To implement transparent relays for connectionless protocols, the

pf the state has to vanish immediately when the relay closes the
socket.  To make this work reliably, the linkage between state and
socket must be established with the first packet.  This packet could
be incomming or outgoing.
Link the pf state in the socket layer earlier.  This makes all tests
in /usr/src/regress/sys/net/pf_divert pass.
OK henning@

1 files changed, 6 insertions, 1 deletions

diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 71403e3e4d3..dde15506391 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: raw_ip6.c,v 1.69 2014/10/14 09:55:44 mpi Exp $	*/
+/*	$OpenBSD: raw_ip6.c,v 1.70 2014/11/09 22:05:08 bluhm Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $	*/
 
 /*
@@ -469,6 +469,11 @@ rip6_output(struct mbuf *m, ...)
 	/* force routing table */
 	m->m_pkthdr.ph_rtableid = in6p->inp_rtableid;
 
+#if NPF > 0
+	if (in6p->inp_socket->so_state & SS_ISCONNECTED)
+		m->m_pkthdr.pf.inp = in6p;
+#endif
+
 	error = ip6_output(m, optp, &in6p->inp_route6, flags,
 	    in6p->inp_moptions6, &oifp, in6p);
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {