Evaluate packet size after the firewall had its chance in the ip6 fast path
Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet. This mirrors what the slow path does. Reviewed by: ae MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D12779
This commit is contained in:
Kristof Provost
parent
7562d7ddbd
commit
a0bf3ee425
@ -194,6 +194,16 @@ passin:
|
|||||||
in6_ifstat_inc(rcvif, ifs6_in_noroute);
|
in6_ifstat_inc(rcvif, ifs6_in_noroute);
|
||||||
goto dropin;
|
goto dropin;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Outgoing packet firewall processing.
|
||||||
|
*/
|
||||||
|
if (!PFIL_HOOKED(&V_inet6_pfil_hook))
|
||||||
|
goto passout;
|
||||||
|
if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
|
||||||
|
NULL) != 0 || m == NULL)
|
||||||
|
goto dropout;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We used slow path processing for packets with scoped addresses.
|
* We used slow path processing for packets with scoped addresses.
|
||||||
* So, scope checks aren't needed here.
|
* So, scope checks aren't needed here.
|
||||||
@ -205,14 +215,6 @@ passin:
|
|||||||
goto dropout;
|
goto dropout;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Outgoing packet firewall processing.
|
|
||||||
*/
|
|
||||||
if (!PFIL_HOOKED(&V_inet6_pfil_hook))
|
|
||||||
goto passout;
|
|
||||||
if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
|
|
||||||
NULL) != 0 || m == NULL)
|
|
||||||
goto dropout;
|
|
||||||
/*
|
/*
|
||||||
* If packet filter sets the M_FASTFWD_OURS flag, this means
|
* If packet filter sets the M_FASTFWD_OURS flag, this means
|
||||||
* that new destination or next hop is our local address.
|
* that new destination or next hop is our local address.
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user