Details

Reviewers: None

Summary

In the fast forwarding path the next hop installed by pfil_mbuf_in is read but then lost.

In the slow forwarding path only the presence of the next hop is checked, then the pfil_mbuf_out hook is called and only after that the next hop from the PACKET_TAG_IPFORWARD tag is applied. This causes firewalls applying the next hop in pfil_mbuf_in to not work correctly when rules are interface-bound because pfil_mbuf_out is called on the interface matching the destination IP address from the IP header instead of then one matching the next hop.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Aug 16 2023, 7:04 AM

Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptAug 16 2023, 7:04 AM

vegeta_tuxpowered.net requested review of this revision.Aug 16 2023, 7:04 AM

Updated to cover the IPv6 forwarding too

Herald added a subscriber: ae. · View Herald TranscriptAug 17 2023, 5:36 PM

vegeta_tuxpowered.net edited the summary of this revision. (Show Details)Aug 17 2023, 5:41 PM

vegeta_tuxpowered.net edited the summary of this revision. (Show Details)

vegeta_tuxpowered.net updated this revision to Diff 126141.Aug 17 2023, 5:44 PM

vegeta_tuxpowered.net updated this revision to Diff 126208.Aug 18 2023, 5:24 PM

vegeta_tuxpowered.net retitled this revision from Draft: fastfwd: Don't overwrite a next hop installed by pfil to Draft: Forwarding: Use the next hop installed by pfil_mbuf_in.

vegeta_tuxpowered.net edited the summary of this revision. (Show Details)

vegeta_tuxpowered.net updated this revision to Diff 126264.Aug 20 2023, 2:50 PM

vegeta_tuxpowered.net mentioned this in D41517: Draft: pf: Switch pf_route() to PACKET_TAG_IPFORWARD tag.Aug 20 2023, 6:30 PM

vegeta_tuxpowered.net abandoned this revision.Sep 17 2025, 3:48 PM