From owner-svn-src-all@FreeBSD.ORG Thu Jun 18 20:43:17 2015 Return-Path: Delivered-To: svn-src-all@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 18ADBC36; Thu, 18 Jun 2015 20:43:17 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E1059C0B; Thu, 18 Jun 2015 20:43:16 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t5IKhG6n032156; Thu, 18 Jun 2015 20:43:16 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t5IKhGD9032155; Thu, 18 Jun 2015 20:43:16 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201506182043.t5IKhGD9032155@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Thu, 18 Jun 2015 20:43:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r284574 - stable/10/sys/netpfil/pf X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Jun 2015 20:43:17 -0000 Author: kp Date: Thu Jun 18 20:43:16 2015 New Revision: 284574 URL: https://svnweb.freebsd.org/changeset/base/284574 Log: Merge r281164 pf: Skip firewall for refragmented ip6 packets In cases where we scrub (fragment reassemble) on both input and output we risk ending up in infinite loops when forwarding packets. Fragmented packets come in and get collected until we can defragment. At that point the defragmented packet is handed back to the ip stack (at the pfil point in ip6_input(). Normal processing continues. Eventually we figure out that the packet has to be forwarded and we end up at the pfil hook in ip6_forward(). After doing the inspection on the defragmented packet we see that the packet has been defragmented and because we're forwarding we have to refragment it. In pf_refragment6() we split the packet up again and then ip6_forward() the individual fragments. Those fragments hit the pfil hook on the way out, so they're collected until we can reconstruct the full packet, at which point we're right back where we left off and things continue until we run out of stack. Break that loop by marking the fragments generated by pf_refragment6() as M_SKIP_FIREWALL. There's no point in processing those packets in the firewall anyway. We've already filtered on the full packet. Differential Revision: https://reviews.freebsd.org/D2819 Reviewed by: gnn Modified: stable/10/sys/netpfil/pf/pf_norm.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netpfil/pf/pf_norm.c ============================================================================== --- stable/10/sys/netpfil/pf/pf_norm.c Thu Jun 18 20:41:55 2015 (r284573) +++ stable/10/sys/netpfil/pf/pf_norm.c Thu Jun 18 20:43:16 2015 (r284574) @@ -1158,6 +1158,7 @@ pf_refragment6(struct ifnet *ifp, struct for (t = m; m; m = t) { t = m->m_nextpkt; m->m_nextpkt = NULL; + m->m_flags |= M_SKIP_FIREWALL; memset(&pd, 0, sizeof(pd)); pd.pf_mtag = pf_find_mtag(m); if (error == 0)