Author: ae
Date: Mon Feb 19 10:34:30 2018
New Revision: 329559
URL: https://svnweb.freebsd.org/changeset/base/329559

Log:
  MFC r328541:
    Do not skip scope zone violation check, when mbuf has M_FASTFWD_OURS flag.
  
    When an mbuf has the M_FASTFWD_OURS flag, the destination address is one
    of our local addresses, but the packet still needs to pass the scope zone
    violation check, because the protocol level expects IPv6 link-local
    addresses to have embedded scope zone indexes. This should fix the problem
    that occurs when ipfw is used to forward packets to a local address and
    the source address of the packet is an IPv6 LLA.
  
    Reported by:        asomers@

Modified:
  stable/11/sys/netinet6/ip6_input.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet6/ip6_input.c
==============================================================================
--- stable/11/sys/netinet6/ip6_input.c  Mon Feb 19 10:30:34 2018        
(r329558)
+++ stable/11/sys/netinet6/ip6_input.c  Mon Feb 19 10:34:30 2018        
(r329559)
@@ -571,10 +571,8 @@ ip6_input(struct mbuf *m)
                /*
                 * Firewall changed destination to local.
                 */
-               m->m_flags &= ~M_FASTFWD_OURS;
-               ours = 1;
                ip6 = mtod(m, struct ip6_hdr *);
-               goto hbhcheck;
+               goto passin;
        }
 
        /*
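Review bot: The mbuf still carries M_FASTFWD_OURS when it jumps to `passin`, and `ours` is now set only by the block added there, but the surviving comment does not say so; the same applies to the `goto passin` in the hunk after `ip6_tryforward()`, which has no comment at all. I would extend the comment to `/* Firewall changed destination to local; M_FASTFWD_OURS is consumed at passin, after the scope zone check. */` and repeat that one-liner at the second site. The scope check at `passin` passes `rcvif` to `in6_setscope()`, and the start of `ip6_input()` is outside this hunk, so it is worth confirming that `rcvif` is assigned before this early jump.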
@@ -735,10 +733,8 @@ ip6_input(struct mbuf *m)
                if ((m = ip6_tryforward(m)) == NULL)
                        return;
                if (m->m_flags & M_FASTFWD_OURS) {
-                       m->m_flags &= ~M_FASTFWD_OURS;
-                       ours = 1;
                        ip6 = mtod(m, struct ip6_hdr *);
-                       goto hbhcheck;
+                       goto passin;
                }
        }
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
@@ -769,13 +765,7 @@ ip6_input(struct mbuf *m)
                return;
        ip6 = mtod(m, struct ip6_hdr *);
        srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
-
-       if (m->m_flags & M_FASTFWD_OURS) {
-               m->m_flags &= ~M_FASTFWD_OURS;
-               ours = 1;
-               goto hbhcheck;
-       }
-       if ((m->m_flags & M_IP6_NEXTHOP) &&
+       if ((m->m_flags & (M_IP6_NEXTHOP | M_FASTFWD_OURS)) == M_IP6_NEXTHOP &&
            m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
                /*
                 * Directly ship the packet on.  This allows forwarding
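Review bot: The mask-and-compare `(m->m_flags & (M_IP6_NEXTHOP | M_FASTFWD_OURS)) == M_IP6_NEXTHOP` is easy to misread as a plain next-hop test; it is true only when M_IP6_NEXTHOP is set and M_FASTFWD_OURS is clear. A short comment above the `if`, such as `/* M_FASTFWD_OURS takes precedence: a packet redirected to a local address is not forwarded. */`, would keep a later cleanup from simplifying it back to `m->m_flags & M_IP6_NEXTHOP` and sending locally-destined packets down the forwarding path. The body of this `if` continues outside the hunk.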
@@ -805,6 +795,11 @@ passin:
            in6_setscope(&ip6->ip6_dst, rcvif, NULL)) {
                IP6STAT_INC(ip6s_badscope);
                goto bad;
+       }
+       if (m->m_flags & M_FASTFWD_OURS) {
+               m->m_flags &= ~M_FASTFWD_OURS;
+               ours = 1;
+               goto hbhcheck;
        }
        /*
         * Multicast check. Assume packet is for us to avoid
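Review bot: The new M_FASTFWD_OURS block carries no comment, yet its position after the `in6_setscope()` check is the whole fix: moving it back above that check would again let firewall-redirected packets skip scope zone validation. I would add `/* Handled only after the scope zone check: upper layers expect link-local addresses to carry an embedded zone index (r328541). */` above the `if`. Packets that fail the check are counted in `ip6s_badscope` and dropped via `goto bad`, so a rise in that counter on hosts with ipfw forward-to-local rules would indicate traffic that previously bypassed the check. `ip6_input()` continues outside the hunk.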