authorKristof Provost <kp@FreeBSD.org>2017-10-25 19:21:48 +0000
committerKristof Provost <kp@FreeBSD.org>2017-10-25 19:21:48 +0000
commita0bf3ee4252a1b3309b1eff635d92028866f70b3 (patch)
tree10d97bd67436e2440cb54830c0da16aee68146fc /sys/netinet6/ip6_fastfwd.c
parent7562d7ddbd91976a746f57af61dbd3e5a9f28faa (diff)
Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet. This mirrors what the slow path does. Reviewed by: ae MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D12779
Notes
Notes: svn path=/head/; revision=324996
Diffstat (limited to 'sys/netinet6/ip6_fastfwd.c')
-rw-r--r--sys/netinet6/ip6_fastfwd.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/sys/netinet6/ip6_fastfwd.c b/sys/netinet6/ip6_fastfwd.c
index 5358868b68af..e7a8a7b03749 100644
--- a/sys/netinet6/ip6_fastfwd.c
+++ b/sys/netinet6/ip6_fastfwd.c
@@ -194,6 +194,16 @@ passin:
in6_ifstat_inc(rcvif, ifs6_in_noroute);
goto dropin;
}
+
+ /*
+ * Outgoing packet firewall processing.
+ */
+ if (!PFIL_HOOKED(&V_inet6_pfil_hook))
+ goto passout;
+ if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
+ NULL) != 0 || m == NULL)
+ goto dropout;
+
/*
* We used slow path processing for packets with scoped addresses.
* So, scope checks aren't needed here.
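Review bot: The added `goto passout` for the no-hook case now sits above the packet size check, so if the `passout:` label lies below that check (the label is outside this hunk), a router with no pfil hooks registered would skip the check entirely and never generate ICMPv6 Packet Too Big, which breaks path MTU discovery for senders. One option is to skip only the hook call instead of jumping, e.g. `if (PFIL_HOOKED(&V_inet6_pfil_hook) && (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT, NULL) != 0 || m == NULL)) goto dropout;`, or to move the size check to `passout:`. Separately, the second hunk's context shows the M_FASTFWD_OURS handling still follows the size check, so a packet the firewall redirected to a local address or a new next hop appears to be measured against the original `nh.nh_mtu`; it is worth confirming that this is intended. The enclosing function starts and ends outside the hunk.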
@@ -206,14 +216,6 @@ passin:
}
/*
- * Outgoing packet firewall processing.
- */
- if (!PFIL_HOOKED(&V_inet6_pfil_hook))
- goto passout;
- if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
- NULL) != 0 || m == NULL)
- goto dropout;
- /*
* If packet filter sets the M_FASTFWD_OURS flag, this means
* that new destination or next hop is our local address.
* So, we can just go back to ip6_input.