The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=08a512019ccb19d1e05d4069faa959a530256ec1

commit 08a512019ccb19d1e05d4069faa959a530256ec1
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2024-12-12 12:41:42 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2024-12-17 10:07:18 +0000

    pf: fix dummynet + route-to for IPv6
    
    Apply the fixes from c6f1116357904 and b8ef285f6cc6a to IPv6 as well.
    
    Ensure that when dummynet re-injects it does so in the correct direction, and
    uses the correct dummynet pipes.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 881b3cf91140..d9c0beb0169f 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9130,6 +9130,28 @@ pf_route6(struct mbuf **m, struct pf_krule *r, struct 
ifnet *oifp,
                m0->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
        }
 
+       if (pd->dir == PF_IN) {
+               uint16_t         tmp;
+               /*
+                * Make sure dummynet gets the correct direction, in case it 
needs to
+                * re-inject later.
+                */
+               pd->dir = PF_OUT;
+
+               /*
+                * The following processing is actually the rest of the inbound 
processing, even
+                * though we've marked it as outbound (so we don't look through 
dummynet) and it
+                * happens after the outbound processing (pf_test(PF_OUT) 
above).
+                * Swap the dummynet pipe numbers, because it's going to come 
to the wrong
+                * conclusion about what direction it's processing, and we 
can't fix it or it
+                * will re-inject incorrectly. Swapping the pipe numbers means 
that its incorrect
+                * decision will pick the right pipe, and everything will 
mostly work as expected.
+                */
+               tmp = pd->act.dnrpipe;
+               pd->act.dnrpipe = pd->act.dnpipe;
+               pd->act.dnpipe = tmp;
+       }
+
        /*
         * If the packet is too large for the outgoing interface,
         * send back an icmp6 error.
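
Review bot: The new `if (pd->dir == PF_IN)` block rewrites `pd->dir` and swaps `pd->act.dnpipe` / `pd->act.dnrpipe` in place and never restores them, so any code that reads `pd` after this point will see PF_OUT and the swapped pipe numbers. If that is intended for the rest of pf_route6() and for whoever looks at `pd` afterwards, say so in the comment; otherwise save and restore the three fields around the dummynet hand-off. The comment also ends with "everything will mostly work as expected" without naming the cases that still do not work, which is the part a later reader needs most; please list them or drop "mostly". Since the commit message describes this as the IPv4 fixes applied to IPv6, a small shared helper for the direction flip and pipe swap would keep the two paths from drifting apart again. Style: add a blank line between the `uint16_t tmp;` declaration and the comment, and rewrap the second comment block, whose lines are long enough to have been folded in this mail. The diffstat shows only sys/netpfil/pf/pf.c changed, so a regression test covering dummynet + route-to over IPv6 would be a worthwhile follow-up.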
