From owner-svn-src-stable@FreeBSD.ORG Wed Jun 17 07:28:51 2015 Return-Path: Delivered-To: svn-src-stable@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EA7A2BA2; Wed, 17 Jun 2015 07:28:51 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BDF5F26E; Wed, 17 Jun 2015 07:28:51 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t5H7SpfI012450; Wed, 17 Jun 2015 07:28:51 GMT (envelope-from hselasky@FreeBSD.org) Received: (from hselasky@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t5H7Sp4E012449; Wed, 17 Jun 2015 07:28:51 GMT (envelope-from hselasky@FreeBSD.org) Message-Id: <201506170728.t5H7Sp4E012449@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: hselasky set sender to hselasky@FreeBSD.org using -f From: Hans Petter Selasky Date: Wed, 17 Jun 2015 07:28:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r284497 - stable/9/sys/netinet X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Jun 2015 07:28:52 -0000 Author: hselasky Date: Wed Jun 17 07:28:51 2015 New Revision: 284497 URL: https://svnweb.freebsd.org/changeset/base/284497 Log: MFC r280991: Extend fixes made in r278103 and r38754 by copying the complete packet header and not only partial flags and fields. Firewalls can attach classification tags to the outgoing mbufs which should be copied to all the new fragments. Else only the first fragment will be let through by the firewall. This can easily be tested by sending a large ping packet through a firewall. It was also discovered that VLAN related flags and fields should be copied for packets traversing through VLANs. This is all handled by "m_dup_pkthdr()". Regarding the MAC policy check in ip_fragment(), the tag provided by the originating mbuf is copied instead of using the default one provided by m_gethdr(). Tested by: Karim Fodil-Lemelin Sponsored by: Mellanox Technologies PR: 7802 Modified: stable/9/sys/netinet/ip_output.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netinet/ip_output.c ============================================================================== --- stable/9/sys/netinet/ip_output.c Wed Jun 17 07:21:43 2015 (r284496) +++ stable/9/sys/netinet/ip_output.c Wed Jun 17 07:28:51 2015 (r284497) @@ -785,11 +785,20 @@ smart_frag_failure: IPSTAT_INC(ips_odropped); goto done; } - /* copy multicast and flowid flag, if any */ - m->m_flags |= (m0->m_flags & (M_FLOWID | M_MCAST)) | M_FRAG; - /* make sure the flowid is the same for the fragmented mbufs */ - M_HASHTYPE_SET(m, M_HASHTYPE_GET(m0)); - m->m_pkthdr.flowid = m0->m_pkthdr.flowid; + /* + * Make sure the complete packet header gets copied + * from the originating mbuf to the newly created + * mbuf. This also ensures that existing firewall + * classification(s), VLAN tags and so on get copied + * to the resulting fragmented packet(s): + */ + if (m_dup_pkthdr(m, m0, M_NOWAIT) == 0) { + m_free(m); + error = ENOBUFS; + IPSTAT_INC(ips_odropped); + goto done; + } + m->m_flags |= M_FRAG; /* * In the first mbuf, leave room for the link header, then * copy the original IP header including options. The payload @@ -820,11 +829,9 @@ smart_frag_failure: goto done; } m->m_pkthdr.len = mhlen + len; - m->m_pkthdr.rcvif = NULL; #ifdef MAC mac_netinet_fragment(m0, m); #endif - m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags; mhip->ip_off = htons(mhip->ip_off); mhip->ip_sum = 0; if (sw_csum & CSUM_DELAY_IP)