On Tue, Nov 22, 2016 at 01:44:09PM +0100, Mike Belopuhov wrote:
> OK, all I wanted to know was if this is know to work and if it has
> been tested.  I'd argue that we don't put the code that doesn't work
> or not tested or we don't know what it does :)

After looking at all the cases, it will be hard to test the af-to
with route-to combinations.  As the feature never worked, let's
disable it.  If someone has a use case, he can put it back.

ok?

bluhm

Index: sys/net/pf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.1001
diff -u -p -r1.1001 pf.c
--- sys/net/pf.c        22 Nov 2016 19:29:54 -0000      1.1001
+++ sys/net/pf.c        23 Nov 2016 00:00:30 -0000
@@ -6878,28 +6878,16 @@ done:
                        action = PF_DROP;
                        break;
                }
-               if (r->rt) {
-                       switch (pd.naf) {
-                       case AF_INET:
-                               pf_route(&pd, r, s);
-                               break;
-                       case AF_INET6:
-                               pf_route6(&pd, r, s);
-                               break;
-                       }
-               }
-               if (pd.m) {
-                       pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
-                       switch (pd.naf) {
-                       case AF_INET:
-                               ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
-                               break;
-                       case AF_INET6:
-                               ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
-                               break;
-                       }
-                       pd.m = NULL;
+               pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
+               switch (pd.naf) {
+               case AF_INET:
+                       ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
+                       break;
+               case AF_INET6:
+                       ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
+                       break;
                }
+               pd.m = NULL;
                action = PF_PASS;
                break;
 #endif /* INET6 */
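Review bot: The new `pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;` dereferences pd.m without the `if (pd.m)` guard the old code had, so this path now depends on pd.m being non-NULL whenever the preceding drop-and-break branch is not taken. With the pf_route()/pf_route6() calls gone that is presumably always the case, but the code that establishes it lies outside the hunk. I would state the invariant next to the dereference, for example `KASSERT(pd.m != NULL);` or a comment such as `/* translation succeeded, pd.m is still owned by us */`. Separately, the `switch (pd.naf)` has no `default:`, so for any other value `pd.m = NULL` would drop the reference without sending or freeing the mbuf; a `default:` that frees it would make that case explicit. The enclosing function starts and ends outside this hunk.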
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.655
diff -u -p -r1.655 parse.y
--- sbin/pfctl/parse.y  26 Aug 2016 06:06:58 -0000      1.655
+++ sbin/pfctl/parse.y  23 Nov 2016 00:07:42 -0000
@@ -1530,6 +1530,11 @@ pfrule           : action dir logquick interface 
                                yyerror("af-to can only be used with direction 
in");
                                YYERROR;
                        }
+                       if (($8.marker & FOM_AFTO) && $8.route.rt) {
+                               yyerror("af-to cannot be used together with "
+                                   "route-to, reply-to, dup-to");
+                               YYERROR;
+                       }
                        r.af = $5;
 
                        if ($8.tag)
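Review bot: The added `($8.marker & FOM_AFTO) && $8.route.rt` check rejects the combination only in the pfctl parser, while the pf.c hunk makes the kernel stop looking at `r->rt` for af-to rules. A ruleset that reaches the kernel by another path (an older pfctl binary or another tool using the rule-loading ioctl) would presumably still be accepted, with its route-to, reply-to or dup-to silently not applied. For a packet filter, a rule that loads but does not do what it says is worth avoiding. Consider an equivalent rejection in the kernel's rule validation, which is not part of this diff, and a note in pf.conf(5) that af-to excludes these options.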
