Date: Wed, 28 Sep 2016 15:36:34 +0200
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Franco Fichtner" <franco@opnsense.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf fastroute tag removal reviewers needed
Message-ID: <D82461C3-EA8E-4379-9019-89717A99E8FA@FreeBSD.org>
In-Reply-To: <022E4530-A6DF-452B-8978-43A9B10DA726@opnsense.org>
References: <022E4530-A6DF-452B-8978-43A9B10DA726@opnsense.org>

On 28 Sep 2016, at 13:53, Franco Fichtner wrote:

> The main culprit of pfil not working correctly is pf's
> route-to and reply-to (and the tag formerly known as fastroute)
> as they would call if_output directly on the ifnet and consume
> their packets this way. That transmit code is also copied from
> if_output() and should likely not be called from within pf,
> especially when there is a pfil hook chain to go through.

Agreed, but there’s another culprit: the v6 fragment handling code.
It needs to call ip6_output()/ip6_forward() because it generates
multiple output packets.

Dealing with that has been on my todo list for a while now, but I’ve
not even found the time to make a start at it.

Regards,
Kristof