From 1a636228d4f25fc453ef65bab0cc177c1563273f Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Mon, 18 Nov 2013 20:30:05 +0000
Subject: The prio value of a pf match rule was overridden by a later pass rule even if the latter had no prio flag. Fix match rules with prio to work as expected. Found by Roman Kravchuk; reported and tested by Alexey Suslikov; OK henning@
---
 sys/net/pf.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'sys/net')
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 368eb03ffcb..cf66f928649 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.861 2013/11/16 00:36:01 chl Exp $ */
+/* $OpenBSD: pf.c,v 1.862 2013/11/18 20:30:04 bluhm Exp $ */

 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -3110,8 +3110,10 @@ pf_rule_to_actions(struct pf_rule *r, struct pf_rule_actions *a)
 a->max_mss = r->max_mss;
 a->flags |= (r->scrub_flags & (PFSTATE_NODF|PFSTATE_RANDOMID|
 PFSTATE_SETTOS|PFSTATE_SCRUB_TCP|PFSTATE_SETPRIO));
- a->set_prio[0] = r->set_prio[0];
- a->set_prio[1] = r->set_prio[1];
+ if (r->scrub_flags & PFSTATE_SETPRIO) {
+ a->set_prio[0] = r->set_prio[0];
+ a->set_prio[1] = r->set_prio[1];
+ }
 }

 #define PF_TEST_ATTRIB(t, a) \
--
cgit v1.2.3
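Review bot: The new `if (r->scrub_flags & PFSTATE_SETPRIO)` guard around the two `set_prio` copies in the second hunk carries no comment, and the reason for it is easy to lose in a later cleanup. The line just above ORs the rule's flags into `a->flags`, so `a` appears to accumulate actions over several rules, and an unguarded copy lets a rule that sets no prio overwrite the value an earlier match rule chose while `PFSTATE_SETPRIO` stays set in `a->flags`. I would add `/* keep the prio of an earlier match rule unless this rule sets its own */` directly above the `if`. pf_rule_to_actions() starts outside the hunk, so whether the other copied fields are guarded the same way cannot be checked from here and is worth confirming. Since the effect is a silent change in how a ruleset is enforced, a regression case with a match rule that sets prio followed by a pass rule that does not would keep this from coming back.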