SVNews r332513

2018-04-15 15:22:28 - r332513 by kp (kp)

Complete list of files affected by revision r332513:

  MODIFY   /stable/11
  MODIFY   /stable/11/share/man/man9/pfil.9
  MODIFY   /stable/11/sys/net/if_bridge.c
  MODIFY   /stable/11/sys/net/if_enc.c
  MODIFY   /stable/11/sys/net/if_ethersubr.c
  MODIFY   /stable/11/sys/net/pfil.c
  MODIFY   /stable/11/sys/net/pfil.h
  MODIFY   /stable/11/sys/net/pfvar.h
  MODIFY   /stable/11/sys/netinet/ip_fastfwd.c
  MODIFY   /stable/11/sys/netinet/ip_input.c
  MODIFY   /stable/11/sys/netinet/ip_output.c
  MODIFY   /stable/11/sys/netinet6/ip6_fastfwd.c
  MODIFY   /stable/11/sys/netinet6/ip6_forward.c
  MODIFY   /stable/11/sys/netinet6/ip6_input.c
  MODIFY   /stable/11/sys/netinet6/ip6_output.c
  MODIFY   /stable/11/sys/netpfil/pf/pf.c
  MODIFY   /stable/11/sys/netpfil/pf/pf.h
  MODIFY   /stable/11/sys/netpfil/pf/pf_ioctl.c

Commit message:

MFC r331436:

netpfil: Introduce PFIL_FWD flag

Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue for pf for IPv6 fragment handling: it needs to call
ip6_output() or ip6_forward() to handle the fragments. Figuring out which was
difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.

Introduce a new variant of the netpfil callbacks with a flags variable, which
has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if
a packet is forwarded.
