author | 2003-01-31 19:36:39 +0000 | |
---|---|---|
committer | 2003-01-31 19:36:39 +0000 | |
commit | 2eaab18d1e0368018e2f828d078b71093ffc10b8 (patch) | |
tree | a957212331bb397a4eb5ad5a8e8a0fc451f00da7 | |
parent | Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets, (diff) | |
The fix introduced with 1.294 to solve issues with route-to in
combination with translations was too broad and broke some
more complex setups (creating two states for one connection on
two interfaces, using modulate state for each, and additionally
using route-to/reply-to on one of them), so narrow it to the
cases where it's needed. Reported by henric@.
-rw-r--r-- | sys/net/pf.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index a128a9389f2..408bb73aa82 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.313 2003/01/31 19:22:11 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.314 2003/01/31 19:36:39 dhartmei Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -249,11 +249,12 @@ struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] =
 *state = pf_find_state(&tree_lan_ext, &key); \
 if (*state == NULL) \
 return (PF_DROP); \
- if ((*state)->rule.ptr != NULL && \
+ if (direction == PF_OUT && \
+ (*state)->rule.ptr != NULL && \
 (((*state)->rule.ptr->rt == PF_ROUTETO && \
- (*state)->rule.ptr->direction == direction) || \
+ (*state)->rule.ptr->direction == PF_OUT) || \
 ((*state)->rule.ptr->rt == PF_REPLYTO && \
- (*state)->rule.ptr->direction != direction)) && \
+ (*state)->rule.ptr->direction == PF_IN)) && \
 (*state)->rt_ifp != NULL && \
 (*state)->rt_ifp != ifp) \
 return (PF_PASS); \ |
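Review bot: The early `return (PF_PASS)` that closes this condition in the second hunk is a filter-bypass path with no comment explaining why it is safe. A packet that matched a state returns from the enclosing function before anything after the lookup runs, and that later code is presumably the per-protocol state checks, which are not visible here. Since the narrowed condition is now the only thing deciding which packets skip that code, I would put a comment above the `if`, for example `/* outbound on an interface other than the state's rt_ifp: pass untouched, expected to be filtered again once routed out rt_ifp */ \`, after confirming that the second pass really happens for both the route-to and reply-to cases. It is also worth noting there that the macro reads `direction` and `ifp` from the caller's scope and returns from the caller. The macro's `#define` line and its end are outside the hunk.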