pf: Do not short-circuit processing for REPLY_TO
When we find a state for packets that was created by a reply-to rule we
still need to process the packet. The state may require us to modify the
packet (e.g. in rdr or nat cases), which we won't do with the shortcut.
MFC after: 2 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost
parent
ab8d25880e
commit
6d786845cf
@ -342,10 +342,8 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
|
||||
if (PACKET_LOOPED(pd)) \
|
||||
return (PF_PASS); \
|
||||
if ((d) == PF_OUT && \
|
||||
(((s)->rule.ptr->rt == PF_ROUTETO && \
|
||||
(s)->rule.ptr->direction == PF_OUT) || \
|
||||
((s)->rule.ptr->rt == PF_REPLYTO && \
|
||||
(s)->rule.ptr->direction == PF_IN)) && \
|
||||
(s)->rule.ptr->rt == PF_ROUTETO && \
|
||||
(s)->rule.ptr->direction == PF_OUT && \
|
||||
(s)->rt_kif != NULL && \
|
||||
(s)->rt_kif != (i)) \
|
||||
return (PF_PASS); \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user