The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=27407a6adc793bdfaef8a86ece32fb1b461429f0

commit 27407a6adc793bdfaef8a86ece32fb1b461429f0
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2022-05-05 07:21:32 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2022-05-05 07:21:32 +0000

    pf: clear PF_TAG_DUMMYNET for dummynet fast path
    
    ip_dn_io_ptr() (i.e. dummynet_io()) can return the mbuf immediately (as
    opposed to owning it and later passing it through dummynet_send(), which
    returns it to pf_test()). In that case we must clear the PF_TAG_DUMMYNET
    flag to ensure we don't skip any subsequent firewall passes.
    
    This can happen if we process a packet in PFIL_IN, set PF_TAG_DUMMYNET
    on it, pass it to ip_dn_io_ptr() but have it returned immediately. The
    packet continues its normal path, eventually hitting
    pf_test(dir=PFIL_OUT), where we'd skip when we're not supposed to.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 5eee9dcf5b91..b0d8d8c6e017 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7300,6 +7300,8 @@ done:
                                ip_dn_io_ptr(m0, &dnflow);
                                if (*m0 == NULL)
                                        action = PF_DROP;
+                               else
+                                       pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;
                        }
                }
                break;
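Review bot: the new else branch dereferences pd.pf_mtag without a NULL check, which is only safe because PF_TAG_DUMMYNET can have been set earlier in this function only if the tag already existed; a short comment stating that invariant next to `pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;` would save the next reader from re-deriving it. The same comment should say why the flag is cleared only when ip_dn_io_ptr() hands the mbuf straight back: when *m0 is NULL dummynet owns the packet and re-injects it via dummynet_send(), and there the flag has to survive so the re-injected packet is not re-evaluated, whereas the immediately returned packet keeps travelling the normal path and would otherwise skip the later pf_test() pass.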
@@ -7758,6 +7760,8 @@ done:
                                ip_dn_io_ptr(m0, &dnflow);
                                if (*m0 == NULL)
                                        action = PF_DROP;
+                               else
+                                       pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;
                        }
                }
                break;
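Review bot: this is a verbatim copy of the dummynet dispatch block from the earlier hunk (call ip_dn_io_ptr(), set PF_DROP when *m0 is NULL, otherwise clear PF_TAG_DUMMYNET); the two copies have now had to be patched in lockstep, and a missed update in one path would silently reintroduce the skipped-firewall-pass bug this commit fixes. Consider hoisting the block into a small static helper shared by both paths so the flag handling lives in one place.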
