
pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set
Closed, Public

Authored by kp on Aug 30 2015, 8:12 PM.
Referenced Files
F133204747: D3534.id8400.diff

Details

Summary

If net.link.bridge.pfil_bridge is set we can end up thinking we're forwarding in
pf_test6() because the rcvif and the ifp (output interface) are different.
In that case we're bridging though, and the rcvif is the bridge member on which
the packet was received and ifp is the bridge itself.
If we'd set dir to PF_FWD we'd end up calling ip6_forward() which is incorrect.

Instead check if the rcvif is a member of the ifp bridge. (In other words, the
if_bridge is the ifp's softc). If that's the case we're not forwarding but
bridging.

PR: 202351

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

kp retitled this revision from to pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set.
kp updated this object.
kp edited the test plan for this revision.
kp added a reviewer: network.
kp set the repository for this revision to rS FreeBSD src repository - subversion.
eri edited edge metadata.

Did this behavior start after implementing the refragmentation functionality?

sys/netpfil/pf/pf.c
6088 ↗(On Diff #8354)

Can you put a comment on top of this explaining why the check for the bridge

Yes, that's when the entire check and the call to pf_refragment6() at the bottom of pf_test6() were introduced.

I'll update the review later today with the comment you asked for.

kp edited edge metadata.
kp removed rS FreeBSD src repository - subversion as the repository for this revision.

Added the comment block.

I also extended the check slightly, to check that rcvif really is a bridge member. Mostly for the unlikely case where the output interface doesn't have a softc, but it also clarifies things a little, I think.

eri edited edge metadata.

I would have put this in the pf_refragment6 function call, but let's put this in and see later on how to improve it further.

This revision is now accepted and ready to land. Aug 31 2015, 10:07 AM
This revision was automatically updated to reflect the committed changes.
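The check described in the summary, together with the bridge-member test added in the later update, can be modelled in user space as follows. This is an added example, not the committed pf.c change: the struct, the enum, the function names and the sample interfaces are assumptions that stand in for the kernel's `struct ifnet` fields `if_softc` and `if_bridge`.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space stand-in for the two struct ifnet fields the review discusses. */
struct ifnet_model {
    const char *name;
    void *if_softc;   /* driver-private state; for a bridge, its softc */
    void *if_bridge;  /* on a bridge member: the owning bridge's softc */
};

enum dir_model { DIR_OUT, DIR_FWD };  /* hypothetical, mirrors PF_OUT / PF_FWD */

/* Heuristic from the summary: different rcvif and ifp means forwarding. */
static enum dir_model
classify_naive(const struct ifnet_model *rcvif, const struct ifnet_model *ifp)
{
    return (rcvif != NULL && rcvif != ifp) ? DIR_FWD : DIR_OUT;
}

/* Bridge-aware form: a packet received on a member of the ifp bridge is
 * bridged, not forwarded. The NULL test is the "really is a bridge member"
 * guard, so an ifp without a softc cannot match a non-member by accident. */
static enum dir_model
classify_bridge_aware(const struct ifnet_model *rcvif, const struct ifnet_model *ifp)
{
    if (rcvif == NULL || rcvif == ifp)
        return DIR_OUT;
    if (rcvif->if_bridge != NULL && rcvif->if_bridge == ifp->if_softc)
        return DIR_OUT;
    return DIR_FWD;
}

/* Constructed sample interfaces. */
static int sc_bridge0, sc_em0, sc_em1, sc_em2;
static struct ifnet_model bridge0 = { "bridge0", &sc_bridge0, NULL };
static struct ifnet_model em0 = { "em0", &sc_em0, &sc_bridge0 }; /* member */
static struct ifnet_model em1 = { "em1", &sc_em1, NULL };        /* routed */
static struct ifnet_model em2 = { "em2", &sc_em2, NULL };        /* routed */
static struct ifnet_model tun0 = { "tun0", NULL, NULL };         /* no softc */

int main(void)
{
    printf("em0->bridge0 naive=%d aware=%d\n",
        classify_naive(&em0, &bridge0), classify_bridge_aware(&em0, &bridge0));
    printf("em1->em2 aware=%d\n", classify_bridge_aware(&em1, &em2));
    printf("em1->tun0 aware=%d\n", classify_bridge_aware(&em1, &tun0));
    return 0;
}
```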