From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
Date: Tue, 6 Apr 2021 10:01:08 +1000
Subject: Re: git: 829a69db855b - main - pf: change pf_route so pf only runs when packets enter and leave the stack.
To: Kristof Provost, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
In-Reply-To: <202104051144.135BiCpe039479@gitrepo.freebsd.org>

On 5/04/2021 9:44 pm, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=829a69db855b48ff7e8242b95e193a0783c489d9
>
> commit 829a69db855b48ff7e8242b95e193a0783c489d9
> Author:     Kristof Provost
> AuthorDate: 2021-04-02 10:23:42 +0000
> Commit:     Kristof Provost
> CommitDate: 2021-04-05 07:57:06 +0000
>
>     pf: change pf_route so pf only runs when packets enter and leave the stack.
>
>     before this change pf_route operated on the semantic that pf runs
>     when packets go over an interface, so when pf_route changed which
>     interface the packet was on it would run pf_test again. this change
>     changes (restores) the semantic that pf is only supposed to run
>     when packets go in or out of the network stack, even if route-to
>     is responsible for short circuiting past the network stack.
>
>     just to be clear, for normal packets (ie, those not touched by
>     route-to/reply-to/dup-to), there isn't a difference between running
>     pf when packets enter or leave the stack, or having pf run when a
>     packet goes over an interface.
>
>     the main reason for this change is that running the same packet
>     through pf multiple times creates confusion for the state table.
>     by default, pf states are floating, meaning that packets are matched
>     to states regardless of which interface they're going over. if a
>     packet leaving on em0 is rerouted out em1, both traversals will end
>     up using the same state, which at best will make the accounting
>     look weird, or at worst fail some checks in the state and get
>     dropped.
>
>     another reason for this commit is to make handling of the changes
>     that route-to makes consistent with other changes that are made to a
>     packet. eg, when nat is applied to a packet, we don't run pf_test
>     again with the new addresses.
>
>     the main caveat with this diff is you can't have one rule that
>     pushes a packet out a different interface, and then have a rule on
>     that second interface that NATs the packet. i'm not convinced this
>     ever worked reliably or was used much anyway, so we don't think
>     it's a big concern.
>
>     discussed with many, with special thanks to bluhm@, sashan@ and
>     sthen@ for weathering most of that pain.
>     ok claudio@ sashan@ jmatthew@
>
>     Obtained from:  OpenBSD
>     MFC after:      2 weeks
>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>     Differential Revision:  https://reviews.freebsd.org/D29554
>     Relnotes:       Yes

For the rule semantics change?

> ---
>  sys/netpfil/pf/pf.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
> index 50bf4b3871c5..5b41be4ad683 100644
> --- a/sys/netpfil/pf/pf.c
> +++ b/sys/netpfil/pf/pf.c
> @@ -5549,7 +5549,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
>  	if (ifp == NULL)
>  		goto bad;
>  
> -	if (oifp != ifp) {
> +	if (dir == PF_IN) {
>  		if (pf_test(PF_OUT, 0, ifp, &m0, inp) != PF_PASS)
>  			goto bad;
>  		else if (m0 == NULL)
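Review bot: the new condition `if (dir == PF_IN)` in pf_route() means the second pf_test() call here now runs only for packets that arrived through the input path and were rerouted; a packet that was already tested on its way out of the stack and then redirected by route-to is no longer evaluated on the new interface. That is exactly the user-visible change the commit message calls the "NAT on the second interface" caveat, and since rulesets of that shape stop matching silently, it belongs in the release notes and pf.conf(5), not only in the commit message. Also, `oifp` no longer takes part in this decision; it is worth confirming it is still used by the rest of pf_route(), and otherwise dropping the parameter in a follow-up.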
> @@ -5738,7 +5738,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
>  	if (ifp == NULL)
>  		goto bad;
>  
> -	if (oifp != ifp) {
> +	if (dir == PF_IN) {
>  		if (pf_test6(PF_OUT, PFIL_FWD, ifp, &m0, inp) != PF_PASS)
>  			goto bad;
>  		else if (m0 == NULL)
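Review bot: pf_route6() gets the same `dir == PF_IN` condition as pf_route(), but the two re-entry calls still differ in their flags argument: the IPv4 hunk calls `pf_test(PF_OUT, 0, ifp, &m0, inp)` while this one calls `pf_test6(PF_OUT, PFIL_FWD, ifp, &m0, inp)`. Now that both branches describe the same situation (a packet that came in and is being forwarded out a different interface), either the v4 call should pass PFIL_FWD as well or a comment should say why the two paths differ; the commit message does not mention the asymmetry.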
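The ruleset shape the commit message's caveat refers to, as an added illustration that is not part of the commit or this mail; interface names and addresses are constructed placeholders.

```conf
# Constructed pf.conf fragment illustrating the caveat in the commit message.
# Interface names and addresses are placeholders, not from any real host.

# Rule 1: traffic leaving the stack on em0 is pushed out em1 instead,
# via the next hop 192.0.2.1.
pass out on em0 route-to (em1 192.0.2.1) inet from 10.0.0.0/24 to any

# Rule 2: translate the source address of traffic going out em1.
nat on em1 inet from 10.0.0.0/24 to any -> (em1)

# Old pf_route: after rule 1 changed the outgoing interface to em1
# (oifp != ifp), pf_test() ran a second time on em1, rule 2 matched, and
# the packet left em1 with a translated source address, having been looked
# up twice against the same floating state.
#
# New pf_route: the packet already passed pf once on its way out of the
# stack (dir == PF_OUT), so it is not evaluated again on em1. Rule 2 never
# sees it and the packet leaves em1 untranslated. Only packets that entered
# through pf_test(PF_IN) and were rerouted still get a single PF_OUT
# evaluation on the new interface.
```

When auditing an existing ruleset for this change, look for route-to, reply-to or dup-to rules whose target interface also carries nat, rdr or filter rules that were meant to see the rerouted traffic.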