The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=fe20818673aa9fa33c1abe6262a6f3fc0ef7a5e9
commit fe20818673aa9fa33c1abe6262a6f3fc0ef7a5e9 Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-06-30 09:45:36 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-03 07:16:15 +0000 pf: Honor quick on anchor rules When evaluating the anchor's ruleset, prevent clobbering its very own `quick' test result by blindly setting it. This makes the following pf.conf work as intended (packets would be blocked since `quick' had no effect): anchor quick { pass } block Broken since after 6.1 release as reported by Fabian Mueller-Knapp, thanks! OK henning sashan Obtained from: OpenBSD, kn <k...@openbsd.org>, b9014d31ce Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b24bbe036141..accc811a12ba 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4675,6 +4675,12 @@ pf_step_into_anchor(struct pf_test_ctx *ctx, struct pf_krule *r) } } else { rv = pf_match_rule(ctx, &r->anchor->ruleset); + /* + * Unless there was an error inside the anchor, + * retain its quick state. + */ + if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK) + rv = PF_TEST_QUICK; } ctx->depth--;
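Review bot: In the added condition, `r->quick == PF_TEST_QUICK` compares the rule's quick flag with a constant that the next line assigns to rv as a return code, so the test only holds while the flag's set value and that return code are numerically equal. Testing the flag on its own, as in `if (rv != PF_TEST_FAIL && r->quick)`, would not depend on that. The fix also sits only in the `else` arm; the arm that closes just above `} else {` is not shown in the hunk, so it is worth confirming whether it needs the same treatment for `anchor quick`. The diffstat lists only pf.c, and the pf.conf snippet from the commit message (`anchor quick { pass }` followed by `block`) would make a natural regression test.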