213736 – pf: hardcoded if_output skips ip[6]_output and pfil order

Bug 213736 - pf: hardcoded if_output skips ip[6]_output and pfil order

Summary: pf: hardcoded if_output skips ip[6]_output and pfil order

Status:	Closed Feedback Timeout

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	freebsd-pf (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-10-24 05:08 UTC by Franco Fichtner
Modified:	2017-11-22 13:25 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Franco Fichtner 2016-10-24 05:08:15 UTC

Hi,

Up until now pf_route[6] uses code copied from ip_output[6] to push packets to their destination for the tags route-to, reply-to and dup-to. The packet is consumed on the spot.

From an architectural standpoint of pfil, this undermines its consistency: Packets must either be consumed when they are dropped or when they are delayed (dummynet).

In case of ipfw, PACKET_TAG_FORWARD is used to store the hext hop for the forward tag and evaluated properly outside the pfil hooks.  The same could be done for pf, but it's not a crucial requirement.

Skipping the full ip_output[6] code in favour of a stub has other side effects and fixing it would help align the packet processing consistency.

Of prime interest are productive combinations of ipfw+pf that in case of route-to et al simply stop working as pf consumes all its traffic up front.


Cheers,
Franco

Comment 1 Franco Fichtner 2016-12-22 20:06:17 UTC

Review available at https://reviews.freebsd.org/D8877