Author: kp
Date: Sat Jul 14 10:14:59 2018
New Revision: 336275
URL: https://svnweb.freebsd.org/changeset/base/336275

Log:
  pf: Fix synproxy
  
  Synproxy was accidentally broken by r335569. The 'return (action)' must be
  executed for every non-PF_PASS result, but the error packet (TCP RST or ICMP
  error) should only be sent if the packet was dropped (i.e. PF_DROP) and the
  return flag is set.
  
  PR:           229477
  Submitted by: Andre Albsmeier <mail AT fbsd.e4m.org>
  MFC after:    1 week

Modified:
  head/sys/netpfil/pf/pf.c

Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c    Sat Jul 14 09:29:45 2018        (r336274)
+++ head/sys/netpfil/pf/pf.c    Sat Jul 14 10:14:59 2018        (r336275)
@@ -3558,9 +3558,11 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm
                action = pf_create_state(r, nr, a, pd, nsn, nk, sk, m, off,
                    sport, dport, &rewrite, kif, sm, tag, bproto_sum, bip_sum,
                    hdrlen);
-               if (action != PF_PASS && r->rule_flag & PFRULE_RETURN) {
-                       pf_return(r, nr, pd, sk, off, m, th, kif,
-                           bproto_sum, bip_sum, hdrlen, &reason);
+               if (action != PF_PASS) {
+                       if (action == PF_DROP &&
+                           (r->rule_flag & PFRULE_RETURN))
+                               pf_return(r, nr, pd, sk, off, m, th, kif,
+                                   bproto_sum, bip_sum, hdrlen, &reason);
                        return (action);
                }
        } else {
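Review bot: the nested condition deserves a one-line comment explaining why only PF_DROP triggers pf_return(), since the two back-to-back tests on `action` otherwise read like a redundancy and invite someone to fold them back into the r335569 form; something like `/* Send RST/ICMP error only for dropped packets; other non-PASS results (synproxy) just need the early return. */` above `if (action == PF_DROP &&` would do. The split itself is correct for what the log describes: `return (action)` once again covers every non-PF_PASS result from pf_create_state(), while the error packet is limited to PF_DROP with PFRULE_RETURN set, and the added parentheses around `r->rule_flag & PFRULE_RETURN` make the precedence explicit.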
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head