authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-10-07 12:39:30 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-10-07 12:39:30 +0000
commitb645be9b9e878ea84b8e1cff2de6be4795a17150 (patch)
tree521258aaf80c699ad6b0f8c87971050d96f9833e /sys/net
parentdbdfe3f4d5fda1eb9eac60002f6ffc57ae808203 (diff)
Add 'reply-to' to filter rules, similar to route-to, but applying to
replies (packets that flow in the opposite direction of the packet that created state), used for symmetric routing enforcement. Document how route-to and reply-to work in context of stateful filtering.
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/pf.c6
-rw-r--r--sys/net/pfvar.h4
2 files changed, 5 insertions, 5 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 379725adc1f..783f211b40a 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.247 2002/10/05 21:17:57 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.248 2002/10/07 12:39:29 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3631,7 +3631,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp)
if (m0 == NULL)
return;
} else {
- if (r->direction != dir)
+ if ((r->rt == PF_REPLYTO) == (r->direction == dir))
return;
m0 = *m;
}
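Review bot: The new guard `if ((r->rt == PF_REPLYTO) == (r->direction == dir))` is logically right (route-to keeps its old "only in the rule's direction" behaviour, reply-to inverts it) but reads as a boolean XNOR, which is easy to misread the next time this function is touched; a one-line comment above it would help, e.g. `/* route-to applies to packets in the rule's direction, reply-to to those in the opposite (reply) direction */`. The identical line is added in pf_route6 in the following hunk, so the comment belongs in both places, or the test could be lifted into a small `static inline` helper so the two IPv4/IPv6 paths cannot drift apart. Both pf_route and pf_route6 start and end outside these hunks, so I cannot see how the preceding `if` branch (presumably the dup-to copy path) treats PF_REPLYTO, nor whether other code that dispatches on `r->rt` (rule validation, pfctl output) was updated for the new enumerator; the diffstat here is limited to sys/net, so that is worth confirming in the rest of the change set.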
@@ -3770,7 +3770,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp)
if (m0 == NULL)
return;
} else {
- if (r->direction != dir)
+ if ((r->rt == PF_REPLYTO) == (r->direction == dir))
return;
m0 = *m;
}
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 8da6466f27b..62b5c342f40 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.90 2002/10/05 21:17:57 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.91 2002/10/07 12:39:29 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -51,7 +51,7 @@ enum { PFTM_TCP_FIRST_PACKET=0, PFTM_TCP_OPENING=1, PFTM_TCP_ESTABLISHED=2,
PFTM_ICMP_FIRST_PACKET=9, PFTM_ICMP_ERROR_REPLY=10,
PFTM_OTHER_FIRST_PACKET=11, PFTM_OTHER_SINGLE=12,
PFTM_OTHER_MULTIPLE=13, PFTM_FRAG=14, PFTM_INTERVAL=15, PFTM_MAX=16 };
-enum { PF_FASTROUTE=1, PF_ROUTETO=2, PF_DUPTO=3 };
+enum { PF_FASTROUTE=1, PF_ROUTETO=2, PF_DUPTO=3, PF_REPLYTO=4 };
enum { PF_LIMIT_STATES=0, PF_LIMIT_FRAGS=1, PF_LIMIT_MAX=2 };
struct pf_addr {