Page MenuHomeFreeBSD
Differential D41479

Draft: Forwarding: Use the next hop installed by pfil_mbuf_in
AbandonedPublic
Actions

Authored by vegeta_tuxpowered.net on Aug 16 2023, 7:04 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Oct 12, 8:20 AM
Unknown Object (File)
Mon, Sep 29, 5:59 PM
Unknown Object (File)
Mon, Sep 29, 3:18 PM
Unknown Object (File)
Mon, Sep 29, 1:19 PM
Unknown Object (File)
Sat, Sep 27, 1:32 AM
Unknown Object (File)
Fri, Sep 26, 9:24 PM
Unknown Object (File)
Thu, Sep 18, 8:48 PM
Unknown Object (File)
Thu, Sep 18, 11:54 AM
View All Files
Subscribers
ae
glebius
imp
melifaro

Details

Reviewers
None
Summary

In the fast forwarding path the next hop installed by pfil_mbuf_in is read but then lost.

In the slow forwarding path only the presence of the next hop is checked, then the pfil_mbuf_out hook is called and only after that the next hop from the PACKET_TAG_IPFORWARD tag is applied. This causes firewalls applying the next hop in pfil_mbuf_in to not work correctly when rules are interface-bound because pfil_mbuf_out is called on the interface matching the destination IP address from the IP header instead of then one matching the next hop.

Sponsored by: InnoGames GmbH

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Aug 16 2023, 7:04 AM
Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptAug 16 2023, 7:04 AM
vegeta_tuxpowered.net requested review of this revision.Aug 16 2023, 7:04 AM
vegeta_tuxpowered.net updated this revision to Diff 126137.Aug 17 2023, 5:35 PM
vegeta_tuxpowered.net retitled this revision from ip_fastfwd: Don't overwrite a next hop installed by pfil to Draft: fastfwd: Don't overwrite a next hop installed by pfil.

Updated to cover the IPv6 forwarding too

Herald added a subscriber: ae. · View Herald TranscriptAug 17 2023, 5:36 PM
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)Aug 17 2023, 5:41 PM
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)
vegeta_tuxpowered.net updated this revision to Diff 126141.Aug 17 2023, 5:44 PM
vegeta_tuxpowered.net updated this revision to Diff 126208.Aug 18 2023, 5:24 PM
vegeta_tuxpowered.net retitled this revision from Draft: fastfwd: Don't overwrite a next hop installed by pfil to Draft: Forwarding: Use the next hop installed by pfil_mbuf_in.
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)
vegeta_tuxpowered.net updated this revision to Diff 126264.Aug 20 2023, 2:50 PM
vegeta_tuxpowered.net mentioned this in D41517: Draft: pf: Switch pf_route() to PACKET_TAG_IPFORWARD tag.Aug 20 2023, 6:30 PM
vegeta_tuxpowered.net abandoned this revision.Sep 17 2025, 3:48 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
50 lines
18 lines
netinet6/
54 lines
14 lines

Diff 126264

View Options

sys/netinet/ip_fastfwd.c

Loading...
View Options

sys/netinet/ip_input.c

Loading...
View Options

sys/netinet6/ip6_fastfwd.c

Loading...
View Options

sys/netinet6/ip6_forward.c

Loading...