Page MenuHomeFreeBSD

Evaluate packet size after the firewall had its chance in the ip6 fast path
ClosedPublic

Authored by kristof on Oct 24 2017, 7:50 PM.

Details

Summary

Defer the packet size check until after the firewall has had a look at it. This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.
This mirrors what the slow path does.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kristof created this revision.Oct 24 2017, 7:50 PM
ae added inline comments.Oct 25 2017, 8:07 AM
sys/netinet6/ip6_fastfwd.c
203–205 ↗(On Diff #34297)

This doesn't look like the code from head/. Original code uses PFIL_IN and PFIL_OUT directions.

kristof added inline comments.Oct 25 2017, 8:38 AM
sys/netinet6/ip6_fastfwd.c
203–205 ↗(On Diff #34297)

Ah, right. I've got another patch I'm working on to add 'PFIL_FWD', but that's not quite ready yet. I'll rebase this so it doesn't include that change.

kristof updated this revision to Diff 34321.Oct 25 2017, 10:53 AM
ae accepted this revision as: ae.Oct 25 2017, 11:42 AM
This revision is now accepted and ready to land.Oct 25 2017, 11:42 AM
This revision was automatically updated to reflect the committed changes.