Maxime Villard <max%M00nBSD.net@localhost> writes:

>> When can it do that?
>
> It can do that in L4 when handling fragments. [...]

Ah, thanks for the explanation! I've got a better overview, now.

>> I adapted the pfil_run_hooks() calls from those in if_vlan.c, so they'll
>> need fixing, too.
>
> Mmh yes, they will need fixing, I missed that.

I'll post a new proposal when I have all of this sorted out and tested.

> But now that I'm thinking about it... Are you sure that your change
> indeed enforces NPF policies? If you pass ifp->if_pfil normally it
> doesn't do IP filtering, unless I missed something else.

My change to if_tun.c does make NPF work as expected. I've tested it
carefully, in both directions. (NPF also works correctly for VLANs.)

-tih
--
Most people who graduate with CS degrees don't understand the significance
of Lisp. Lisp is the most important idea in computer science. --Alan Kay