Author: kp
Date: Wed Nov 1 13:54:16 2017
New Revision: 325282
URL: https://svnweb.freebsd.org/changeset/base/325282
Log:
MFC r324996:
Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it.
This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.
This mirrors what the slow path does.
Modified:
stable/11/sys/netinet6/ip6_fastfwd.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/netinet6/ip6_fastfwd.c
==============================================================================
--- stable/11/sys/netinet6/ip6_fastfwd.c Wed Nov 1 13:50:35 2017
(r325281)
+++ stable/11/sys/netinet6/ip6_fastfwd.c Wed Nov 1 13:54:16 2017
(r325282)
@@ -194,7 +194,17 @@ passin:
in6_ifstat_inc(rcvif, ifs6_in_noroute);
goto dropin;
}
+
/*
+ * Outgoing packet firewall processing.
+ */
+ if (!PFIL_HOOKED(&V_inet6_pfil_hook))
+ goto passout;
+ if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
+ NULL) != 0 || m == NULL)
+ goto dropout;
+
+ /*
* We used slow path processing for packets with scoped addresses.
* So, scope checks aren't needed here.
*/
@@ -205,14 +215,6 @@ passin:
goto dropout;
}
- /*
- * Outgoing packet firewall processing.
- */
- if (!PFIL_HOOKED(&V_inet6_pfil_hook))
- goto passout;
- if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
- NULL) != 0 || m == NULL)
- goto dropout;
/*
* If packet filter sets the M_FASTFWD_OURS flag, this means
* that new destination or next hop is our local address.
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
