The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d7eacb1531e7d3e8089ec59dd75717038eb18f41

commit d7eacb1531e7d3e8089ec59dd75717038eb18f41
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-03-27 14:47:23 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-03-31 12:56:29 +0000

    pf: simplify action resolution in pf_test_rule()
    
    Rather than looking at state keys after the fact just save the action in the
    nat64 section. This simplifies things and it also ensures we don't use state
    keys after pf_insert_state().
    
    Reviewed by:    glebius, markj
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D49552
---
 sys/netpfil/pf/pf.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 12b4d8c1398b..c75737f688b0 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5491,6 +5491,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
        int                      asd = 0;
        int                      match = 0;
        int                      state_icmp = 0, icmp_dir;
+       int                      action = PF_PASS;
        u_int16_t                virtual_type, virtual_id;
        u_int16_t                bproto_sum = 0, bip_sum = 0;
        u_int8_t                 icmptype = 0, icmpcode = 0;
@@ -5963,7 +5964,6 @@ nextrule:
        if (pd->virtual_proto != PF_VPROTO_FRAGMENT &&
           (!state_icmp && (r->keep_state || nr != NULL ||
            (pd->flags & PFDESC_TCP_NORM)))) {
-               int action;
                bool nat64;
 
                action = pf_create_state(r, nr, a, pd, nk, sk,
@@ -6005,6 +6005,9 @@ nextrule:
                                goto cleanup;
 
                        rewrite += ret;
+
+                       if (rewrite && sk->af != nk->af)
+                               action = PF_AFRT;
                }
        } else {
                while ((ri = SLIST_FIRST(&match_rules))) {
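Review bot: The added test `if (rewrite && sk->af != nk->af)` dereferences `sk` and `nk` without the `sk != NULL && nk != NULL` guards that the removed check at the end of pf_test_rule() carried. Whether both keys are always non-NULL here depends on earlier lines of the nat64 block that this hunk does not show, so the invariant should be stated where it is relied on, for example `KASSERT(sk != NULL && nk != NULL, ("%s: nat64 without state keys", __func__));` directly before the test. If the invariant ever breaks, the result is a kernel NULL dereference on the packet path instead of the old fall-through to PF_PASS. The enclosing block starts outside the hunk.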
@@ -6032,10 +6035,7 @@ nextrule:
                 */
                return (PF_DEFER);
 
-       if (rewrite && sk != NULL && nk != NULL && sk->af != nk->af) {
-               return (PF_AFRT);
-       } else
-               return (PF_PASS);
+       return (action);
 
 cleanup:
        while ((ri = SLIST_FIRST(&match_rules))) {
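Review bot: `return (action);` now gets its value from three places that are far apart: the `PF_PASS` initializer at the declaration, the pf_create_state() result, and the nat64 override. A short comment above the return would make that explicit, for example `/* PF_PASS unless state creation or the nat64 translation above changed it. */`. The removed check could return PF_AFRT from any path that reached this point with both keys set and differing address families, whereas the new code does so only from the nat64 block. The stateless `else` branch is only partly visible here, so it is worth confirming that branch never relied on the old check.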
