authorKristof Provost <kp@FreeBSD.org>2025-01-31 15:53:34 +0000
committerKristof Provost <kp@FreeBSD.org>2025-02-04 20:56:06 +0000
commit1f4c3887e3fad411914ddc729fce175d5613e2b4 (patch)
tree40480aa681d188162add66bec9c02745bf01222d
parentb7f2a457a883c8530c9b6111cee6a988ce5b7249 (diff)
pfil: set PFIL_FWD for IPv4 forwarding
Just like we already do for IPv6, set the PFIL_FWD flag when we're forwarding IPv4 traffic. This allows firewalls to make more precise decisions. Reviewed by: glebius Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D48824
-rw-r--r--sys/netinet/ip_fastfwd.c2
-rw-r--r--sys/netinet/ip_output.c8
2 files changed, 8 insertions, 2 deletions
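--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -401,7 +401,7 @@ passin:
 if (!PFIL_HOOKED_OUT(V_inet_pfil_head))
 goto passout;
-if (pfil_mbuf_out(V_inet_pfil_head, &m, nh->nh_ifp,
+if (pfil_mbuf_fwd(V_inet_pfil_head, &m, nh->nh_ifp,
 NULL) != PFIL_PASS)
 goto drop;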
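Review bot: The switch to pfil_mbuf_fwd() here deserves a one-line comment, because the `PFIL_HOOKED_OUT` guard immediately above still reads as the plain output case and a reader will wonder why the forwarding variant is used under it; suggest `/* Forwarded packet: run the hooks with PFIL_FWD so firewalls can tell forwarded from locally originated traffic. */` above the `if`. The same note would explain the asymmetry with ip_output_pfil(), which keeps calling pfil_mbuf_out() for non-forwarded packets and only uses pfil_mbuf_fwd() when IP_FORWARDING is set. Presumably pfil_mbuf_fwd() runs the same output hook list with the PFIL_FWD flag added, which is why the existing guard remains correct — worth confirming against the pfil implementation. The enclosing fast-forward function starts and ends outside this hunk.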
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 9317d5d57e1d..d0dbd22512f0 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -112,13 +112,19 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, int flags,
struct mbuf *m;
struct in_addr odst;
struct ip *ip;
+ int ret;
m = *mp;
ip = mtod(m, struct ip *);
/* Run through list of hooks for output packets. */
odst.s_addr = ip->ip_dst.s_addr;
- switch (pfil_mbuf_out(V_inet_pfil_head, mp, ifp, inp)) {
+ if (flags & IP_FORWARDING)
+ ret = pfil_mbuf_fwd(V_inet_pfil_head, mp, ifp, inp);
+ else
+ ret = pfil_mbuf_out(V_inet_pfil_head, mp, ifp, inp);
+
+ switch (ret) {
case PFIL_DROPPED:
*error = EACCES;
/* FALLTHROUGH */