Page MenuHomeFreeBSD
Differential D41479

Draft: Forwarding: Use the next hop installed by pfil_mbuf_in
Needs ReviewPublic
Actions

Authored by vegeta_tuxpowered.net on Aug 16 2023, 7:04 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Dec 13, 5:47 PM
Unknown Object (File)
Mon, Dec 9, 2:00 AM
Unknown Object (File)
Sun, Dec 8, 4:48 PM
Unknown Object (File)
Tue, Dec 3, 6:55 AM
Unknown Object (File)
Nov 9 2024, 3:07 AM
Unknown Object (File)
Oct 12 2024, 10:39 AM
Unknown Object (File)
Oct 10 2024, 11:48 AM
Unknown Object (File)
Oct 7 2024, 10:58 PM
View All 58 Files
Subscribers
ae
glebius
imp
melifaro
This revision needs review, but there are no reviewers specified.

Details

Reviewers
None
Summary

In the fast forwarding path the next hop installed by pfil_mbuf_in is read but then lost.

In the slow forwarding path only the presence of the next hop is checked, then the pfil_mbuf_out hook is called and only after that the next hop from the PACKET_TAG_IPFORWARD tag is applied. This causes firewalls applying the next hop in pfil_mbuf_in to not work correctly when rules are interface-bound because pfil_mbuf_out is called on the interface matching the destination IP address from the IP header instead of then one matching the next hop.

Sponsored by: InnoGames GmbH

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Aug 16 2023, 7:04 AM
Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptAug 16 2023, 7:04 AM
vegeta_tuxpowered.net requested review of this revision.Aug 16 2023, 7:04 AM
vegeta_tuxpowered.net updated this revision to Diff 126137.Aug 17 2023, 5:35 PM
vegeta_tuxpowered.net retitled this revision from ip_fastfwd: Don't overwrite a next hop installed by pfil to Draft: fastfwd: Don't overwrite a next hop installed by pfil.

Updated to cover the IPv6 forwarding too

Herald added a subscriber: ae. · View Herald TranscriptAug 17 2023, 5:36 PM
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)Aug 17 2023, 5:41 PM
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)
vegeta_tuxpowered.net updated this revision to Diff 126141.Aug 17 2023, 5:44 PM
vegeta_tuxpowered.net updated this revision to Diff 126208.Aug 18 2023, 5:24 PM
vegeta_tuxpowered.net retitled this revision from Draft: fastfwd: Don't overwrite a next hop installed by pfil to Draft: Forwarding: Use the next hop installed by pfil_mbuf_in.
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)
vegeta_tuxpowered.net updated this revision to Diff 126264.Aug 20 2023, 2:50 PM
vegeta_tuxpowered.net mentioned this in D41517: Draft: pf: Switch pf_route() to PACKET_TAG_IPFORWARD tag.Aug 20 2023, 6:30 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
50 lines
18 lines
netinet6/
54 lines
14 lines

Diff 126264

View Options

sys/netinet/ip_fastfwd.c

Loading...
View Options

sys/netinet/ip_input.c

Loading...
View Options

sys/netinet6/ip6_fastfwd.c

Loading...
View Options

sys/netinet6/ip6_forward.c

Loading...