pf: fix dummynet + ipdivert use case
ClosedPublic
Actions

Authored by igoro on Nov 15 2023, 12:56 AM.

Details

Reviewers

None

Group Reviewers

network

Commits

rGf831517d862d: pf: fix dummynet + ipdivert use case
rGfe3bb40b9e80: pf: fix dummynet + ipdivert use case

Summary

Dummynet re-injects an mbuf with MTAG_IPFW_RULE added, and the same mtag
is used by divert(4) as parameters for packet diversion.

If according to pf rule set a packet should go through dummynet first
and through ipdivert after then mentioned mtag must be removed after
dummynet not to make ipdivert think that this is its input parameters.

At the very beginning ipfw consumes this mtag what means the same
behavior with tag clearing after dummynet.

And after fabf705f4b5a pf passes parameters to ipdivert using its
personal MTAG_PF_DIVERT mtag.
    
PR:             274850

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

igoro created this revision.Nov 15 2023, 12:56 AM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptNov 15 2023, 12:56 AM

igoro requested review of this revision.Nov 15 2023, 12:56 AM

This seems sane to me (and the existing tests pass, which is a nice thing to have).

Two minor remarks, more about taste than actual issues.

sys/netpfil/pf/pf.c
306	I'd call that `pf_dummynet_flag_remove()` or something
tests/sys/netpfil/pf/Makefile
11 ↗	(On Diff #130104)	I'd put this in the existing divert-to tests file.