Page MenuHomeFreeBSD

pf: bind route-to states to their route-to interface
ClosedPublic

Authored by kp on Jan 25 2024, 1:05 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Dec 24, 10:00 AM
Unknown Object (File)
Sat, Dec 21, 12:34 PM
Unknown Object (File)
Sat, Dec 21, 12:09 PM
Unknown Object (File)
Tue, Dec 10, 8:14 AM
Unknown Object (File)
Oct 16 2024, 10:20 PM
Unknown Object (File)
Oct 16 2024, 4:34 PM
Unknown Object (File)
Oct 16 2024, 4:34 PM
Unknown Object (File)
Oct 16 2024, 4:34 PM

Details

Summary

When we route-to the state should be bound to the route-to interface,
not the default route interface.
Explicitly check for this in BOUND_IFACE().

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp requested review of this revision.Jan 25 2024, 1:05 PM

This is wrong, as I'd have seen immediately if I'd had the test send more than 1 ping.
When the second outbound ping arrives pf looks for the state on epair_one, but we've created it for epair_two, so we don't find the state and reject the packet (or more accurately, try to create a new state for it and fail because such a state already exists).

  • improve test (ping 3x, to ensure that subsequent packets make it)
  • when matching states also look at the original interface This is required because the expected outbound interface before we match the state is the original interface, but for inbound packets it will be the route-to'd interface (which we've now bound the state to)
This revision was not accepted when it landed; it landed in state Needs Review.Jan 29 2024, 1:53 PM
This revision was automatically updated to reflect the committed changes.