From a81f5112a002196936eacabfc7ab173ce8a5630a Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Wed, 26 Apr 2023 15:12:30 +0200 Subject: [PATCH] pf: clear PF_TAG_ROUTE_TO for dummynet fast path Similar to the PF_TAG_DUMMYNET we must also clear the route tag if dummynet didn't keep the packet. In that case we'd continue immediately and there'd be no need for the route tag. Keeping it could lead to unexpected routing of traffic. See also: 27407a6adc793bdfaef8a86ece32fb1b461429f0 See also: https://redmine.pfsense.org/issues/14055 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 5eebd44c297d..a8da800dd814 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7076,8 +7076,10 @@ pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s, if (pf_pdesc_to_dnflow(dir, pd, r, s, &dnflow)) { pd->pf_mtag->flags |= PF_TAG_DUMMYNET; ip_dn_io_ptr(m0, &dnflow); - if (*m0 != NULL) + if (*m0 != NULL) { + pd->pf_mtag->flags &= ~PF_TAG_ROUTE_TO; pd->pf_mtag->flags &= ~PF_TAG_DUMMYNET; + } } }
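Review bot: The new `pd->pf_mtag->flags &= ~PF_TAG_ROUTE_TO;` inside the `if (*m0 != NULL)` block carries no comment saying why the route tag is dropped on this path, and the hunk only shows PF_TAG_DUMMYNET being set just above it, not PF_TAG_ROUTE_TO. A short comment at that line, taken from the commit message (dummynet did not keep the packet, processing continues immediately, so the route tag is no longer needed), would keep the reasoning next to the code. The two clears could also be a single statement, `pd->pf_mtag->flags &= ~(PF_TAG_ROUTE_TO | PF_TAG_DUMMYNET);`, so a later edit cannot clear one flag without the other. The diffstat shows only pf.c changing; since the commit message says a stale tag could lead to unexpected routing of traffic, a regression test for a rule that combines dummynet with route-to would be worth adding with this fix.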