On Mon, Nov 21, 2016 at 18:16 +0100, Alexander Bluhm wrote:
> Hi,
> 
> Path MTU discovery and traceroute do not always work with pf
> af-to.  If an incoming packet is put directly into the output path,
> the icmp error packet is never sent.  As this is basically
> forwarding, calling ip_forward() for such packets does everything
> that is needed.
> 
> ok?
>

I'm surprised this works as I'm pretty sure it didn't way back when...
But no matter, this totally makes sense to me and I'm fine with the
change.

> bluhm
> 
> Index: net/pf.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
> retrieving revision 1.1000
> diff -u -p -r1.1000 pf.c
> --- net/pf.c  21 Nov 2016 15:23:18 -0000      1.1000
> +++ net/pf.c  21 Nov 2016 15:30:20 -0000
> @@ -6906,10 +6906,18 @@ done:
>                       pd.m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
>                       switch (pd.naf) {
>                       case AF_INET:
> -                             ip_output(pd.m, NULL, NULL, 0, NULL, NULL, 0);
> +                             if (pd.dir == PF_IN)
> +                                     ip_forward(pd.m, ifp, NULL, 1);
> +                             else
> +                                     ip_output(pd.m, NULL, NULL, 0, NULL,
> +                                         NULL, 0);
>                               break;
>                       case AF_INET6:
> -                             ip6_output(pd.m, NULL, NULL, 0, NULL, NULL);
> +                             if (pd.dir == PF_IN)
> +                                     ip6_forward(pd.m, NULL, 1);
> +                             else
> +                                     ip6_output(pd.m, NULL, NULL, 0, NULL,
> +                                         NULL);
>                               break;
>                       }
>                       pd.m = NULL;
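Review bot: The trailing `1` in `ip_forward(pd.m, ifp, NULL, 1)` and `ip6_forward(pd.m, NULL, 1)` is a bare flag whose meaning is not visible at the call site, and the prototype added in ip_var.h declares that parameter without a name either. If it is the same redirect-suppression flag that ipv4_input passes when pf has rewritten the destination (which an af-to translated packet always is), a one-line comment above `if (pd.dir == PF_IN)` would spare the next reader a trip into ip_forward(): `/* translated packet is forwarded, not locally generated; srcrt=1 suppresses ICMP redirects */`. It is worth confirming that the IPv6 call has the same contract, since the ip6_forward prototype is not part of this diff. The enclosing function begins and ends outside the hunk.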
> Index: netinet/ip_input.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.285
> diff -u -p -r1.285 ip_input.c
> --- netinet/ip_input.c        14 Nov 2016 04:27:03 -0000      1.285
> +++ netinet/ip_input.c        21 Nov 2016 15:29:41 -0000
> @@ -129,7 +129,6 @@ static struct mbuf_queue  ipsend_mq;
>  void ip_ours(struct mbuf *);
>  int  ip_dooptions(struct mbuf *, struct ifnet *);
>  int  in_ouraddr(struct mbuf *, struct ifnet *, struct rtentry **);
> -void ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
>  #ifdef IPSEC
>  int  ip_input_ipsec_fwd_check(struct mbuf *, int);
>  int  ip_input_ipsec_ours_check(struct mbuf *, int);
> Index: netinet/ip_var.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_var.h,v
> retrieving revision 1.63
> diff -u -p -r1.63 ip_var.h
> --- netinet/ip_var.h  14 Nov 2016 03:51:53 -0000      1.63
> +++ netinet/ip_var.h  21 Nov 2016 15:29:41 -0000
> @@ -249,6 +249,7 @@ void       ip_savecontrol(struct inpcb *, str
>           struct mbuf *);
>  void  ipintr(void);
>  void  ipv4_input(struct mbuf *);
> +void  ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
>  int   rip_ctloutput(int, struct socket *, int, int, struct mbuf **);
>  void  rip_init(void);
>  void  rip_input(struct mbuf *, ...);
> 
