diff options
author | kp <kp@FreeBSD.org> | 2015-04-07 20:29:03 +0000 |
---|---|---|
committer | kp <kp@FreeBSD.org> | 2015-04-07 20:29:03 +0000 |
commit | 86419259e34a2d1a2e00743f754541ba82400172 (patch) | |
tree | 9a0ff4a83a23a93487904241f98d53bf6b014d9e | |
parent | 250c8d6f6d86ef6cef92136a0748bbc1967c0919 (diff) | |
download | FreeBSD-src-86419259e34a2d1a2e00743f754541ba82400172.zip FreeBSD-src-86419259e34a2d1a2e00743f754541ba82400172.tar.gz |
Evaluate packet size after the firewall had its chance
Defer the packet size check until after the firewall has had a look at it. This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.
Differential Revision: https://reviews.freebsd.org/D1815
Reviewed by: ae
Approved by: gnn (mentor)
-rw-r--r-- | sys/netinet6/ip6_forward.c | 67 |
1 files changed, 34 insertions, 33 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index e79baba..08234d5 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -413,39 +413,6 @@ again2: goto bad; } - if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) { - in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig); - if (mcopy) { - u_long mtu; -#ifdef IPSEC - size_t ipsechdrsiz; -#endif /* IPSEC */ - - mtu = IN6_LINKMTU(rt->rt_ifp); -#ifdef IPSEC - /* - * When we do IPsec tunnel ingress, we need to play - * with the link value (decrement IPsec header size - * from mtu value). The code is much simpler than v4 - * case, as we have the outgoing interface for - * encapsulated packet as "rt->rt_ifp". - */ - ipsechdrsiz = ipsec_hdrsiz(mcopy, IPSEC_DIR_OUTBOUND, - NULL); - if (ipsechdrsiz < mtu) - mtu -= ipsechdrsiz; - /* - * if mtu becomes less than minimum MTU, - * tell minimum MTU (and I'll need to fragment it). - */ - if (mtu < IPV6_MMTU) - mtu = IPV6_MMTU; -#endif /* IPSEC */ - icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu); - } - goto bad; - } - if (rt->rt_flags & RTF_GATEWAY) dst = (struct sockaddr_in6 *)rt->rt_gateway; @@ -571,6 +538,40 @@ again2: } pass: + /* See if the size was changed by the packet filter. */ + if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) { + in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig); + if (mcopy) { + u_long mtu; +#ifdef IPSEC + size_t ipsechdrsiz; +#endif /* IPSEC */ + + mtu = IN6_LINKMTU(rt->rt_ifp); +#ifdef IPSEC + /* + * When we do IPsec tunnel ingress, we need to play + * with the link value (decrement IPsec header size + * from mtu value). The code is much simpler than v4 + * case, as we have the outgoing interface for + * encapsulated packet as "rt->rt_ifp". + */ + ipsechdrsiz = ipsec_hdrsiz(mcopy, IPSEC_DIR_OUTBOUND, + NULL); + if (ipsechdrsiz < mtu) + mtu -= ipsechdrsiz; + /* + * if mtu becomes less than minimum MTU, + * tell minimum MTU (and I'll need to fragment it). + */ + if (mtu < IPV6_MMTU) + mtu = IPV6_MMTU; +#endif /* IPSEC */ + icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu); + } + goto bad; + } + error = nd6_output(rt->rt_ifp, origifp, m, dst, rt); if (error) { in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard); |