The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1f4c3887e3fad411914ddc729fce175d5613e2b4

commit 1f4c3887e3fad411914ddc729fce175d5613e2b4
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-01-31 15:53:34 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-02-04 20:56:06 +0000

    pfil: set PFIL_FWD for IPv4 forwarding
    
    Just like we already do for IPv6, set the PFIL_FWD flag when we're forwarding
    IPv4 traffic. This allows firewalls to make more precise decisions.
    
    Reviewed by:    glebius
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D48824
---
 sys/netinet/ip_fastfwd.c | 2 +-
 sys/netinet/ip_output.c  | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 6d34ba4f5420..7a80cce908c1 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -401,7 +401,7 @@ passin:
        if (!PFIL_HOOKED_OUT(V_inet_pfil_head))
                goto passout;
 
-       if (pfil_mbuf_out(V_inet_pfil_head, &m, nh->nh_ifp,
+       if (pfil_mbuf_fwd(V_inet_pfil_head, &m, nh->nh_ifp,
            NULL) != PFIL_PASS)
                goto drop;
 
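Review bot: The call now takes the forwarding variant of the hook, but nothing in the hunk records why ip_fastfwd uses pfil_mbuf_fwd while the guard two lines above still keys off PFIL_HOOKED_OUT; a comment before the call would keep that pairing clear, e.g. `/* Forwarded packet: run the output hooks with PFIL_FWD set so filters can tell forwarding from locally originated output. */`. If pfil_mbuf_fwd is implemented as the output hooks plus the PFIL_FWD flag, as the commit message suggests, the PFIL_HOOKED_OUT gate remains the right one; that is worth confirming against the pfil implementation rather than assumed here. The enclosing function continues outside the hunk.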
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 9317d5d57e1d..d0dbd22512f0 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -112,13 +112,19 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, int 
flags,
        struct mbuf *m;
        struct in_addr odst;
        struct ip *ip;
+       int ret;
 
        m = *mp;
        ip = mtod(m, struct ip *);
 
        /* Run through list of hooks for output packets. */
        odst.s_addr = ip->ip_dst.s_addr;
-       switch (pfil_mbuf_out(V_inet_pfil_head, mp, ifp, inp)) {
+       if (flags & IP_FORWARDING)
+               ret = pfil_mbuf_fwd(V_inet_pfil_head, mp, ifp, inp);
+       else
+               ret = pfil_mbuf_out(V_inet_pfil_head, mp, ifp, inp);
+
+       switch (ret) {
        case PFIL_DROPPED:
                *error = EACCES;
                /* FALLTHROUGH */
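Review bot: The comment above the new branch still reads `/* Run through list of hooks for output packets. */`, which no longer describes the forwarding case it now handles; suggest `/* Run the output hooks; forwarded packets (IP_FORWARDING) are flagged with PFIL_FWD. */`. `ret` is assigned on both arms before the switch, so there is no uninitialized read. This path detects forwarding from the flags argument whereas the ip_fastfwd.c hunk does so by call site, so any other caller that forwards without passing IP_FORWARDING would run the hooks without PFIL_FWD and filters would silently see it as local output. ip_output_pfil's signature is only in the hunk header and its body continues past the hunk.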
