pf: handle IPv6 fragmentation for route-to
Closed, Public

Authored by kp on Nov 20 2024, 4:16 PM.

Details

Summary

If a fragmented IPv6 packet hits a route-to rule we have to first prevent
the pf_test(PF_OUT) check in pf_route6() from refragmenting (and calling
ip6_output()/ip6_forward()). We then have to refragment in pf_route6() and
transmit the packets on the route-to interface.

Split pf_refragment6() into two parts, the first to perform the refragmentation,
the second to call ip6_output()/ip6_forward() and call the former from
pf_route6().

Add a test case for route-to-ing fragmented IPv6 packets to verify this works
as expected.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository: rG FreeBSD src repository
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

kp requested review of this revision. (Nov 20 2024, 4:16 PM)

Change the approach. Tell pf_refragment6() what interface to use. If unspecified
fall back to the previous ip6_forward/ip6_output calls.
This is basically the same approach OpenBSD took for this issue, and it's a
smaller change than splitting pf_refragment6() into two functions.

This revision was not accepted when it landed; it landed in state Needs Review. (Nov 26 2024, 2:07 PM)
This revision was automatically updated to reflect the committed changes.