diff options
author | Kristof Provost <kp@FreeBSD.org> | 2017-10-25 19:21:48 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2017-10-25 19:21:48 +0000 |
commit | a0bf3ee4252a1b3309b1eff635d92028866f70b3 (patch) | |
tree | 10d97bd67436e2440cb54830c0da16aee68146fc /sys/netinet6/ip6_fastfwd.c | |
parent | 7562d7ddbd91976a746f57af61dbd3e5a9f28faa (diff) | |
download | src-a0bf3ee4252a1b3309b1eff635d92028866f70b3.tar.gz src-a0bf3ee4252a1b3309b1eff635d92028866f70b3.zip |
Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it. This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.
This mirrors what the slow path does.
Reviewed by: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D12779
Notes
Notes:
svn path=/head/; revision=324996
Diffstat (limited to 'sys/netinet6/ip6_fastfwd.c')
-rw-r--r-- | sys/netinet6/ip6_fastfwd.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/sys/netinet6/ip6_fastfwd.c b/sys/netinet6/ip6_fastfwd.c index 5358868b68af..e7a8a7b03749 100644 --- a/sys/netinet6/ip6_fastfwd.c +++ b/sys/netinet6/ip6_fastfwd.c @@ -194,6 +194,16 @@ passin: in6_ifstat_inc(rcvif, ifs6_in_noroute); goto dropin; } + + /* + * Outgoing packet firewall processing. + */ + if (!PFIL_HOOKED(&V_inet6_pfil_hook)) + goto passout; + if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT, + NULL) != 0 || m == NULL) + goto dropout; + /* * We used slow path processing for packets with scoped addresses. * So, scope checks aren't needed here. @@ -206,14 +216,6 @@ passin: } /* - * Outgoing packet firewall processing. - */ - if (!PFIL_HOOKED(&V_inet6_pfil_hook)) - goto passout; - if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT, - NULL) != 0 || m == NULL) - goto dropout; - /* * If packet filter sets the M_FASTFWD_OURS flag, this means * that new destination or next hop is our local address. * So, we can just go back to ip6_input. |