Page MenuHomeFreeBSD

pf: handle IPv6 fragmentation for route-to
ClosedPublic

Authored by kp on Wed, Nov 20, 4:16 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 2, 8:55 AM
Unknown Object (File)
Tue, Nov 26, 2:11 PM
Unknown Object (File)
Mon, Nov 25, 6:33 PM
Unknown Object (File)
Fri, Nov 22, 8:28 AM
Unknown Object (File)
Thu, Nov 21, 11:30 PM
Unknown Object (File)
Thu, Nov 21, 11:28 PM

Details

Summary

If a fragmented IPv6 packet hits a route-to rule we have to first prevent
the pf_test(PF_OUT) check in pf_route6() from refragmenting (and calling
ip6_output()/ip6_forward()). We then have to refragment in pf_route6() and
transmit the packets on the route-to interface.

Split pf_refragment6() into two parts, the first to perform the refragmentation,
the second to call ip6_output()/ip6_forward() and call the former from
pf_route6().

Add a test case for route-to-ing fragmented IPv6 packets to verify this works
as expected.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp requested review of this revision.Wed, Nov 20, 4:16 PM

Change the approach. Tell pf_refragment6() what interface to use. If unspecified
fall back to the previous ip6_forward/ip6_output calls.
This is basically the same approach OpenBSD took for this issue, and it's a
smaller change than splitting pf_refragment6() into two functions.

This revision was not accepted when it landed; it landed in state Needs Review.Tue, Nov 26, 2:07 PM
This revision was automatically updated to reflect the committed changes.