author | Henning Brauer <henning@cvs.openbsd.org> | 2009-02-18 20:06:24 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2009-02-18 20:06:24 +0000 |
commit | c8950135f474f5f07268639d601ec25c9037e14f (patch) | |
tree | b7a5cf59548c7601c9805e4bde74e3880bac4bd4 /sys | |
parent | d4d2f97c31d3f2dff59019347c65a6a40ff78f0a (diff) |
bring back the NAT NOP fix, but this time right.
when we want to pretend pf_get_translation didn't do anything we must
get rid of _both_ state keys and reset all 4 sk pointers to NULL and
not leave one key behind and have all 4 pointers point to it - that must
fail. tested dhill sthen, david agrees, deraadt ok
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf_lb.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c index 0ddc950e9f6..b826f6a3556 100644 --- a/sys/net/pf_lb.c +++ b/sys/net/pf_lb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_lb.c,v 1.2 2009/02/12 02:13:15 sthen Exp $ */ +/* $OpenBSD: pf_lb.c,v 1.3 2009/02/18 20:06:23 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -678,6 +678,16 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, int direction, default: return (NULL); } + /* + * Translation was a NOP. + * Pretend there was no match. + */ + if (!bcmp(*skp, *nkp, sizeof(struct pf_state_key_cmp))) { + pool_put(&pf_state_key_pl, *nkp); + pool_put(&pf_state_key_pl, *skp); + *skw = *sks = *nkp = *skp = NULL; + return (NULL); + } } return (r); |
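Review bot: In the `@@ -678,6 +678,16 @@` hunk of `pf_get_translation`, the new comment says only "Translation was a NOP. Pretend there was no match." and leaves out why both keys are returned to `pf_state_key_pl` and why all four of `*skw`, `*sks`, `*nkp` and `*skp` are cleared. That reasoning currently lives only in the commit message, and it is exactly what the earlier attempt got wrong, so it belongs next to the code. The `bcmp(*skp, *nkp, ...)` call also dereferences both pointers unconditionally, and the two `pool_put` calls assume `*skp` and `*nkp` are distinct allocations. The visible lines do not show where the keys are set up, so please either state in the comment that both are non-NULL and distinct at this point, or add a guard before the compare so that a NULL key or an aliased pair cannot reach the double `pool_put`.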