svn commit: r349266 - head/sys/netinet

Fri, 21 Jun 2019 00:59:24 -0700 

Author: kp
Date: Fri Jun 21 07:58:08 2019
New Revision: 349266
URL: https://svnweb.freebsd.org/changeset/base/349266

Log:
  ip_output: pass PFIL_FWD in the slow path
  
  If we take the slow path for forwarding we should still tell our
  firewalls (hooked through pfil(9)) that we're forwarding. Pass the
  ip_output() flags to ip_output_pfil() so it can set the PFIL_FWD flag
  when we're forwarding.
  
  MFC after:    1 week
  Sponsored by: Axiado

Modified:
  head/sys/netinet/ip_output.c

Modified: head/sys/netinet/ip_output.c
==============================================================================
--- head/sys/netinet/ip_output.c        Fri Jun 21 07:45:58 2019        
(r349265)
+++ head/sys/netinet/ip_output.c        Fri Jun 21 07:58:08 2019        
(r349266)
@@ -109,20 +109,24 @@ extern int in_mcast_loop;
 extern struct protosw inetsw[];
 
 static inline int
-ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, struct inpcb *inp,
-    struct sockaddr_in *dst, int *fibnum, int *error)
+ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, int flags,
+    struct inpcb *inp, struct sockaddr_in *dst, int *fibnum, int *error)
 {
        struct m_tag *fwd_tag = NULL;
        struct mbuf *m;
        struct in_addr odst;
        struct ip *ip;
+       int pflags = PFIL_OUT;
 
+       if (flags & IP_FORWARDING)
+               pflags |= PFIL_FWD;
+
        m = *mp;
        ip = mtod(m, struct ip *);
 
        /* Run through list of hooks for output packets. */
        odst.s_addr = ip->ip_dst.s_addr;
-       switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, PFIL_OUT, inp)) {
+       switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, pflags, inp)) {
        case PFIL_DROPPED:
                *error = EPERM;
                /* FALLTHROUGH */
@@ -653,7 +657,8 @@ sendit:
 
        /* Jump over all PFIL processing if hooks are not active. */
        if (PFIL_HOOKED_OUT(V_inet_pfil_head)) {
-               switch (ip_output_pfil(&m, ifp, inp, dst, &fibnum, &error)) {
+               switch (ip_output_pfil(&m, ifp, flags, inp, dst, &fibnum,
+                   &error)) {
                case 1: /* Finished */
                        goto done;
 
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to