Until now forwarded packets passed through PFIL_OUT, which made it
difficult for firewalls to figure out if they were forwarding or
producing packets.
This in turn is an issue for pf for IPv6 fragment handling: it needs to
call ip6_output() or ip6_forward() to handle the fragments. Figuring out
which was difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.
Other firewalls (ipfw, ipf) need to be made aware of this. Simply
changing PFIL_FWD into PFIL_OUT in their hook functions removes any
behaviour change for them.

Introduce a flags variable in the netpfil callbacks, which has PFIL_FWD
set for forwarded packets. This allows pf to reliably work out if a packet
is forwarded or not.