pf fastroute tag removal reviewers needed
Kristof Provost
kp at FreeBSD.org
Wed Sep 28 13:36:36 UTC 2016
On 28 Sep 2016, at 13:53, Franco Fichtner wrote:
> The main culprit of pfil not working correctly is pf's
> route-to and reply-to (and the tag formerly known as fastroute)
> as they would call if_output directly on the ifnet and consume
> their packets this way. That transmit code is also copied from
> if_output() and should likely not be called from within pf,
> especially when there is a pfil hook chain to go through.
Agreed, but there’s another culprit: the v6 fragment handling code. It needs to
call ip6_output()/ip6_forward() because it generates multiple output packets.
Dealing with that has been on my todo list for a while now, but I’ve not even
found the time to make a start at it.
Regards,
Kristof