svn commit: r284497 - stable/9/sys/netinet
Hans Petter Selasky
hselasky at FreeBSD.org
Wed Jun 17 07:28:52 UTC 2015
Author: hselasky
Date: Wed Jun 17 07:28:51 2015
New Revision: 284497
URL: https://svnweb.freebsd.org/changeset/base/284497
Log:
MFC r280991:
Extend fixes made in r278103 and r38754 by copying the complete packet
header and not only partial flags and fields. Firewalls can attach
classification tags to the outgoing mbufs which should be copied to
all the new fragments. Else only the first fragment will be let
through by the firewall. This can easily be tested by sending a large
ping packet through a firewall. It was also discovered that VLAN
related flags and fields should be copied for packets traversing
through VLANs. This is all handled by "m_dup_pkthdr()".
Regarding the MAC policy check in ip_fragment(), the tag provided by
the originating mbuf is copied instead of using the default one
provided by m_gethdr().
Tested by: Karim Fodil-Lemelin <fodillemlinkarim at gmail.com>
Sponsored by: Mellanox Technologies
PR: 7802
Modified:
stable/9/sys/netinet/ip_output.c
Directory Properties:
stable/9/sys/ (props changed)
Modified: stable/9/sys/netinet/ip_output.c
==============================================================================
--- stable/9/sys/netinet/ip_output.c Wed Jun 17 07:21:43 2015 (r284496)
+++ stable/9/sys/netinet/ip_output.c Wed Jun 17 07:28:51 2015 (r284497)
@@ -785,11 +785,20 @@ smart_frag_failure:
IPSTAT_INC(ips_odropped);
goto done;
}
- /* copy multicast and flowid flag, if any */
- m->m_flags |= (m0->m_flags & (M_FLOWID | M_MCAST)) | M_FRAG;
- /* make sure the flowid is the same for the fragmented mbufs */
- M_HASHTYPE_SET(m, M_HASHTYPE_GET(m0));
- m->m_pkthdr.flowid = m0->m_pkthdr.flowid;
+ /*
+ * Make sure the complete packet header gets copied
+ * from the originating mbuf to the newly created
+ * mbuf. This also ensures that existing firewall
+ * classification(s), VLAN tags and so on get copied
+ * to the resulting fragmented packet(s):
+ */
+ if (m_dup_pkthdr(m, m0, M_NOWAIT) == 0) {
+ m_free(m);
+ error = ENOBUFS;
+ IPSTAT_INC(ips_odropped);
+ goto done;
+ }
+ m->m_flags |= M_FRAG;
/*
* In the first mbuf, leave room for the link header, then
* copy the original IP header including options. The payload
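Review bot: At `m->m_flags |= M_FRAG`, the fragment no longer inherits only what the removed `m0->m_flags & (M_FLOWID | M_MCAST)` mask allowed; it now takes everything m_dup_pkthdr() copies from m0. The block comment names firewall classifications and VLAN tags, but it should also state that M_FRAG is deliberately set after the copy and that per-fragment fields (such as m_pkthdr.len, assigned in the next hunk) are overwritten afterwards, so a later reorder does not leave the original packet's values on a fragment. As a style point, the new ENOBUFS branch repeats the drop handling visible in the context lines just above (`IPSTAT_INC(ips_odropped); goto done;`); a shared error label would keep the two paths from drifting apart.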
@@ -820,11 +829,9 @@ smart_frag_failure:
goto done;
}
m->m_pkthdr.len = mhlen + len;
- m->m_pkthdr.rcvif = NULL;
#ifdef MAC
mac_netinet_fragment(m0, m);
#endif
- m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
mhip->ip_off = htons(mhip->ip_off);
mhip->ip_sum = 0;
if (sw_csum & CSUM_DELAY_IP)
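Review bot: Removing `m->m_pkthdr.rcvif = NULL;` changes behaviour beyond what the log describes: each fragment now keeps whatever rcvif the header copy took from m0 instead of having it cleared. If that is intended, say so in the log or in a comment here; if not, keep the reset after the copy. The removed csum_flags assignment is redundant only while the earlier hunk remains a full header copy, and `mac_netinet_fragment(m0, m)` now runs on a header that, per the log, already carries the tag from m0, which deserves a one-line comment under `#ifdef MAC`.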