#
334438 |
|
31-May-2018 |
tuexen |
MFC r333186:
Send an ICMPv6 PacketTooBig message in case of forwarding a packet which is too big for the outgoing interface and no firewall is involved.
This problem was introduced in https://svnweb.freebsd.org/changeset/base/324996
Thanks to Irene Ruengeler for finding the bug and testing the fix.
Approved by: re
|
#
332810 |
|
20-Apr-2018 |
ae |
MFC r332475: Add check that mbuf does not have a multicast layer2 address. Such packets should be handled by ip6_mforward().
|
#
332513 |
|
15-Apr-2018 |
kp |
MFC r331436:
netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for firewalls to figure out if they were forwarding or producing packets. This in turn is an issue for pf for IPv6 fragment handling: it needs to call ip6_output() or ip6_forward() to handle the fragments. Figuring out which was difficult (and until now, incorrect). Having pfil distinguish the two removes an ugly piece of code from pf.
Introduce a new variant of the netpfil callbacks with a flags variable, which has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if a packet is forwarded.
|
#
325282 |
|
01-Nov-2017 |
kp |
MFC r324996:
Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet. This mirrors what the slow path does.
|
#
311681 |
|
08-Jan-2017 |
ae |
MFC r309883: Add ip6_tryforward() - a run to completion forwarding implementation for IPv6.
It gets performance benefits from a reduced number of checks. It doesn't copy the mbuf to be able to send an ICMPv6 error message, because it keeps the mbuf unchanged until the moment when the route decision has been made. It doesn't do IPsec checks, and when some IPsec security policies are present, ip6_input() uses the normal slow path.
Relnotes: yes
Sponsored by: Yandex LLC
|