ipfw: teach ipfw that pfsync is an upper layer protocol

Explicitly add pfsync as a know upper layer protocol so we don't automatically discard pfsync packets (carried over IPv6). net.inet6.ip6.fw.deny_unknown_exthdrs defaults to 1, so even if net.inet.ip.fw.default_to_accept is set to 1 we'd discard pfsync (over IPv6). Reviewed by: ae Differential Revision: https://reviews.freebsd.org/D40973
2026-05-28 04:12:45 -04:00 · 2023-07-11 12:37:17 +02:00 · 2023-07-11 12:37:17 +02:00 · 66f2f9ee08
commit 66f2f9ee08
parent d744a37a3a
1 changed files with 5 additions and 0 deletions
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@ -69,6 +69,7 @@ __FBSDID("$FreeBSD$");
 #include <net/route/nhop.h>
 #include <net/pfil.h>
 #include <net/vnet.h>
+#include <net/if_pfsync.h>

 #include <netpfil/pf/pf_mtag.h>

@ -1718,6 +1719,10 @@ do {								\
 				PULLUP_TO(hlen, ulp, struct ip);
 				break;

+			case IPPROTO_PFSYNC:
+				PULLUP_TO(hlen, ulp, struct pfsync_header);
+				break;
+
 			default:
 				if (V_fw_verbose)
 					printf("IPFW2: IPV6 - Unknown "