Date:      Tue, 4 Feb 2025 21:14:11 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 1f4c3887e3fa - main - pfil: set PFIL_FWD for IPv4 forwarding
Message-ID:  <202502042114.514LEBuj039521@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=1f4c3887e3fad411914ddc729fce175d5613e2b4

commit 1f4c3887e3fad411914ddc729fce175d5613e2b4
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-01-31 15:53:34 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-04 20:56:06 +0000

    pfil: set PFIL_FWD for IPv4 forwarding
    
    Just like we already do for IPv6 set the PFIL_FWD flag when we're forwarding
    IPv4 traffic. This allows firewalls to make more precise decisions.
    
    Reviewed by:    glebius
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D48824
---
 sys/netinet/ip_fastfwd.c | 2 +-
 sys/netinet/ip_output.c  | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 6d34ba4f5420..7a80cce908c1 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -401,7 +401,7 @@ passin:
 	if (!PFIL_HOOKED_OUT(V_inet_pfil_head))
 		goto passout;
 
-	if (pfil_mbuf_out(V_inet_pfil_head, &m, nh->nh_ifp,
+	if (pfil_mbuf_fwd(V_inet_pfil_head, &m, nh->nh_ifp,
 	    NULL) != PFIL_PASS)
 		goto drop;
 
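Review bot: the guard directly above this change is still `PFIL_HOOKED_OUT(V_inet_pfil_head)`, so the hunk assumes `pfil_mbuf_fwd()` runs the same output hook list as `pfil_mbuf_out()` and only adds the PFIL_FWD flag; if it consulted a different hook list the fast-forward path would skip filtering whenever no plain output hook is registered. Worth confirming that pairing (the IPv6 forwarding path this mirrors uses the same guard) and stating it in a one-line comment, since the `NULL` inp argument and the `goto drop` handling are otherwise unchanged.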
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 9317d5d57e1d..d0dbd22512f0 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -112,13 +112,19 @@ ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, int flags,
 	struct mbuf *m;
 	struct in_addr odst;
 	struct ip *ip;
+	int ret;
 
 	m = *mp;
 	ip = mtod(m, struct ip *);
 
 	/* Run through list of hooks for output packets. */
 	odst.s_addr = ip->ip_dst.s_addr;
-	switch (pfil_mbuf_out(V_inet_pfil_head, mp, ifp, inp)) {
+	if (flags & IP_FORWARDING)
+		ret = pfil_mbuf_fwd(V_inet_pfil_head, mp, ifp, inp);
+	else
+		ret = pfil_mbuf_out(V_inet_pfil_head, mp, ifp, inp);
+
+	switch (ret) {
 	case PFIL_DROPPED:
 		*error = EACCES;
 		/* FALLTHROUGH */
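Review bot: the `if (flags & IP_FORWARDING)` branch makes the PFIL_FWD distinction depend on every forwarding caller passing IP_FORWARDING down to `ip_output_pfil()`; packets from a forwarding path that drops the flag would still be reported to firewalls as locally generated output. The commit message should also note the visible behaviour change for pfil consumers: forwarded IPv4 packets now arrive on the output hooks flagged PFIL_FWD, as IPv6 already does, so any consumer that branches on that flag (pf and ipfw both run on this head) starts taking the forwarding path for IPv4 from this commit on.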