Date: Wed, 31 May 2023 10:11:45 +0000
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Message-ID: <bug-268717-16861-JqYdKAUUwj@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-268717-16861@https.bugs.freebsd.org/bugzilla/>
References: <bug-268717-16861@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #32 from commit-hook@FreeBSD.org ---

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5ab151574c8a1824c6cd8eded28506cb983284bc

commit 5ab151574c8a1824c6cd8eded28506cb983284bc
Author:     Doug Rabson <dfr@FreeBSD.org>
AuthorDate: 2023-05-24 13:11:37 +0000
Commit:     Doug Rabson <dfr@FreeBSD.org>
CommitDate: 2023-05-31 10:11:05 +0000

    netinet*: Fix redirects for connections from localhost

    Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
    rules to change the destination address and port for a connection.
    Typically, the rule triggers on an input event when a packet is received
    by a router and the destination address and/or port is changed to
    implement the redirect. When a reply packet on this connection is output
    to the network, the rule triggers again, reversing the modification.

    When the connection is initiated on the same host as the packet filter,
    it is initially output via lo0 which queues it for input processing.
    This causes an input event on the lo0 interface, allowing redirect
    processing to rewrite the destination and create state for the
    connection. However, when the reply is received, no corresponding output
    event is generated; instead, the packet is delivered to the higher level
    protocol (e.g. tcp or udp) without reversing the redirect, the reply is
    not matched to the connection and the packet is dropped (for tcp, a
    connection reset is also sent).

    This commit fixes the problem by adding a second packet filter call in
    the input path. The second call happens right before the handoff to
    higher level processing and provides the missing output event to allow
    the redirect's reply processing to perform its rewrite.

    This extra processing is disabled by default and can be enabled using
    pfilctl:

        pfilctl link -o pf:default-out inet-local
        pfilctl link -o pf:default-out6 inet6-local

    PR:             268717
    Reviewed-by:    kp, melifaro
    MFC-after:      2 weeks
    Differential Revision: https://reviews.freebsd.org/D40256

 sys/netinet/ip_input.c                  | 22 ++++++++-
 sys/netinet/ip_var.h                    |  4 ++
 sys/netinet6/ip6_input.c                | 19 ++++++++
 sys/netinet6/ip6_var.h                  |  4 ++
 tests/sys/netpfil/common/Makefile       |  1 +
 tests/sys/netpfil/{pf => common}/rdr.sh | 84 +++++++++++++++++++++++++++++----
 tests/sys/netpfil/common/utils.subr     |  4 ++
 tests/sys/netpfil/pf/Makefile           |  1 -
 8 files changed, 127 insertions(+), 12 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-268717-16861-JqYdKAUUwj>