Date:      Fri, 21 Jun 2019 07:58:08 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r349266 - head/sys/netinet
Message-ID:  <201906210758.x5L7w8hp080487@repo.freebsd.org>

Author: kp
Date: Fri Jun 21 07:58:08 2019
New Revision: 349266
URL: https://svnweb.freebsd.org/changeset/base/349266

Log:
  ip_output: pass PFIL_FWD in the slow path
  
  If we take the slow path for forwarding we should still tell our
  firewalls (hooked through pfil(9)) that we're forwarding. Pass the
  ip_output() flags to ip_output_pfil() so it can set the PFIL_FWD flag
  when we're forwarding.
  
  MFC after:	1 week
  Sponsored by:	Axiado

Modified:
  head/sys/netinet/ip_output.c

Modified: head/sys/netinet/ip_output.c
==============================================================================
--- head/sys/netinet/ip_output.c	Fri Jun 21 07:45:58 2019	(r349265)
+++ head/sys/netinet/ip_output.c	Fri Jun 21 07:58:08 2019	(r349266)
@@ -109,20 +109,24 @@ extern int in_mcast_loop;
 extern	struct protosw inetsw[];
 
 static inline int
-ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, struct inpcb *inp,
-    struct sockaddr_in *dst, int *fibnum, int *error)
+ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, int flags,
+    struct inpcb *inp, struct sockaddr_in *dst, int *fibnum, int *error)
 {
 	struct m_tag *fwd_tag = NULL;
 	struct mbuf *m;
 	struct in_addr odst;
 	struct ip *ip;
+	int pflags = PFIL_OUT;
 
+	if (flags & IP_FORWARDING)
+		pflags |= PFIL_FWD;
+
 	m = *mp;
 	ip = mtod(m, struct ip *);
 
 	/* Run through list of hooks for output packets. */
 	odst.s_addr = ip->ip_dst.s_addr;
-	switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, PFIL_OUT, inp)) {
+	switch (pfil_run_hooks(V_inet_pfil_head, mp, ifp, pflags, inp)) {
 	case PFIL_DROPPED:
 		*error = EPERM;
 		/* FALLTHROUGH */
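Review bot: The new `flags` parameter of ip_output_pfil carries no documentation, and since the function is `static inline` with no header comment, a reader has to find the ip_output() call site to learn that it is the caller's ip_output() flag word rather than a pfil flag word. I would add above the definition: `/* flags: the caller's ip_output() flags. IP_FORWARDING is translated into PFIL_FWD so pfil(9) hooks can distinguish forwarded packets from locally originated ones. */`. Mixing the two flag spaces in one function is easy to get wrong later, so stating on the `pflags` declaration that it is the PFIL_* word (`int pflags = PFIL_OUT; /* pfil(9) flags, not ip_output() flags */`) would also help. The matching call-site change in the second hunk is inside ip_output, which starts and ends outside that hunk, and needs nothing further.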
@@ -653,7 +657,8 @@ sendit:
 
 	/* Jump over all PFIL processing if hooks are not active. */
 	if (PFIL_HOOKED_OUT(V_inet_pfil_head)) {
-		switch (ip_output_pfil(&m, ifp, inp, dst, &fibnum, &error)) {
+		switch (ip_output_pfil(&m, ifp, flags, inp, dst, &fibnum,
+		    &error)) {
 		case 1: /* Finished */
 			goto done;
 


