Like really!
OK?
Sanity checked by blambert.
diff --git sys/net/pf.c sys/net/pf.c
index d4cb67c..2ba04d5 100644
--- sys/net/pf.c
+++ sys/net/pf.c
@@ -4488,21 +4488,16 @@ pf_test_state_icmp(struct pf_pdesc *pd, struct pf_state
**state,
* Search for an ICMP state.
*/
ret = pf_icmp_state_lookup(pd, &key, state,
virtual_id, virtual_type, icmp_dir, &iidx,
0, 0);
- if (ret >= 0) {
- if (ret == PF_DROP && pd->af == AF_INET6 &&
- icmp_dir == PF_OUT) {
- ret = pf_icmp_state_lookup(pd, &key, state,
- virtual_id, virtual_type, icmp_dir, &iidx,
- 1, 0);
- if (ret >= 0)
- return (ret);
- } else
- return (ret);
- }
+ /* IPv6? try matching a multicast address */
+ if (ret == PF_DROP && pd->af == AF_INET6 && icmp_dir == PF_OUT)
+ ret = pf_icmp_state_lookup(pd, &key, state, virtual_id,
+ virtual_type, icmp_dir, &iidx, 1, 0);
+ if (ret >= 0)
+ return (ret);
(*state)->expire = time_uptime;
(*state)->timeout = PFTM_ICMP_ERROR_REPLY;
/* translate source/destination address, if necessary */
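Review bot: The added comment `/* IPv6? try matching a multicast address */` does not say why the retry exists, why it is limited to `icmp_dir == PF_OUT`, or that the bare `1` in the eighth argument is what relaxes the lookup. Because this second lookup widens which state an ICMPv6 packet can match, I would state the intent and the limit, e.g. `/* strict lookup failed: for PF_OUT-direction ICMPv6 only, retry with the multicast flag set */`, and name the two trailing flag arguments once. The flattened `if (ret >= 0) return (ret);` matches the removed nesting only while `PF_DROP` is non-negative and a negative return means "state found, keep going", which the `(*state)->expire` line below depends on. A one-line comment such as `/* ret < 0: state found, *state is valid */` would make that contract visible; pf_icmp_state_lookup() itself is not shown here, so confirm it. The same points apply to the second hunk (old line 5101), and the function body starts and ends outside both hunks.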
@@ -5101,21 +5096,18 @@ pf_test_state_icmp(struct pf_pdesc *pd, struct pf_state
**state,
pd2.hdr.icmp6 = &iih;
pf_icmp_mapping(&pd2, iih.icmp6_type,
&icmp_dir, &virtual_id, &virtual_type);
ret = pf_icmp_state_lookup(&pd2, &key, state,
virtual_id, virtual_type, icmp_dir, &iidx, 0, 1);
- if (ret >= 0) {
- if (ret == PF_DROP && pd2.af == AF_INET6 &&
- icmp_dir == PF_OUT) {
- ret = pf_icmp_state_lookup(&pd2, &key,
- state, virtual_id, virtual_type,
- icmp_dir, &iidx, 1, 1);
- if (ret >= 0)
- return (ret);
- } else
- return (ret);
- }
+ /* IPv6? try matching a multicast address */
+ if (ret == PF_DROP && pd2.af == AF_INET6 &&
+ icmp_dir == PF_OUT)
+ ret = pf_icmp_state_lookup(&pd2, &key, state,
+ virtual_id, virtual_type, icmp_dir, &iidx,
+ 1, 1);
+ if (ret >= 0)
+ return (ret);
/* translate source/destination address, if necessary */
if ((*state)->key[PF_SK_WIRE] !=
(*state)->key[PF_SK_STACK]) {
struct pf_state_key *nk;