author | Kristof Provost <kp@FreeBSD.org> | 2018-03-23 16:56:44 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2018-03-23 16:56:44 +0000 |
commit | effaab8861d675090f859b6e49d75381ec3ba6ca (patch) | |
tree | 82ed386e8dcaf0714325e83fec7ad059f533eb8c /sys/netinet/ip_input.c | |
parent | 6a6c0d584479fce237345ca6ee2d3c3ea3b26e1d (diff) | |
download | src-effaab8861d675090f859b6e49d75381ec3ba6ca.tar.gz src-effaab8861d675090f859b6e49d75381ec3ba6ca.zip |
netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue for pf for IPv6 fragment handling: it needs to call
ip6_output() or ip6_forward() to handle the fragments. Figuring out which was
difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.
Introduce a new variant of the netpfil callbacks with a flags variable, which
has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if
a packet is forwarded.
Reviewed by: ae, kevans
Differential Revision: https://reviews.freebsd.org/D13715
Notes:
svn path=/head/; revision=331436
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index e03ae4c07a37..7aed544e16e2 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -600,7 +600,7 @@ tooshort: goto passin; odst = ip->ip_dst; - if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, NULL) != 0) + if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, 0, NULL) != 0) return; if (m == NULL) /* consumed by filter */ return; |
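Review bot: the hunk changes the arity of the existing pfil_run_hooks() call (PFIL_IN, NULL becomes PFIL_IN, 0, NULL) rather than calling a new variant alongside the old one as the commit message describes, so every other pfil_run_hooks() caller in the tree must be converted in this same commit or the build breaks; the diffstat shown here is limited to sys/netinet/ip_input.c, so that cannot be confirmed from this page alone. The new flags argument is also passed as a bare literal 0 with no comment; since the flag set introduced here is PFIL_FWD, a short comment on this line (e.g. /* not forwarded */) or a named "no flags" value would make it clear that 0 is deliberate for the inbound path and not a placeholder.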