diff options
| author |   sashan <sashan@openbsd.org> | 2018-10-16 22:49:41 +0000 |
|---|---|---|
| committer | sashan <sashan@openbsd.org> | 2018-10-16 22:49:41 +0000 |
| commit | 7e89334d42869d2b2b968ecb23a77e0856af243b (patch) | |
| tree | d8f073f0ffe942fb727829552bb13706f829af5f /sys/net/pf.c | |
| parent | More fixes from David Fifield: (diff) | |
| download | wireguard-openbsd-7e89334d42869d2b2b968ecb23a77e0856af243b.tar.xz wireguard-openbsd-7e89334d42869d2b2b968ecb23a77e0856af243b.zip | |
- pf: honor quick on anchor rules
Regression has been introduced in version 1.1024 (a 6.2 time frame).
It's been discovered and reported by Fabian Mueller-Knapp. Fair amount
of credit goes to kn@, benno@ and henning@ for pointing me to releveant
section of pf.conf(5). Fabian and kn@ also did test the patch.
OK kn@, henning@
Diffstat (limited to 'sys/net/pf.c')
| -rw-r--r-- | sys/net/pf.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 0bdf90a8d13..4b944842008 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1076 2018/10/04 20:25:59 kn Exp $ */ +/* $OpenBSD: pf.c,v 1.1077 2018/10/16 22:49:41 sashan Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -3129,10 +3129,11 @@ pf_step_into_anchor(struct pf_test_ctx *ctx, struct pf_rule *r) } else { rv = pf_match_rule(ctx, &r->anchor->ruleset); /* - * Unless there was an error inside the anchor, - * retain its quick state. + * Unless errors occured, stop iff any rule matched + * within quick anchors. */ - if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK) + if (rv != PF_TEST_FAIL && r->quick == PF_TEST_QUICK && + *ctx->am == r) rv = PF_TEST_QUICK; } |