Page MenuHomeFreeBSD
Differential D41479

Draft: Forwarding: Use the next hop installed by pfil_mbuf_in
AbandonedPublic
Actions

Authored by vegeta_tuxpowered.net on Aug 16 2023, 7:04 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jun 27, 4:50 PM
Unknown Object (File)
Thu, Jun 25, 1:19 AM
Unknown Object (File)
Tue, Jun 23, 12:02 AM
Unknown Object (File)
Mon, Jun 22, 3:34 AM
Unknown Object (File)
Mon, Jun 22, 2:45 AM
Unknown Object (File)
Sun, Jun 21, 2:53 PM
Unknown Object (File)
Thu, Jun 18, 10:14 PM
Unknown Object (File)
Thu, Jun 18, 2:58 AM
View All Files
Subscribers
ae
glebius
imp
melifaro

Details

Reviewers
None
Summary

In the fast forwarding path the next hop installed by pfil_mbuf_in is read but then lost.

In the slow forwarding path only the presence of the next hop is checked, then the pfil_mbuf_out hook is called and only after that the next hop from the PACKET_TAG_IPFORWARD tag is applied. This causes firewalls applying the next hop in pfil_mbuf_in to not work correctly when rules are interface-bound because pfil_mbuf_out is called on the interface matching the destination IP address from the IP header instead of then one matching the next hop.

Sponsored by: InnoGames GmbH

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Aug 16 2023, 7:04 AM
Herald added subscribers: glebius, melifaro, imp. · View Herald TranscriptAug 16 2023, 7:04 AM
vegeta_tuxpowered.net requested review of this revision.Aug 16 2023, 7:04 AM
vegeta_tuxpowered.net updated this revision to Diff 126137.Aug 17 2023, 5:35 PM
vegeta_tuxpowered.net retitled this revision from ip_fastfwd: Don't overwrite a next hop installed by pfil to Draft: fastfwd: Don't overwrite a next hop installed by pfil.

Updated to cover the IPv6 forwarding too

Herald added a subscriber: ae. · View Herald TranscriptAug 17 2023, 5:36 PM
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)Aug 17 2023, 5:41 PM
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)
vegeta_tuxpowered.net updated this revision to Diff 126141.Aug 17 2023, 5:44 PM
vegeta_tuxpowered.net updated this revision to Diff 126208.Aug 18 2023, 5:24 PM
vegeta_tuxpowered.net retitled this revision from Draft: fastfwd: Don't overwrite a next hop installed by pfil to Draft: Forwarding: Use the next hop installed by pfil_mbuf_in.
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)
vegeta_tuxpowered.net updated this revision to Diff 126264.Aug 20 2023, 2:50 PM
vegeta_tuxpowered.net mentioned this in D41517: Draft: pf: Switch pf_route() to PACKET_TAG_IPFORWARD tag.Aug 20 2023, 6:30 PM
vegeta_tuxpowered.net abandoned this revision.Sep 17 2025, 3:48 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
50 lines
netinet6/
54 lines

Diff 126141

View Options

sys/netinet/ip_fastfwd.c

Loading...
View Options

sys/netinet6/ip6_fastfwd.c

Loading...