From a33722184c6dfb8259f7d129a3537bd3eca8f810 Mon Sep 17 00:00:00 2001 From: Kristof Provost Date: Fri, 31 Jan 2025 16:53:34 +0100 Subject: [PATCH] pfil: set PFIL_FWD for IPv4 forwarding Just like we already do for IPv6 set the PFIL_FWD flag when we're forwarding IPv4 traffic. This allows firewalls to make more precise decisions. Reviewed by: glebius Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D48824
---
 sys/netinet/ip_fastfwd.c | 2 +-
 sys/netinet/ip_output.c | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index 378fa14ec82..e6abbbe21f1 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -397,7 +397,7 @@ passin:
 if (!PFIL_HOOKED_OUT(V_inet_pfil_head))
 goto passout;
 
- if (pfil_mbuf_out(V_inet_pfil_head, &m, nifp,
+ if (pfil_mbuf_fwd(V_inet_pfil_head, &m, nifp,
 NULL) != PFIL_PASS)
 goto drop;
 
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 8632841fdb3..9a5ecbbd013 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -113,13 +113,19 @@ ip_output_pfil(struct mbuf **mp, struct ifnet **ifp, int flags,
 struct mbuf *m;
 struct in_addr odst;
 struct ip *ip;
+ int ret;
 
 m = *mp;
 ip = mtod(m, struct ip *);
 
 /* Run through list of hooks for output packets. */
 odst.s_addr = ip->ip_dst.s_addr;
- switch (pfil_mbuf_out(V_inet_pfil_head, mp, *ifp, inp)) {
+ if (flags & IP_FORWARDING)
+ ret = pfil_mbuf_fwd(V_inet_pfil_head, mp, *ifp, inp);
+ else
+ ret = pfil_mbuf_out(V_inet_pfil_head, mp, *ifp, inp);
+
+ switch (ret) {
 case PFIL_DROPPED:
 *error = EACCES;
 /* FALLTHROUGH */
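Review bot: The replaced call in ip_fastfwd.c now invokes `pfil_mbuf_fwd()` while the guard two lines above it still tests `PFIL_HOOKED_OUT(V_inet_pfil_head)`; that pairing is only correct if the forwarding entry point runs the same output chain with the PFIL_FWD flag set, which the hunk itself does not show. A short comment above the call would spare the next reader that lookup, e.g. `/* Forwarded packets take the output chain with PFIL_FWD set, so the OUT-hook check above is the right guard. */`. The enclosing function starts and ends outside the hunk.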
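Review bot: The comment `/* Run through list of hooks for output packets. */` directly above the new `if (flags & IP_FORWARDING)` branch in ip_output_pfil() is now stale, since forwarded packets no longer go through the plain output call. Suggest `/* Run the output hooks; forwarded packets are flagged PFIL_FWD so filters can tell them from locally originated traffic. */`. Whether `flags` still carries IP_FORWARDING when this helper is reached depends on how ip_output() passes it down, which is outside the hunk, so it is worth checking against the IPv6 path the commit message cites as the model. The function's signature and the remainder of the switch lie outside the hunk.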