Page MenuHomeFreeBSD
Differential D47906

pf: Don't pfsync states with unrecoverable routing information
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Dec 4 2024, 11:55 AM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jan 22, 4:00 AM
Unknown Object (File)
Wed, Jan 15, 5:11 AM
Unknown Object (File)
Dec 24 2024, 8:47 AM
Unknown Object (File)
Dec 21 2024, 2:22 PM
Unknown Object (File)
Dec 21 2024, 6:08 AM
Unknown Object (File)
Dec 16 2024, 9:20 AM
Unknown Object (File)
Dec 8 2024, 9:20 AM
Unknown Object (File)
Dec 5 2024, 10:10 PM
View All 12 Files
Subscribers
farrokhi
glebius
imp
melifaro

Details

Reviewers
kp
Commits
rGad6562ec858f: pf: Don't pfsync states with unrecoverable routing information
Summary

States created by route-to rules can't be trusted when received with
pfsync version 1301 as they lack the rt and rt_kif information. They
are imported, though, and pf_route() function attempts to recover
the missing information for every forwarded packet.

Move the recovery operation to pfsync_state_import() so that it's
performed only once and if it's impossible don't import the state.
Add an additional check for cases when recovery might produce wrong
results.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Dec 4 2024, 11:55 AM
Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptDec 4 2024, 11:55 AM
vegeta_tuxpowered.net requested review of this revision.Dec 4 2024, 11:55 AM
vegeta_tuxpowered.net added inline comments.Dec 4 2024, 1:50 PM
sys/netpfil/pf/pf.c
7729

Can ifp even be NULL? Can we instead KASSERT it?

vegeta_tuxpowered.net updated this revision to Diff 147474.Dec 4 2024, 2:49 PM

Improve some comments.

kp accepted this revision.Dec 4 2024, 10:53 PM

LGTM. Approved regardless of how you choose to deal with the remarks I've raised.

And I'm delighted to see the extra test cases.

sys/netpfil/pf/if_pfsync.c
113

We have a define like that one in a number of files (pf.c, pf_lb.c, pf_ruleset.c). We should probably move a single definition into pfvar.h.

That's independent of this patch though. We can either do that first, or after this one.

sys/netpfil/pf/pf.c
7705–7706

That's not going to be true for nat64 pf_route/pf_route6 calls, so I'm not sure it's worth adding an invariant that is pretty much immediately going to be removed again.
On the other hand, it is correct within this patch.

I really need to just land those patches, because I keep having to rebase them on top of your work :)

7729

It can be, yes.

It's possible for a rule to reference an interface that doesn't exist. In that case we'd have a struct pfi_kkif (so pd->act.rt_kif can be non-null), but not a struct ifnet pointer from there (so pfik_ifp == NULL).

This revision is now accepted and ready to land.Dec 4 2024, 10:53 PM
Closed by commit rGad6562ec858f: pf: Don't pfsync states with unrecoverable routing information (authored by vegeta_tuxpowered.net). · Explain WhyDec 5 2024, 10:10 PM
This revision was automatically updated to reflect the committed changes.
vegeta_tuxpowered.net added a commit: rGad6562ec858f: pf: Don't pfsync states with unrecoverable routing information.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
90 lines
79 lines
tests/
sys/
netpfil/
pf/
268 lines

Diff 147474

View Options

sys/netpfil/pf/if_pfsync.c

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...
View Options

tests/sys/netpfil/pf/pfsync.sh

Loading...