pfil: set PFIL_FWD for IPv4 forwarding

Just like we already do for IPv6, set the PFIL_FWD flag when we're forwarding
IPv4 traffic. This allows firewalls to make more precise decisions.

Reviewed by:	glebius
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D48824
Kristof Provost 2025-01-31 16:53:34 +01:00 committed by Franco Fichtner
parent 4f4ebd2896
commit a33722184c
2 changed files with 8 additions and 2 deletions


@ -397,7 +397,7 @@ passin:
if (!PFIL_HOOKED_OUT(V_inet_pfil_head))
goto passout;
if (pfil_mbuf_out(V_inet_pfil_head, &m, nifp,
if (pfil_mbuf_fwd(V_inet_pfil_head, &m, nifp,
NULL) != PFIL_PASS)
goto drop;
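Review bot: The new `pfil_mbuf_fwd(V_inet_pfil_head, &m, nifp, NULL)` call is still guarded by `PFIL_HOOKED_OUT`, and no comment explains why that gate still fits the forwarding variant or why this path uses it unconditionally. Presumably `pfil_mbuf_fwd` walks the same output hook list with PFIL_FWD set, which should be confirmed against its definition. If so, I would add a comment above the call such as `/* Fast-forward path only handles forwarded packets: run the output hooks with PFIL_FWD set. */`, which also explains the contrast with `ip_output_pfil`, where the choice depends on `flags & IP_FORWARDING`. Any hook that branches on PFIL_FWD will now see it for IPv4 here, so a filter that treats forwarded and locally originated output differently may change verdicts and deserves a regression test. The enclosing function starts and ends outside this hunk.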


@ -113,13 +113,19 @@ ip_output_pfil(struct mbuf **mp, struct ifnet **ifp, int flags,
struct mbuf *m;
struct in_addr odst;
struct ip *ip;
int ret;
m = *mp;
ip = mtod(m, struct ip *);
/* Run through list of hooks for output packets. */
odst.s_addr = ip->ip_dst.s_addr;
switch (pfil_mbuf_out(V_inet_pfil_head, mp, *ifp, inp)) {
if (flags & IP_FORWARDING)
ret = pfil_mbuf_fwd(V_inet_pfil_head, mp, *ifp, inp);
else
ret = pfil_mbuf_out(V_inet_pfil_head, mp, *ifp, inp);
switch (ret) {
case PFIL_DROPPED:
*error = EACCES;
/* FALLTHROUGH */