netpfil: Introduce PFIL_FWD
Status: Needs Review (Public)

Authored by kristof on Sun, Dec 31, 4:38 PM.

Details

Reviewers
None
Group Reviewers
network
Summary

Until now forwarded packets passed through PFIL_OUT, which made it
difficult for firewalls to figure out if they were forwarding or
producing packets.
This in turn is an issue for pf for IPv6 fragment handling: it needs to
call ip6_output() or ip6_forward() to handle the fragments. Figuring out
which was difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.

Other firewalls (ipfw, ipf) need to be made aware of this. Simply
changing PFIL_FWD into PFIL_OUT in their hook functions removes any
behaviour change for them.

Diff Detail

Repository
rS FreeBSD src repository
kristof created this revision. Sun, Dec 31, 4:38 PM
ae added a comment. Sat, Jan 6, 4:54 PM

Can you please update the patch with additional context according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface

eri added a subscriber: eri. Sat, Jan 6, 6:58 PM

While this is needed I do not agree that the modifications on the stack and packet filters should be so hackish.

kristof updated this revision to Diff 37594. Sat, Jan 6, 8:17 PM

More context. No changes to the diff.

In D13715#288702, @eri wrote:

While this is needed I do not agree that the modifications on the stack and packet filters should be so hackish.

What specifically do you not like? The 'if (dir == PFIL_FWD) dir = PFIL_OUT;' additions to the other pfil users?
The alternative to that would be to try to hide this in pfil, so that pf (and others who want PFIL_FWD) could tell pfil it understands this, and keep sending PFIL_OUT for PFIL_FWD to the others. That would get rid of the couple of if statements in the other pfil users, at the price of extra complexity in pfil.
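As an added illustration, not code from this review or from FreeBSD, here is a small C model of the two approaches contrasted above: a legacy hook that folds PFIL_FWD into PFIL_OUT itself, versus a pfil run loop that only passes PFIL_FWD to hooks that have declared they understand it, and a pf-style decision between ip6_output() and ip6_forward() for refragmentation. The flag values and the PFIL_HOOK_UNDERSTANDS_FWD capability bit are constructed assumptions, not the real sys/net/pfil.h definitions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed direction flags in pfil's style; the real values from
 * sys/net/pfil.h are not on the page, so these are assumptions. */
#define PFIL_IN   0x1
#define PFIL_OUT  0x2
#define PFIL_FWD  0x4

/* Hypothetical per-hook capability bit: the hook opts in to seeing PFIL_FWD. */
#define PFIL_HOOK_UNDERSTANDS_FWD 0x1

struct pfil_hook {
    const char *name;
    int flags;                        /* PFIL_HOOK_* capability bits */
    int (*func)(int dir, int *seen);  /* records the direction it was given */
};

/* Approach 1 (the review's current diff): a legacy hook such as ipfw or ipf
 * simply maps PFIL_FWD back to PFIL_OUT, so its behaviour is unchanged. */
static int legacy_hook(int dir, int *seen)
{
    if (dir == PFIL_FWD)
        dir = PFIL_OUT;
    *seen = dir;
    return 0;
}

/* A FWD-aware hook (pf-like) wants the distinction preserved. */
static int fwd_aware_hook(int dir, int *seen)
{
    *seen = dir;
    return 0;
}

/* Approach 2 (the alternative sketched in the reply): pfil itself downgrades
 * PFIL_FWD to PFIL_OUT for hooks that never declared FWD support. */
static int pfil_run_hook(const struct pfil_hook *h, int dir, int *seen)
{
    if (dir == PFIL_FWD && !(h->flags & PFIL_HOOK_UNDERSTANDS_FWD))
        dir = PFIL_OUT;
    return h->func(dir, seen);
}

/* pf's IPv6 fragment handling: with a distinct PFIL_FWD it can pick the
 * right output routine directly. Returns NULL for inbound, where neither fits. */
static const char *pf_refragment_path(int dir)
{
    if (dir == PFIL_FWD) return "ip6_forward";
    if (dir == PFIL_OUT) return "ip6_output";
    return NULL;
}
```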