From eaa2c80721d8793a3079241c088428e5fa161e3a Mon Sep 17 00:00:00 2001
From: sashan
Date: Thu, 28 May 2026 06:41:24 +0000
Subject: [PATCH] pf(4) currently ignores fragment direction (in vs. out) in pf_frnode_compare() function. Issue noticed and reported by Frank Denis OK @bluhm
---
sys/net/pf_norm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 2ec8cb40ccf..7fe406795e2 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.237 2026/04/12 22:34:19 sashan Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.238 2026/05/28 06:41:24 sashan Exp $ */
 
 /*
 * Copyright 2001 Niels Provos
@@ -176,6 +176,8 @@ pf_frnode_compare(struct pf_frnode *a, struct pf_frnode *b)
 return (diff);
 if ((diff = a->fn_af - b->fn_af) != 0)
 return (diff);
+ if ((diff = a->fn_direction - b->fn_direction) != 0)
+ return (diff);
 if ((diff = pf_addr_compare(&a->fn_src, &b->fn_src, a->fn_af)) != 0)
 return (diff);
 if ((diff = pf_addr_compare(&a->fn_dst, &b->fn_dst, a->fn_af)) != 0)
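Review bot: The added `fn_direction` test in pf_frnode_compare() changes which fragments share a reassembly node, but nothing in the code says why direction is part of the key; a one-line comment above it such as `/* inbound and outbound fragments must not share a reassembly node */` would keep a later cleanup from dropping it. Because the field now takes part in ordering, every place that fills a `struct pf_frnode` lookup key has to set `fn_direction` as well, otherwise the lookup compares against an uninitialised value; those call sites are outside this hunk, so that is worth confirming. The subtraction form matches the `fn_af` line above and is fine as long as `fn_direction` is a narrow unsigned field, which the hunk does not show. The function starts before and ends after the hunk.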