Fix bridging IPv6 fragments with pf reassembly.

Sending IPv6 fragments over a bridge with pf did not work.  During
input pf reassembles the packet, and at bridge output it should be
refragmented.  This is only done for PF_FWD direction, but bridge(4)
and veb(4) called pf_test() with PF_OUT argument.

OK sashan@

diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 154f7de..8f72c1c 100644 (file)
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_bridge.c,v 1.370 2024/04/14 20:46:27 bluhm Exp $   */
+/*     $OpenBSD: if_bridge.c,v 1.371 2024/08/05 17:47:29 bluhm Exp $   */
 
 /*
  * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -70,7 +70,7 @@
 #if NPF > 0
 #include <net/pfvar.h>
 #define        BRIDGE_IN       PF_IN
-#define        BRIDGE_OUT      PF_OUT
+#define        BRIDGE_OUT      PF_FWD
 #else
 #define        BRIDGE_IN       0
 #define        BRIDGE_OUT      1

diff --git a/sys/net/if_veb.c b/sys/net/if_veb.c
index ebbca15..02d02ed 100644 (file)
--- a/sys/net/if_veb.c
+++ b/sys/net/if_veb.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_veb.c,v 1.35 2024/02/13 12:22:09 bluhm Exp $ */
+/*     $OpenBSD: if_veb.c,v 1.36 2024/08/05 17:47:29 bluhm Exp $ */
 
 /*
  * Copyright (c) 2021 David Gwynne <dlg@openbsd.org>
@@ -944,7 +944,7 @@ veb_broadcast(struct veb_softc *sc, struct veb_port *rp, struct mbuf *m0,
         * let pf look at it, but use the veb interface as a proxy.
         */
        if (ISSET(ifp->if_flags, IFF_LINK1) &&
-           (m0 = veb_pf(ifp, PF_OUT, m0)) == NULL)
+           (m0 = veb_pf(ifp, PF_FWD, m0)) == NULL)
                return;
 #endif
 
@@ -1039,7 +1039,7 @@ veb_transmit(struct veb_softc *sc, struct veb_port *rp, struct veb_port *tp,
 
 #if NPF > 0
        if (ISSET(ifp->if_flags, IFF_LINK1) &&
-           (m = veb_pf(ifp0, PF_OUT, m)) == NULL)
+           (m = veb_pf(ifp0, PF_FWD, m)) == NULL)
                return (NULL);
 #endif