pf fastroute tag removal reviewers needed

Franco Fichtner franco at opnsense.org
Sat Oct 1 09:43:19 UTC 2016


Hi Kristof,

> On 28 Sep 2016, at 3:36 PM, Kristof Provost <kp at freebsd.org> wrote:
> 
> On 28 Sep 2016, at 13:53, Franco Fichtner wrote:
>> The main culprit of pfil not working correctly is pf's
>> route-to and reply-to (and the tag formerly known as fastroute)
>> as they would call if_output directly on the ifnet and consume
>> their packets this way. That transmit code is also copied from
>> if_output() and should likely not be called from within pf,
>> especially when there is a pfil hook chain to go through.
> 
> Agreed, but there’s another culprit: the v6 fragment handling code. It needs to
> call ip6_output()/ip6_forward() because it generates multiple output packets.
> 
> Dealing with that has been on my todo list for a while now, but I’ve not even
> found the time to make a start at it.

Right, that also has some issues, but at least the pfil out hook
is invoked with this.

I see that ipfw also has some of those netinet code spots, which
undermine the integrity of pfil.  Would it make sense to take it
to another mailing list to raise awareness of the issue to at least
not get any new code added that does this?


Thanks,
Franco

