author | Kristof Provost <kp@FreeBSD.org> | 2024-12-12 12:41:42 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2024-12-17 10:07:18 +0000 |
commit | 08a512019ccb19d1e05d4069faa959a530256ec1 | |
tree | bfaee5db327263ef3c7b019d84d1dccee142d5e1 | |
parent | 7f3d159b9ff2b594778e9180fb7910721495a24f | |
pf: fix dummynet + route-to for IPv6
Apply the fixes from c6f1116357904 and b8ef285f6cc6a to IPv6 as well.
Ensure that when dummynet re-injects it does so in the correct direction, and
uses the correct dummynet pipes.
Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r-- | sys/netpfil/pf/pf.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 881b3cf91140..d9c0beb0169f 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -9130,6 +9130,28 @@ pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; } + if (pd->dir == PF_IN) { + uint16_t tmp; + /* + * Make sure dummynet gets the correct direction, in case it needs to + * re-inject later. + */ + pd->dir = PF_OUT; + + /* + * The following processing is actually the rest of the inbound processing, even + * though we've marked it as outbound (so we don't look through dummynet) and it + * happens after the outbound processing (pf_test(PF_OUT) above). + * Swap the dummynet pipe numbers, because it's going to come to the wrong + * conclusion about what direction it's processing, and we can't fix it or it + * will re-inject incorrectly. Swapping the pipe numbers means that its incorrect + * decision will pick the right pipe, and everything will mostly work as expected. + */ + tmp = pd->act.dnrpipe; + pd->act.dnrpipe = pd->act.dnpipe; + pd->act.dnpipe = tmp; + } + /* * If the packet is too large for the outgoing interface, * send back an icmp6 error. |
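Review bot: the `pd->dir = PF_OUT` assignment and the `dnpipe`/`dnrpipe` swap inside the `pd->dir == PF_IN` branch modify `pd` in place and are never undone, so the rest of pf_route6, starting with the "too large for the outgoing interface" icmp6 check directly below, runs with a `pd` that claims outbound and carries reversed pipe numbers. Please confirm that nothing after this point reads `pd->dir`, `pd->act.dnpipe` or `pd->act.dnrpipe` expecting the original values, or say in the comment that the change is intentionally permanent for the remainder of the function. The comment's "everything will mostly work as expected" should name the cases that do not work, and "so we don't look through dummynet" reads as if "loop through dummynet" was meant. Since the commit message says this repeats two earlier fixes for IPv6, a shared helper for the direction flip and pipe swap would keep the two code paths from drifting apart.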