diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index b948bef22b41..588bc0542a31 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -774,11 +774,19 @@ ip_fragment(struct ip *ip, struct mbuf **m_frag, int mtu,
 IPSTAT_INC(ips_odropped);
 goto done;
 }
- /* make sure the flowid is the same for the fragmented mbufs */
- M_HASHTYPE_SET(m, M_HASHTYPE_GET(m0));
- m->m_pkthdr.flowid = m0->m_pkthdr.flowid;
- /* copy multicast flag, if any */
- m->m_flags |= (m0->m_flags & M_MCAST);
+ /*
+ * Make sure the complete packet header gets copied
+ * from the originating mbuf to the newly created
+ * mbuf. This also ensures that existing firewall
+ * classification(s), VLAN tags and so on get copied
+ * to the resulting fragmented packet(s):
+ */
+ if (m_dup_pkthdr(m, m0, M_NOWAIT) == 0) {
+ m_free(m);
+ error = ENOBUFS;
+ IPSTAT_INC(ips_odropped);
+ goto done;
+ }
 /*
 * In the first mbuf, leave room for the link header, then
 * copy the original IP header including options. The payload
@@ -808,11 +816,9 @@ ip_fragment(struct ip *ip, struct mbuf **m_frag, int mtu,
 goto done;
 }
 m->m_pkthdr.len = mhlen + len;
- m->m_pkthdr.rcvif = NULL;
 #ifdef MAC
 mac_netinet_fragment(m0, m);
 #endif
- m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
 mhip->ip_off = htons(mhip->ip_off);
 mhip->ip_sum = 0;
 if (m->m_pkthdr.csum_flags & CSUM_IP & ~if_hwassist_flags) {
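Review bot: The wholesale `m_dup_pkthdr(m, m0, M_NOWAIT)` copy changes more than the new comment says, and the comment should spell out the side effects. Together with the second hunk, which drops `m->m_pkthdr.rcvif = NULL;`, each fragment now keeps m0's receive-interface pointer instead of having it cleared. If that is intended, add a line such as `* Note: rcvif and csum_flags are now inherited from m0 as well.`; if not, keep the reset after the copy. The copy presumably also duplicates the full tag chain and every copyable mbuf flag per fragment rather than only `M_MCAST`, so it is worth confirming that no tag attached to m0 is meant to apply once per packet rather than once per fragment. ip_fragment's body starts and ends outside both hunks, so the cleanup at `done` could not be checked from here.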