From c202673480ce60c9d08dcd83e1aecb53dcf67f2a Mon Sep 17 00:00:00 2001 From: dlg Date: Fri, 23 Apr 2021 03:29:24 +0000 Subject: [PATCH] only skip pf once for packets that are injected by a divert-packet socket. when a divert socket gets a packet from userland to send back through the kernel, it marks it as diverted so pf knows not to divert it back to userland again. this marking stuck to the packet though, so if it went through pf again (eg, on the way out of the network stack) pf would skip it again. this is undesirable if you want pf to do things to the packet on this outgoing hope, such as nat. this has pf clear the mark once it's been used, which allows the next run of a packet through pf to have stuff work on it. found by some people at parta networks. ok sashan@ lteo@ bluhm@ bluhm@ also suggested keeping my diff in the same style as the rest of pf.c --- sys/net/pf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/net/pf.c b/sys/net/pf.c index 28aa6157552..12d05976f0b 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.1114 2021/03/10 10:21:48 jsg Exp $ */ +/* $OpenBSD: pf.c,v 1.1115 2021/04/23 03:29:24 dlg Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -6844,8 +6844,10 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0) if ((*m0)->m_pkthdr.pf.flags & PF_TAG_GENERATED) return (PF_PASS); - if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET) + if ((*m0)->m_pkthdr.pf.flags & PF_TAG_DIVERTED_PACKET) { + (*m0)->m_pkthdr.pf.flags &= ~PF_TAG_DIVERTED_PACKET; return (PF_PASS); + } if ((*m0)->m_pkthdr.pf.flags & PF_TAG_REFRAGMENTED) { (*m0)->m_pkthdr.pf.flags &= ~PF_TAG_REFRAGMENTED; -- 2.20.1