On 04/06/15 21:05, Kristof Provost wrote:
Author: kp
Date: Mon Apr  6 19:05:00 2015
New Revision: 281164
URL: https://svnweb.freebsd.org/changeset/base/281164

Log:
   pf: Skip firewall for refragmented ip6 packets

   In cases where we scrub (fragment reassemble) on both input and output
   we risk ending up in infinite loops when forwarding packets.

   Fragmented packets come in and get collected until we can defragment. At
   that point the defragmented packet is handed back to the ip stack (at
   the pfil point in ip6_input()). Normal processing continues.

   Eventually we figure out that the packet has to be forwarded and we end
   up at the pfil hook in ip6_forward(). After doing the inspection on the
   defragmented packet we see that the packet has been defragmented and
   because we're forwarding we have to refragment it.

   In pf_refragment6() we split the packet up again and then ip6_forward()
   the individual fragments.  Those fragments hit the pfil hook on the way
   out, so they're collected until we can reconstruct the full packet, at
   which point we're right back where we left off and things continue until
   we run out of stack.

   Break that loop by marking the fragments generated by pf_refragment6()
   as M_SKIP_FIREWALL. There's no point in processing those packets in the
   firewall anyway. We've already filtered on the full packet.

   Differential Revision:       https://reviews.freebsd.org/D2197
   Reviewed by: glebius, gnn
   Approved by: gnn (mentor)

Modified:
   head/sys/netpfil/pf/pf_norm.c

Modified: head/sys/netpfil/pf/pf_norm.c
==============================================================================
--- head/sys/netpfil/pf/pf_norm.c       Mon Apr  6 18:56:02 2015        
(r281163)
+++ head/sys/netpfil/pf/pf_norm.c       Mon Apr  6 19:05:00 2015        
(r281164)
@@ -1152,6 +1152,7 @@ pf_refragment6(struct ifnet *ifp, struct
        for (t = m; m; m = t) {
                t = m->m_nextpkt;
                m->m_nextpkt = NULL;
+               m->m_flags |= M_SKIP_FIREWALL;
                memset(&pd, 0, sizeof(pd));
                pd.pf_mtag = pf_find_mtag(m);
                if (error == 0)
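Review bot: M_SKIP_FIREWALL is a generic mbuf flag rather than a pf-private mark, so the new line `m->m_flags |= M_SKIP_FIREWALL;` will make these fragments bypass any other pfil consumer on the output path that honours the flag as well; a one-line comment above it stating why that is safe here (the full packet was already filtered before pf_refragment6() split it, as the log message explains) would keep that reasoning next to the code for future readers of pf_norm.c.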
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"


Hi,

Is there any chance that this commit and your previous pf and inet6 related changes will get MFC'd to 10.1-STABLE? Is it safe or even possible to incorporate these changes myself?

Kind regards,

Hans
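The reassemble/refragment loop that the commit message above describes, as an added toy simulation in C (not FreeBSD or pf code; `firewall_hook`, `ip6_forward`, `simulate` and the `struct pkt` fields are assumed names): with `mark_skip` false the refragmented pieces are collected and reassembled again at every level until the depth cap, with it true they bypass the hook, as M_SKIP_FIREWALL makes them do, and leave as three plain fragments.

```c
#include <stdbool.h>

/* Toy model, added here, not kernel code: one packet split into FRAGS
 * fragments, a pf-like hook that reassembles on both input and output,
 * and a recursion cap that stands in for running out of kernel stack. */
#define FRAGS     3
#define MAX_DEPTH 32

struct pkt { bool is_fragment, reassembled, skip_firewall; };
struct result { int sent, max_depth, rc; };

static int held;               /* fragments queued by the hook so far */
static struct result res;

/* pfil hook with "scrub fragment reassemble": false while still collecting,
 * true once the (possibly reassembled) packet may continue. */
static bool firewall_hook(struct pkt *p)
{
	if (p->skip_firewall || !p->is_fragment)    /* M_SKIP_FIREWALL or whole */
		return true;
	if (++held < FRAGS)
		return false;                           /* keep collecting */
	held = 0;
	p->is_fragment = false;                     /* hand back defragmented pkt */
	p->reassembled = true;
	return true;
}

/* ip6_forward(): hook first, then refragment what pf reassembled and forward
 * the pieces one by one, as the pf_refragment6() loop does. */
static int ip6_forward(struct pkt *p, bool mark_skip, int depth)
{
	if (depth > res.max_depth) res.max_depth = depth;
	if (depth >= MAX_DEPTH) return -1;          /* "we run out of stack" */
	if (!firewall_hook(p)) return 0;            /* queued until the rest arrive */
	if (!p->reassembled) { res.sent++; return 0; }  /* plain fragment goes out */
	for (int i = 0; i < FRAGS; i++) {
		struct pkt frag = { true, false, mark_skip };
		int rc = ip6_forward(&frag, mark_skip, depth + 1);
		if (rc < 0) return rc;
	}
	return 0;
}

/* Feed FRAGS inbound fragments (never marked) into the input hook and on to
 * forwarding; mark_skip is the commit's M_SKIP_FIREWALL on the refragments. */
struct result simulate(bool mark_skip)
{
	held = 0;
	res = (struct result){ 0, 0, 0 };
	for (int i = 0; i < FRAGS && res.rc == 0; i++) {
		struct pkt frag = { true, false, false };
		res.rc = ip6_forward(&frag, mark_skip, 0);
	}
	return res;
}
```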