diff options
| -rw-r--r-- | sys/net/pf.c | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 2411456416b..0f07fe93bc9 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1104 2021/01/27 23:53:35 dlg Exp $ */ +/* $OpenBSD: pf.c,v 1.1105 2021/01/28 09:37:20 dlg Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3937,20 +3937,6 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, m_copyback(pd->m, pd->off, pd->hdrlen, &pd->hdr, M_NOWAIT); } -#if NPFSYNC > 0 - if (*sm != NULL && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC) && - pd->dir == PF_OUT && pfsync_up()) { - /* - * We want the state created, but we dont - * want to send this in case a partner - * firewall has to know about it to allow - * replies through it. - */ - if (pfsync_defer(*sm, pd->m)) - return (PF_DEFER); - } -#endif /* NPFSYNC > 0 */ - if (r->rule_flag & PFRULE_ONCE) { u_int32_t rule_flag; @@ -3967,6 +3953,20 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm, } } +#if NPFSYNC > 0 + if (*sm != NULL && !ISSET((*sm)->state_flags, PFSTATE_NOSYNC) && + pd->dir == PF_OUT && pfsync_up()) { + /* + * We want the state created, but we dont + * want to send this in case a partner + * firewall has to know about it to allow + * replies through it. + */ + if (pfsync_defer(*sm, pd->m)) + return (PF_DEFER); + } +#endif /* NPFSYNC > 0 */ + return (action); cleanup: |