Date: Wed, 31 May 2023 18:07:39 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: Doug Rabson <dfr@FreeBSD.org>
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 5ab151574c8a - main - netinet*: Fix redirects for connections from localhost
Message-ID: <8674E4D4-FA56-407B-A68D-C665FCB8868D@FreeBSD.org>
In-Reply-To: <202305311011.34VABVwJ006123@gitrepo.freebsd.org>
References: <202305311011.34VABVwJ006123@gitrepo.freebsd.org>
On 31 May 2023, at 12:11, Doug Rabson wrote:
> The branch main has been updated by dfr:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5ab151574c8a1824c6cd8eded28506cb983284bc
>
> commit 5ab151574c8a1824c6cd8eded28506cb983284bc
> Author:     Doug Rabson <dfr@FreeBSD.org>
> AuthorDate: 2023-05-24 13:11:37 +0000
> Commit:     Doug Rabson <dfr@FreeBSD.org>
> CommitDate: 2023-05-31 10:11:05 +0000
>
>     netinet*: Fix redirects for connections from localhost
>
>     Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
>     rules to change the destination address and port for a connection.
>     Typically, the rule triggers on an input event when a packet is received
>     by a router and the destination address and/or port is changed to
>     implement the redirect. When a reply packet on this connection is output
>     to the network, the rule triggers again, reversing the modification.
>
>     When the connection is initiated on the same host as the packet filter,
>     it is initially output via lo0 which queues it for input processing.
>     This causes an input event on the lo0 interface, allowing redirect
>     processing to rewrite the destination and create state for the
>     connection. However, when the reply is received, no corresponding output
>     event is generated; instead, the packet is delivered to the higher level
>     protocol (e.g. tcp or udp) without reversing the redirect, the reply is
>     not matched to the connection and the packet is dropped (for tcp, a
>     connection reset is also sent).
>
>     This commit fixes the problem by adding a second packet filter call in
>     the input path. The second call happens right before the handoff to
>     higher level processing and provides the missing output event to allow
>     the redirect's reply processing to perform its rewrite. This extra
>     processing is disabled by default and can be enabled using pfilctl:
>
>     pfilctl link -o pf:default-out inet-local
>     pfilctl link -o pf:default-out6 inet6-local
>
>     PR:             268717
>     Reviewed-by:    kp, melifaro
>     MFC-after:      2 weeks
>     Differential Revision:  https://reviews.freebsd.org/D40256

It looks like there's some fallout from this in the dummynet tests:
https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23646/#showFailuresLink

Those tests set up the new hook, and without those hooks (i.e. with this patch reverted) the tests pass again.

Best regards,
Kristof
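The following script is an added example and is not code from the commit, the review, or the FreeBSD tree. It wraps the two pfilctl commands from the commit message in enable/disable/status helpers and loads a redirect rule that exercises the localhost case the commit message describes (a connection from the host itself to 127.0.0.1:80 redirected on lo0 to 127.0.0.1:8080). It assumes a FreeBSD main host with 5ab151574c8a and pf loaded. The rdr rule, the addresses and ports, the `pfilctl unlink` spelling (assumed to mirror `link`) and the line layout of `pfilctl list` that the status check greps are assumptions of this example, not facts taken from the commit.

```shell
#!/bin/sh
# Added example, not part of the commit or this thread. Enables the inet-local
# and inet6-local heads that 5ab151574c8a introduces, so pf's default output
# hooks also see packets being handed up the stack from lo0, and loads a
# redirect rule that reproduces the "reply never un-rewritten" case.
# Assumes FreeBSD main with that commit and pf loaded.
set -eu

# Constructed example rule (not from the commit): a connection from this host
# to 127.0.0.1:80 is redirected to a service on 127.0.0.1:8080. Without the
# local hooks the SYN is rewritten on the lo0 input event, but the SYN/ACK
# coming back from :8080 never gets the output event that would reverse the
# rewrite, so it does not match the state and pf drops it (and tcp sends RST).
rdr_rule='rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 80 -> 127.0.0.1 port 8080'

# Link pf's output hooks to the new input-path heads.
# These two invocations are the ones given in the commit message.
link_local_hooks() {
    pfilctl link -o pf:default-out inet-local
    pfilctl link -o pf:default-out6 inet6-local
}

# Undo the above; the default (unlinked) state is what the dummynet tests
# in the CI run referenced above were passing with.
# Assumption: 'unlink' takes the same hook/head arguments as 'link'.
unlink_local_hooks() {
    pfilctl unlink -o pf:default-out inet-local
    pfilctl unlink -o pf:default-out6 inet6-local
}

# Return 0 when pfilctl reports pf:default-out under the inet-local head.
# Assumption about output layout: 'pfilctl list' prints a head on its own
# line followed by indented lines naming the hooks linked to it.
local_hooks_linked() {
    pfilctl list | sed -n '/inet-local/,/^[^[:space:]]/p' | grep -q 'pf:default-out'
}

# Load the redirect rule. NOTE: 'pfctl -f -' replaces the running ruleset;
# on a real system merge the rule into /etc/pf.conf instead.
load_rdr_rule() {
    printf '%s\n' "$rdr_rule" | pfctl -f -
}

# Show pf state so the redirect can be seen matching in both directions.
show_state() {
    pfctl -ss
}

case "${1:-}" in
    enable)  link_local_hooks; load_rdr_rule
             local_hooks_linked && echo "local hooks linked" ;;
    disable) unlink_local_hooks ;;
    status)  if local_hooks_linked; then echo linked; else echo 'not linked'; fi
             show_state ;;
    '')      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 enable|disable|status" >&2; exit 64 ;;
esac
```

To reproduce the problem, run a listener on 127.0.0.1:8080 and connect to 127.0.0.1:80 from the same host before and after `enable`: with the heads unlinked the connection is reset, with them linked the redirected reply is matched to the state created on the lo0 input event and the connection completes. Linking the heads is a global change to the input path, so expect the behavioural difference Kristof reports for the dummynet tests when running the test suite with them enabled.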