| #
334438 |
|
31-May-2018 |
tuexen |
MFC r333186:
Send an ICMPv6 PacketTooBig message in case of forwading a packet which
is too big for the outgoing interface and no firewall is involed.
This problem was introduced in
https://svnweb.freebsd.org/changeset/base/324996
Thanks to Irene Ruengeler for finding the bug and testing the fix.
Approved by: re
|
| #
332810 |
|
20-Apr-2018 |
ae |
MFC r332475:
Add check that mbuf had not multicast layer2 address.
Such packets should be handled by ip6_mforward().
|
| #
332513 |
|
15-Apr-2018 |
kp |
MFC r331436:
netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue for pf for IPv6 fragment handling: it needs to call
ip6_output() or ip6_forward() to handle the fragments. Figuring out which was
difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.
Introduce a new variant of the netpfil callbacks with a flags variable, which
has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if
a packet is forwarded.
|
| #
325282 |
|
01-Nov-2017 |
kp |
MFC r324996:
Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it. This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.
This mirrors what the slow path does.
|
| #
311681 |
|
08-Jan-2017 |
ae |
MFC r309883:
Add ip6_tryforward() - a run to completion forwarding implementation
for IPv6.
It gets performance benefits from reduced number of checks. It doesn't
copy mbuf to be able send ICMPv6 error message, because it keeps mbuf
unchanged until the moment, when the route decision has been made.
It doesn't do IPsec checks, and when some IPsec security policies present,
ip6_input() uses normal slow path.
Relnotes: yes
Sponsored by: Yandex LLC
|