Evaluate packet size after the firewall had its chance in the ip6 fast path

Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet. This mirrors what the slow path does. Reviewed by: ae MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D12779
svn path=/head/; revision=324996
2017-10-25 19:21:48 +00:00 · 2017-10-25 19:21:48 +00:00 · a0bf3ee425 · 2020-12-20 02:59:44 +00:00
commit a0bf3ee425
parent 7562d7ddbd
1 changed files with 10 additions and 8 deletions
--- a/sys/netinet6/ip6_fastfwd.c
+++ b/sys/netinet6/ip6_fastfwd.c
@ -194,6 +194,16 @@ ip6_tryforward(struct mbuf *m)
 		in6_ifstat_inc(rcvif, ifs6_in_noroute);
 		goto dropin;
 	}
+
+	/*
+	 * Outgoing packet firewall processing.
+	 */
+	if (!PFIL_HOOKED(&V_inet6_pfil_hook))
+		goto passout;
+	if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
+	    NULL) != 0 || m == NULL)
+		goto dropout;
+
 	/*
 	 * We used slow path processing for packets with scoped addresses.
 	 * So, scope checks aren't needed here.
@ -205,14 +215,6 @@ ip6_tryforward(struct mbuf *m)
 		goto dropout;
 	}

-	/*
-	 * Outgoing packet firewall processing.
-	 */
-	if (!PFIL_HOOKED(&V_inet6_pfil_hook))
-		goto passout;
-	if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
-	    NULL) != 0 || m == NULL)
-		goto dropout;
 	/*
 	 * If packet filter sets the M_FASTFWD_OURS flag, this means
 	 * that new destination or next hop is our local address.