pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set
Closed, Public

Authored by kp on Aug 30 2015, 8:12 PM.

Details

Summary

If net.link.bridge.pfil_bridge is set we can end up thinking we're forwarding in
pf_test6() because the rcvif and the ifp (output interface) are different.
In that case we're bridging though, and the rcvif is the bridge member on which
the packet was received and ifp is the bridge itself.
If we'd set dir to PF_FWD we'd end up calling ip6_forward() which is incorrect.

Instead check if the rcvif is a member of the ifp bridge. (In other words, the
if_bridge is the ifp's softc). If that's the case we're not forwarding but
bridging.

PR: 202351

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kp updated this revision to Diff 8354. Aug 30 2015, 8:12 PM
kp retitled this revision from to pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set.
kp updated this object.
kp edited the test plan for this revision.
kp added a reviewer: network.
kp set the repository for this revision to rS FreeBSD src repository.
eri added a reviewer: eri. Aug 31 2015, 6:31 AM
eri edited edge metadata.

Did this behavior start after implementing the refragmentation functionality?

sys/netpfil/pf/pf.c
6088 ↗(On Diff #8354)

Can you put a comment on top of this explaining why the check for the bridge

kp added a comment. Aug 31 2015, 6:34 AM

Yes, that's when the entire check and the call to pf_refragment6() at the bottom of pf_test6() were introduced.

I'll update the review later today with the comment you asked for.

kp updated this revision to Diff 8362. Aug 31 2015, 9:25 AM
kp edited edge metadata.
kp removed rS FreeBSD src repository as the repository for this revision.

Added the comment block.

I also extended the check slightly, to check that rcvif really is a bridge member. Mostly for the unlikely case where the output interface doesn't have a softc, but it also clarifies things a little, I think.

eri accepted this revision. Aug 31 2015, 10:07 AM
eri edited edge metadata.

I would have put this in the pf_refragment6 function call, but let's put this in and see later on how to improve it further.

This revision is now accepted and ready to land. Aug 31 2015, 10:07 AM
This revision was automatically updated to reflect the committed changes.
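
The bridge-membership check discussed in this review, modelled in userspace C as an added example; it is not the committed pf.c code. The `ifm` type, the `DIR_*` values, the function names and the sample interfaces are constructed stand-ins; only the relationship between the member's `if_bridge` and the bridge's softc comes from the summary, and the `nosc0` case covers the output interface without a softc mentioned in the Diff 8362 comment.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-in for the kernel ifnet (assumption: two fields only). */
typedef struct ifm {
	const char *name;
	void *if_softc;		/* driver state; on a bridge, the bridge softc */
	void *if_bridge;	/* on a bridge member, the owning bridge's softc */
} ifm;

enum { DIR_IN = 1, DIR_OUT, DIR_FWD };	/* hypothetical stand-ins for pf's dir */

/* Constructed sample interfaces. */
static int sc_bridge0, sc_em0, sc_em1;
static ifm bridge0 = { "bridge0", &sc_bridge0, NULL };
static ifm em0 = { "em0", &sc_em0, &sc_bridge0 };	/* bridge0 member */
static ifm em1 = { "em1", &sc_em1, NULL };		/* routed port */
static ifm nosc0 = { "nosc0", NULL, NULL };		/* no softc at all */

/* Heuristic the summary calls wrong: different interfaces means forwarding. */
static int classify_naive(int dir, const ifm *rcvif, const ifm *ifp)
{
	return (dir == DIR_OUT && rcvif != NULL && rcvif != ifp) ? DIR_FWD : dir;
}

/* rcvif must really be a bridge member, so NULL == NULL never matches. */
static int is_member_of(const ifm *rcvif, const ifm *ifp)
{
	return rcvif->if_bridge != NULL && rcvif->if_bridge == ifp->if_softc;
}

/* Bridge-aware variant: a member sending out via its own bridge is bridging. */
static int classify_bridge_aware(int dir, const ifm *rcvif, const ifm *ifp)
{
	if (dir == DIR_OUT && rcvif != NULL && rcvif != ifp &&
	    !is_member_of(rcvif, ifp))
		return DIR_FWD;
	return dir;
}

int main(void)
{
	printf("em0->bridge0: naive=%d aware=%d\n",
	    classify_naive(DIR_OUT, &em0, &bridge0),
	    classify_bridge_aware(DIR_OUT, &em0, &bridge0));
	printf("em1->nosc0: aware=%d\n",
	    classify_bridge_aware(DIR_OUT, &em1, &nosc0));
	return 0;
}
```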