tech-net archive


pfil, FreeBSD and multiple checks on single packet


Recently I've found one issue with pfil on FreeBSD: packets can be checked
twice under some conditions. Here is how it happens:

1) a packet arrives at ip_input|ip_output, which calls pfil_run_hooks
2) pfil_run_hooks calls the hooks one by one, until ipfw's hook sends the packet to
divert/netgraph/dummynet and sets the mbuf pointer to NULL
3) after processing in divert/netgraph/dummynet, the packet (possibly changed) is
passed to ip_input|ip_output once more

ipfw adds an mbuf_tag to track from which rule to continue processing, but other
filters do not know that they have already seen this packet and check it again.

Does this problem affect NetBSD too, or is it FreeBSD-specific and NetBSD avoids
this double checking in some way?
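The sequence described above, as an added toy model in C. This is not code from the post, nor from the FreeBSD or NetBSD pfil implementation: `struct pkt`, `seen_mask`, `resume`, `diverting_filter` and the rest are constructed names. `resume` stands in for the mbuf_tag ipfw already uses to continue processing after a divert; `seen_mask` is a hypothetical pfil-level tag added only to show what it would take for the hook runner itself to skip filters that already finished with a reinjected packet, while still letting the diverting hook resume.

```c
/* Toy model of a pfil-style hook chain. Added illustration only: none of
 * these names or structures are the FreeBSD or NetBSD implementation. */
#include <stdio.h>
#include <string.h>

#define NHOOKS 3

/* Constructed stand-in for an mbuf. seen_mask models a hypothetical
 * pfil-level tag recording which hooks finished with this packet;
 * resume models the tag ipfw already uses to continue after a divert. */
struct pkt {
    char data[32];
    unsigned seen_mask;
    int resume;
};

/* A hook returns 0 to pass or nonzero to drop. It may instead take
 * ownership of the packet (divert) by setting *pp to NULL. */
typedef int (*hook_fn)(struct pkt **pp, int id);

static struct pkt *diverted;        /* models the divert/netgraph/dummynet queue */
static int inspections[NHOOKS];     /* how many times each hook examined the packet */

/* Stateless filter: it cannot tell whether it already saw this packet. */
static int plain_filter(struct pkt **pp, int id)
{
    (void)pp;
    inspections[id]++;
    return 0;
}

/* ipfw-like hook: diverts on the first visit; on reinjection its own tag
 * tells it to continue with the remaining rules instead of diverting again. */
static int diverting_filter(struct pkt **pp, int id)
{
    inspections[id]++;
    if (!(*pp)->resume) {
        (*pp)->resume = 1;
        diverted = *pp;
        *pp = NULL;            /* packet left the hook chain */
    }
    return 0;
}

static const hook_fn hooks[NHOOKS] = { plain_filter, diverting_filter, plain_filter };

/* Model of pfil_run_hooks. With honor_seen_tag == 0 every hook runs on every
 * pass (the behaviour the post describes). With honor_seen_tag != 0, hooks
 * that already completed on this packet are skipped; the hook that diverted
 * it is deliberately not marked, so it still gets to resume. */
static int pfil_run_hooks(struct pkt **pp, int honor_seen_tag)
{
    struct pkt *p = *pp;
    for (int i = 0; i < NHOOKS; i++) {
        unsigned bit = 1u << i;
        if (honor_seen_tag && (p->seen_mask & bit))
            continue;
        int rv = hooks[i](pp, i);
        if (*pp == NULL)
            return 0;          /* diverted: stop, caller no longer owns it */
        if (rv != 0)
            return rv;         /* dropped */
        p->seen_mask |= bit;   /* this hook is done with the packet */
    }
    return 0;
}

/* Model of ip_input: run the hooks, and if the packet was diverted, reinject
 * the (possibly modified) packet through ip_input again, as the post describes. */
static int ip_input(struct pkt **pp, int honor_seen_tag)
{
    int rv = pfil_run_hooks(pp, honor_seen_tag);
    if (*pp == NULL && diverted != NULL) {
        struct pkt *back = diverted;
        diverted = NULL;
        *pp = back;
        return ip_input(pp, honor_seen_tag);
    }
    return rv;
}

/* Run one constructed packet through the chain and report per-hook
 * inspection counts. Returns 0 when the packet was finally delivered. */
int run_scenario(int honor_seen_tag, int counts[NHOOKS])
{
    struct pkt packet = { "constructed payload", 0, 0 };
    struct pkt *p = &packet;
    memset(inspections, 0, sizeof inspections);
    diverted = NULL;
    int rv = ip_input(&p, honor_seen_tag);
    memcpy(counts, inspections, sizeof inspections);
    return (rv == 0 && p != NULL) ? 0 : -1;
}

int main(void)
{
    int counts[NHOOKS];
    for (int honor = 0; honor <= 1; honor++) {
        run_scenario(honor, counts);
        printf("honor_seen_tag=%d: hook0=%d ipfw-like=%d hook2=%d\n",
               honor, counts[0], counts[1], counts[2]);
    }
    return 0;
}
```

Without the pfil-level tag the filter ahead of the diverting hook inspects the packet twice, once before the divert and once after reinjection, which is exactly the double check the post reports; the filter after it runs only once because the first pass never reached it. With the tag honoured, only the diverting hook sees the packet a second time, and that is the pass it needs to continue from its saved rule.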
