Hi,
Path MTU discovery and traceroute do not always work with pf
af-to. If an incoming packet is put directly into the output path,
the ICMP error packet is never sent. As this is basically
forwarding, calling ip_forward() for such packets does everything
that is needed.
ok?
bluhm
Index: net/pf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.1000
diff -u -p -r1.1000 pf.c
--- net/pf.c 21 Nov 2016 15:23:18 -0000 1.1000
+++ net/pf.c 21 Nov 2016 15:30:20 -0000
@@ -6906,10 +6906,18 @@ done:
pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
switch (pd.naf) {
case AF_INET:
- ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
+ if (pd.dir == PF_IN)
+ ip_forward(pd.m, ifp, NULL, 1);
+ else
+ ip_output(pd.m, NULL, NULL, 0, NULL,
+ NULL, 0);
break;
case AF_INET6:
- ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
+ if (pd.dir == PF_IN)
+ ip6_forward(pd.m, NULL, 1);
+ else
+ ip6_output(pd.m, NULL, NULL, 0, NULL,
+ NULL);
break;
}
pd.m = NULL;
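Review bot: The `pd.dir == PF_IN` branches pass a bare `1` as the last argument to `ip_forward()` and `ip6_forward()` and carry no comment explaining why input-side af-to goes through the forwarding path; a comment above the `switch` such as `/* af-to on input is forwarding; use the forward path so ICMP errors for PMTU discovery and traceroute are sent */` would record the intent. The literal is presumably the source-route flag that keeps the forward path from emitting redirects, which should be confirmed against the function definitions and stated in the comment. Because the packet is already tagged `PF_TAG_GENERATED` and translated to `pd.naf` at this point, any ICMP error is built in the new address family from the post-translation header; whether pf maps it back to the original sender, and whether these calls honour the forwarding sysctls, is decided outside this hunk and is worth a regression test. The hunk starts at the `done:` label, so the enclosing function is not fully visible.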
Index: netinet/ip_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.285
diff -u -p -r1.285 ip_input.c
--- netinet/ip_input.c 14 Nov 2016 04:27:03 -0000 1.285
+++ netinet/ip_input.c 21 Nov 2016 15:29:41 -0000
@@ -129,7 +129,6 @@ static struct mbuf_queue ipsend_mq;
void ip_ours(struct mbuf *);
int ip_dooptions(struct mbuf *, struct ifnet *);
int in_ouraddr(struct mbuf *, struct ifnet *, struct rtentry **);
-void ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
#ifdef IPSEC
int ip_input_ipsec_fwd_check(struct mbuf *, int);
int ip_input_ipsec_ours_check(struct mbuf *, int);
Index: netinet/ip_var.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_var.h,v
retrieving revision 1.63
diff -u -p -r1.63 ip_var.h
--- netinet/ip_var.h 14 Nov 2016 03:51:53 -0000 1.63
+++ netinet/ip_var.h 21 Nov 2016 15:29:41 -0000
@@ -249,6 +249,7 @@ void ip_savecontrol(struct inpcb *, str
struct mbuf *);
void ipintr(void);
void ipv4_input(struct mbuf *);
+void ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
int rip_ctloutput(int, struct socket *, int, int, struct mbuf **);
void rip_init(void);
void rip_input(struct mbuf *, ...);