authorbluhm <bluhm@openbsd.org>2016-12-28 15:36:15 +0000
committerbluhm <bluhm@openbsd.org>2016-12-28 15:36:15 +0000
commit4f7fcb0b3ce4e811dd2d9eab082ccfc2a9ff43e3 (patch)
tree3ba4da9494e169d181554566adcb0c246f2ee460
parentBetter check for a valid route than for an existing route in pf (diff)
In pf_find_state() pkt_sk was set to NULL if pkt_sk->reverse was
not valid. This did not work as the value of pkt_sk must be used later to establish the link. So discard the packet statekey only if it is invalid itself and use it to establish the reverse link. From Christiano Haesbaert; OK sashan@
-rw-r--r--sys/net/pf.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 5321bfdee96..ebf42702c9c 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1007 2016/12/28 15:19:02 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1008 2016/12/28 15:36:15 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1002,14 +1002,15 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
if (dir == PF_OUT) {
/* first if block deals with outbound forwarded packet */
pkt_sk = m->m_pkthdr.pf.statekey;
- if (pf_state_key_isvalid(pkt_sk) &&
- pf_state_key_isvalid(pkt_sk->reverse)) {
- sk = pkt_sk->reverse;
- } else {
+
+ if (!pf_state_key_isvalid(pkt_sk)) {
pf_pkt_unlink_state_key(m);
pkt_sk = NULL;
}
+ if (pkt_sk && pf_state_key_isvalid(pkt_sk->reverse))
+ sk = pkt_sk->reverse;
+
if (pkt_sk == NULL) {
/* here we deal with local outbound packet */
if (m->m_pkthdr.pf.inp != NULL) {
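Review bot: The new `if (pkt_sk && pf_state_key_isvalid(pkt_sk->reverse))` leaves one case undocumented: a pkt_sk that is itself valid but whose `->reverse` is non-NULL and no longer valid now falls through with `sk` unchanged and the stale reverse pointer still attached to pkt_sk. pf_find_state() starts and ends outside this hunk, so the code that later establishes the link is not visible here; it is worth confirming that it replaces or clears `pkt_sk->reverse` rather than assuming it is NULL, since a pointer to a removed state key that survives this path is the kind of thing that ends in a use-after-free. A comment above the second `if`, for example `/* keep pkt_sk even when its reverse key is gone: it is needed below to establish the reverse link */`, would record why the two checks were split. The existing comment "first if block deals with outbound forwarded packet" now sits above two separate blocks and could be reworded in the same change.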