Date:      Thu, 18 Jun 2015 20:43:16 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r284574 - stable/10/sys/netpfil/pf
Message-ID:  <201506182043.t5IKhGD9032155@svn.freebsd.org>

Author: kp
Date: Thu Jun 18 20:43:16 2015
New Revision: 284574
URL: https://svnweb.freebsd.org/changeset/base/284574

Log:
  Merge r281164
  
  pf: Skip firewall for refragmented ip6 packets
  
  In cases where we scrub (fragment reassemble) on both input and output
  we risk ending up in infinite loops when forwarding packets.
  
  Fragmented packets come in and get collected until we can defragment. At
  that point the defragmented packet is handed back to the ip stack (at
  the pfil point in ip6_input()). Normal processing continues.
  
  Eventually we figure out that the packet has to be forwarded and we end
  up at the pfil hook in ip6_forward(). After doing the inspection on the
  defragmented packet we see that the packet has been defragmented and
  because we're forwarding we have to refragment it.
  
  In pf_refragment6() we split the packet up again and then ip6_forward()
  the individual fragments.  Those fragments hit the pfil hook on the way
  out, so they're collected until we can reconstruct the full packet, at
  which point we're right back where we left off and things continue until
  we run out of stack.
  
  Break that loop by marking the fragments generated by pf_refragment6()
  as M_SKIP_FIREWALL. There's no point in processing those packets in the
  firewall anyway. We've already filtered on the full packet.
  
  Differential Revision:	https://reviews.freebsd.org/D2819
  Reviewed by:	gnn

Modified:
  stable/10/sys/netpfil/pf/pf_norm.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/pf/pf_norm.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_norm.c	Thu Jun 18 20:41:55 2015	(r284573)
+++ stable/10/sys/netpfil/pf/pf_norm.c	Thu Jun 18 20:43:16 2015	(r284574)
@@ -1158,6 +1158,7 @@ pf_refragment6(struct ifnet *ifp, struct
 	for (t = m; m; m = t) {
 		t = m->m_nextpkt;
 		m->m_nextpkt = NULL;
+		m->m_flags |= M_SKIP_FIREWALL;
 		memset(&pd, 0, sizeof(pd));
 		pd.pf_mtag = pf_find_mtag(m);
 		if (error == 0)
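Review bot: the new `m->m_flags |= M_SKIP_FIREWALL;` line in the pf_refragment6() loop carries no comment, so the reason these fragments bypass the firewall lives only in the commit log; suggest a short comment directly above it, e.g. `/* Already filtered on the reassembled packet; skip pfil so the fragments are not reassembled and refragmented again in a loop. */`. That comment should also note that M_SKIP_FIREWALL is a generic mbuf flag honored at the pfil call sites, so these fragments skip every firewall attached to the forward-path hook, not only pf's own rules.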


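The reassemble/forward/refragment recursion described in the log, and how marking the refragmented mbufs breaks it, as an added model written for this page (not FreeBSD code). The struct names, the 10-byte packet, the 4-byte fragment size and the depth budget are constructed stand-ins for the kernel's mbufs, pf reassembly state and stack; the `skip_fw` field models M_SKIP_FIREWALL.

```c
/* Added example, not from the FreeBSD tree: a toy model of the pfil loop in
 * the commit message. Fragments arrive on the input hook, are reassembled,
 * the full packet is forwarded, pf refragments it, and the fragments hit the
 * forward-path hook again. Packet sizes and names are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PKT_TOTAL 10   /* bytes in the constructed original packet */
#define MTU 4          /* bytes per fragment after refragmentation */
#define MAX_DEPTH 16   /* recursion budget standing in for the kernel stack */

struct mbuf {
    int off, len, total;
    bool reassembled;   /* defragmented by pf; must be refragmented on forward */
    bool skip_fw;       /* models M_SKIP_FIREWALL */
};

struct sim {
    bool use_skip_flag; /* apply the one-line fix from the commit? */
    int collected;      /* reassembly state: fragment bytes queued so far */
    int hook_calls;     /* times the pf hook actually ran */
    int frags_sent;     /* fragments that left the box */
    int max_depth;      /* deepest ip6_forward() recursion reached */
    bool overflowed;    /* hit MAX_DEPTH: the "run out of stack" outcome */
};

/* Model of the pf scrub hook: fragments are queued until the whole packet is
 * present, then a single reassembled mbuf is returned in *m. Returns false
 * when the fragment was swallowed into the queue. */
static bool pf_hook(struct sim *s, struct mbuf *m)
{
    s->hook_calls++;
    if (m->len == m->total)          /* not a fragment: inspect and pass */
        return true;
    s->collected += m->len;
    if (s->collected < m->total)
        return false;                /* queued, waiting for the rest */
    s->collected = 0;
    m->off = 0; m->len = m->total; m->reassembled = true; m->skip_fw = false;
    return true;
}

static void ip6_forward(struct sim *s, struct mbuf *m, int depth);

/* Model of pf_refragment6(): split back into MTU-sized fragments and hand
 * each one to ip6_forward(), as the loop in the hunk does. */
static void pf_refragment6(struct sim *s, struct mbuf *m, int depth)
{
    for (int off = 0; off < m->total; off += MTU) {
        struct mbuf f = { .off = off, .total = m->total, .reassembled = false };
        f.len = (m->total - off < MTU) ? m->total - off : MTU;
        f.skip_fw = s->use_skip_flag;   /* the fix: m->m_flags |= M_SKIP_FIREWALL */
        ip6_forward(s, &f, depth + 1);
    }
}

static void ip6_forward(struct sim *s, struct mbuf *m, int depth)
{
    if (s->overflowed) return;
    if (depth > s->max_depth) s->max_depth = depth;
    if (depth >= MAX_DEPTH) { s->overflowed = true; return; }
    if (!m->skip_fw && !pf_hook(s, m))  /* pfil hook in ip6_forward() */
        return;                         /* fragment queued by the firewall */
    if (m->reassembled) {
        pf_refragment6(s, m, depth);    /* forwarding a reassembled packet */
        return;
    }
    s->frags_sent++;
}

/* Entry: three constructed fragments (4+4+2 bytes) arrive at the pfil point
 * in ip6_input(), get reassembled, and the full packet is forwarded.
 * Returns -1 when the recursion budget is exhausted, 0 otherwise. */
int simulate(bool use_skip_flag, struct sim *s)
{
    memset(s, 0, sizeof *s);
    s->use_skip_flag = use_skip_flag;
    int offs[] = {0, 4, 8}, lens[] = {4, 4, 2};
    for (int i = 0; i < 3; i++) {
        struct mbuf m = { .off = offs[i], .len = lens[i], .total = PKT_TOTAL };
        if (pf_hook(s, &m))
            ip6_forward(s, &m, 0);
    }
    return s->overflowed ? -1 : 0;
}

int main(void)
{
    struct sim s;
    int rc = simulate(false, &s);
    printf("without M_SKIP_FIREWALL: rc=%d hook_calls=%d depth=%d sent=%d\n",
           rc, s.hook_calls, s.max_depth, s.frags_sent);
    rc = simulate(true, &s);
    printf("with    M_SKIP_FIREWALL: rc=%d hook_calls=%d depth=%d sent=%d\n",
           rc, s.hook_calls, s.max_depth, s.frags_sent);
    return 0;
}
```

Without the flag every refragmentation cycle feeds its last fragment back into reassembly and recurses one level deeper until the budget is gone and nothing is ever sent; with it the reassembled packet is inspected exactly once on the forward path and its three fragments go straight out.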
