freebsd-nq/sys/netpfil/pf
Kristof Provost 1873dcc8c9 pf: Skip firewall for refragmented ip6 packets
In cases where we scrub (fragment reassemble) on both input and output
we risk ending up in infinite loops when forwarding packets.

Fragmented packets come in and get collected until we can defragment. At
that point the defragmented packet is handed back to the ip stack (at
the pfil point in ip6_input(). Normal processing continues.

Eventually we figure out that the packet has to be forwarded and we end
up at the pfil hook in ip6_forward(). After doing the inspection on the
defragmented packet we see that the packet has been defragmented and
because we're forwarding we have to refragment it.

In pf_refragment6() we split the packet up again and then ip6_forward()
the individual fragments.  Those fragments hit the pfil hook on the way
out, so they're collected until we can reconstruct the full packet, at
which point we're right back where we left off and things continue until
we run out of stack.

Break that loop by marking the fragments generated by pf_refragment6()
as M_SKIP_FIREWALL. There's no point in processing those packets in the
firewall anyway. We've already filtered on the full packet.

Differential Revision:	https://reviews.freebsd.org/D2197
Reviewed by:	glebius, gnn
Approved by:	gnn (mentor)
2015-04-06 19:05:00 +00:00
..
if_pflog.c Mechanically convert to if_inc_counter(). 2014-09-19 09:19:29 +00:00
if_pfsync.c o Use new function ip_fillid() in all places throughout the kernel, 2015-04-01 22:26:39 +00:00
in4_cksum.c
pf_altq.h Move new pf includes to the pf directory. The pfvar.h remain 2013-10-27 16:25:57 +00:00
pf_if.c Back out r276841, r276756, r276747, r276746. The change in r276747 is very 2015-01-22 01:23:16 +00:00
pf_ioctl.c Always lock the hash row of a source node when updating its 'states' counter. 2015-03-17 12:19:28 +00:00
pf_lb.c Do not lookup source node twice when pf_map_addr() is used. 2014-08-15 14:16:08 +00:00
pf_mtag.h In the forwarding case refragment the reassembled packets with the same 2015-02-16 07:01:02 +00:00
pf_norm.c pf: Skip firewall for refragmented ip6 packets 2015-04-06 19:05:00 +00:00
pf_osfp.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
pf_ruleset.c Provide includes that are needed in these files, and before were read 2013-10-26 18:18:50 +00:00
pf_table.c Back out r276841, r276756, r276747, r276746. The change in r276747 is very 2015-01-22 01:23:16 +00:00
pf.c Always lock the hash row of a source node when updating its 'states' counter. 2015-03-17 12:19:28 +00:00
pf.h In the forwarding case refragment the reassembled packets with the same 2015-02-16 07:01:02 +00:00