authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-06-07 20:59:21 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-06-07 20:59:21 +0000
commit064be17a48468aaa650aebe1bc33a09a89bcd6f1 (patch)
treeaf64178df3bf3d906d21d388c13dd5bab9d50dc3 /sys
parent6e182d0ae4a1556480510af12c280802af461a0e (diff)
Call pf_test() from pf_route() to filter (and translate) routed packets,
too. Use mbuf tag to prevent loops. Suggested by Darren Reed. ok frantzen@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c31
1 files changed, 30 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 9b4ed90613b..88f17d3d62c 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.214 2002/06/07 18:45:59 pb Exp $ */
+/* $OpenBSD: pf.c,v 1.215 2002/06/07 20:59:20 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -5215,6 +5215,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir)
struct sockaddr_in *dst;
struct ip *ip;
struct ifnet *ifp = r->rt_ifp;
+ struct m_tag *mtag;
int hlen;
int error = 0;
@@ -5258,6 +5259,20 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir)
if (ifp == NULL)
goto bad;
+ mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL);
+ if (mtag == NULL) {
+ if (pf_test(PF_OUT, ifp, &m0) != PF_PASS)
+ goto bad;
+ else if (m0 == NULL)
+ goto done;
+ else {
+ mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT);
+ if (mtag == NULL)
+ goto bad;
+ m_tag_prepend(m0, mtag);
+ }
+ }
+
/* Copied from ip_output. */
if ((u_int16_t)ip->ip_len <= ifp->if_mtu) {
ip->ip_len = htons((u_int16_t)ip->ip_len);
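Review bot: The `ip` pointer is still dereferenced right after the new block (`ip->ip_len <= ifp->if_mtu`), but pf_test() is handed `&m0` and can replace or consume the chain (the new `m0 == NULL` branch shows it can), so a header pointer computed before the call may be stale or dangling once the call passes; re-derive it after the block with `ip = mtod(m0, struct ip *);` before the `/* Copied from ip_output. */` comment. A second point is ordering: the PACKET_TAG_PF_ROUTED tag is prepended only after pf_test() returns, so if a route-to rule matches inside that nested pf_test() and re-enters pf_route(), the tag is not present yet and the loop guard does not fire; prepending the tag before the call would close that window, though whether pf_test() recurses this way cannot be confirmed from the hunk. pf_route()'s body begins before and continues past this hunk.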
@@ -5371,6 +5386,20 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir)
if (ifp == NULL)
goto bad;
+ mtag = m_tag_find(m0, PACKET_TAG_PF_ROUTED, NULL);
+ if (mtag == NULL) {
+ if (pf_test(PF_OUT, ifp, &m0) != PF_PASS)
+ goto bad;
+ else if (m0 == NULL)
+ goto done;
+ else {
+ mtag = m_tag_get(PACKET_TAG_PF_ROUTED, 0, M_NOWAIT);
+ if (mtag == NULL)
+ goto bad;
+ m_tag_prepend(m0, mtag);
+ }
+ }
+
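Review bot: This block is a line-for-line copy of the one added to pf_route(), and the same hazard applies: any IPv6 header pointer computed from m0 earlier in pf_route6() is stale once pf_test() has been given `&m0`, so it should be re-read after the block (`ip6 = mtod(m0, struct ip6_hdr *);`) if such a pointer exists — the hunk does not show one. Since the 14 lines are duplicated verbatim, a `static` helper taking `struct ifnet *ifp, struct mbuf **m0` and returning pass / consumed / bad would keep both callers in sync when the tag handling changes. No `struct m_tag *mtag` declaration is added for pf_route6() in this diff, so it presumably already exists there. pf_route6()'s body begins before and continues past this hunk.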
/*
* Do not fragment packets (yet). Not much is done here for dealing
* with errors. Actions on errors depend on whether the packet