On Tue, Aug 30, 2011 at 01:18:12PM +0200, Henning Brauer wrote: > --- pf.c 30 Aug 2011 00:40:47 -0000 1.771 > +++ pf.c 30 Aug 2011 11:14:19 -0000 > @@ -2762,9 +2762,6 @@ pf_test_rule(struct pf_rule **rm, struct > u_int16_t virtual_type, virtual_id; > u_int8_t icmptype = 0, icmpcode = 0; > > - PF_ACPY(&pd->nsaddr, pd->src, pd->af); > - PF_ACPY(&pd->ndaddr, pd->dst, pd->af); > - > bzero(&act, sizeof(act)); > act.prio[0] = act.prio[1] = PF_PRIO_NOTSET; > bzero(sns, sizeof(sns));
When pf_test_rule() is called for fragments that have not been reassembled, the address copy is not done anymore. I think pf_setup_pdesc() should not call pf_test_rule() at all and just fill the pd struct. But that is more work so I would suggest to copy the PF_ACPY() to the handle fragments that aren't reassembled by normalization. bluhm
