On Mon, Nov 14, 2016 at 16:38 +0100, Alexander Bluhm wrote: > Hi, > > The !r->rt case is only used by af-to. pf_route6() calls ip6_output() > to do the work while pf_route() has some custom implementation for > that. It is simpler to call ip_output() or ip6_output() from > pf_test() directly. > > ok? > > bluhm > > Index: net/pf.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v > retrieving revision 1.998 > diff -u -p -r1.998 pf.c > --- net/pf.c 14 Nov 2016 13:25:00 -0000 1.998 > +++ net/pf.c 14 Nov 2016 14:08:57 -0000 > @@ -6908,10 +6884,28 @@ done: > action = PF_DROP; > break; > } > - if (pd.naf == AF_INET) > - pf_route(&pd, r, s); > - if (pd.naf == AF_INET6) > - pf_route6(&pd, r, s); > + if (r->rt) { > + switch (pd.naf) { > + case AF_INET: > + pf_route(&pd, r, s); > + break; > + case AF_INET6: > + pf_route6(&pd, r, s); > + break; > + } > + }
Is the r->rt check there to catch additional dup-to/route-to actions hooked on to the af-to rule? Does it actually work? > + if (pd.m) { > + pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; > + switch (pd.naf) { > + case AF_INET: > + ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0); > + break; > + case AF_INET6: > + ip6_output(pd.m, NULL, NULL, 0, NULL, NULL); > + break; > + } > + pd.m = NULL; > + } > action = PF_PASS; > break; > #endif /* INET6 */ >
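Review bot: In the added `if (pd.m)` block, the `switch (pd.naf)` has no `default` case, yet `pd.m = NULL;` runs unconditionally after it, so for any `pd.naf` other than AF_INET or AF_INET6 the mbuf pointer is dropped without being sent or freed. Consider a `default:` that frees the mbuf (for example with `m_freem(pd.m)`) and sets `action = PF_DROP`, or an assertion if that value cannot occur on this path. The return values of `ip_output()` and `ip6_output()` are also discarded while `action = PF_PASS` is set regardless; a short comment saying that this is intended would help. Finally, when `r->rt` is set, the new block runs right after `pf_route()`/`pf_route6()`, so it is only safe if those functions leave `pd.m` NULL once they have consumed the packet. The hunk does not show that, and it is worth a comment above `if (pd.m)`.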