diff options
| author |   kn <kn@openbsd.org> | 2018-10-04 20:25:59 +0000 |
|---|---|---|
| committer | kn <kn@openbsd.org> | 2018-10-04 20:25:59 +0000 |
| commit | b9014d31ce5fb92146d5a52ee005bc00b05c1297 (patch) | |
| tree | 3f9e6a9d8036521282c5d35bd82acaa8c5c9309a | |
| parent | Call unveil_destroy() from exit1() instead of from the reaper. Fixes a (diff) | |
| download | wireguard-openbsd-b9014d31ce5fb92146d5a52ee005bc00b05c1297.tar.xz wireguard-openbsd-b9014d31ce5fb92146d5a52ee005bc00b05c1297.zip | |
Honor quick on anchor rules
When evaluating the anchor's ruleset, prevent clobbering it's very own
`quick' test result by blindly setting it.
This makes the following pf.conf work as intended (packets would be blocked
since `quick' had no effect):
anchor quick {
pass
}
block
Broken since after 6.1 release as reported by Fabian Mueller-Knapp, thanks!
OK henning sashan
| -rw-r--r-- | sys/net/pf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 76a351278f0..0bdf90a8d13 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1075 2018/09/13 19:53:58 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.1076 2018/10/04 20:25:59 kn Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3128,6 +3128,12 @@ pf_step_into_anchor(struct pf_test_ctx *ctx, struct pf_rule *r) } } else { rv = pf_match_rule(ctx, &r->anchor->ruleset); + /* + * Unless there was an error inside the anchor, + * retain its quick state. + */ + if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK) + rv = PF_TEST_QUICK; } ctx->depth--; |