607fb4c3c..aaae1766766 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.701 2010/09/21 10:37:33 henning Exp $ */ +/* $OpenBSD: pf.c,v 1.702 2010/09/21 10:43:41 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2969,10 +2969,10 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction, a = *am; ruleset = *rsm; - /* apply actions for last matching rule */ - if (lastr && lastr->action != PF_MATCH) { - pf_rule_to_actions(lastr, &act); - if (pf_get_transaddr(lastr, pd, sns) == -1) { + /* apply actions for last matching pass/block rule */ + if (r) { + pf_rule_to_actions(r, &act); + if (pf_get_transaddr(r, pd, sns) == -1) { REASON_SET(&reason, PFRES_MEMORY); goto cleanup; } |