From nobody Fri Jun 27 15:16:09 2025
Date: Fri, 27 Jun 2025 15:16:09 GMT
Message-Id: <202506271516.55RFG9LF049014@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 0c273335b2de - main - pf: ensure max-pkt-size works on match rules List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0c273335b2deac7cf7dadbcb5cd43d35127eb3f0 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=0c273335b2deac7cf7dadbcb5cd43d35127eb3f0 commit 0c273335b2deac7cf7dadbcb5cd43d35127eb3f0 Author: Kristof Provost AuthorDate: 2025-06-25 15:02:28 +0000 Commit: Kristof Provost CommitDate: 2025-06-27 14:55:15 +0000 pf: ensure max-pkt-size works on match rules Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/pfvar.h | 1 + sys/netpfil/pf/pf.c | 11 +++++-- tests/sys/netpfil/pf/max_pkt_size.sh | 61 +++++++++++++++++++++++++++++------- 3 files changed, 58 insertions(+), 15 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 5c798216f9f5..9fc2a00dca77 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -690,6 +690,7 @@ struct pf_rule_actions { uint8_t set_prio[2]; uint8_t rt; uint8_t allow_opts; + uint16_t max_pkt_size; }; union pf_keth_rule_ptr { diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 6da537aaa2cd..4ce2df2f0e31 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4886,6 +4886,8 @@ pf_rule_to_actions(struct pf_krule *r, struct pf_rule_actions *a) } if (r->allow_opts) a->allow_opts = r->allow_opts; + if (r->max_pkt_size) + a->max_pkt_size = r->max_pkt_size; } int 
@@ -10668,8 +10670,10 @@ done: if (pd.m == NULL) goto eat_pkt; - if (action == PF_PASS && pd.badopts && - !((s && s->state_flags & PFSTATE_ALLOWOPTS) || pd.act.allow_opts)) { + if (s) + memcpy(&pd.act, &s->act, sizeof(s->act)); + + if (action == PF_PASS && pd.badopts && !pd.act.allow_opts) { action = PF_DROP; REASON_SET(&reason, PFRES_IPOPTIONS); pd.act.log = PF_LOG_FORCE; @@ -10677,7 +10681,8 @@ done: ("pf: dropping packet with dangerous headers\n")); } - if (r && r->max_pkt_size && pd.tot_len > r->max_pkt_size) { + if (pd.act.max_pkt_size && pd.act.max_pkt_size && + pd.tot_len > pd.act.max_pkt_size) { action = PF_DROP; REASON_SET(&reason, PFRES_NORM); pd.act.log = PF_LOG_FORCE; diff --git a/tests/sys/netpfil/pf/max_pkt_size.sh b/tests/sys/netpfil/pf/max_pkt_size.sh index 05aab0b7990a..030d642303fc 100644 --- a/tests/sys/netpfil/pf/max_pkt_size.sh +++ b/tests/sys/netpfil/pf/max_pkt_size.sh @@ -26,17 +26,8 @@ . $(atf_get_srcdir)/utils.subr -atf_test_case "basic" "cleanup" -basic_head() -{ - atf_set descr 'Basic max-pkt-size test' - atf_set require.user root -} - -basic_body() +common_setup() { - pft_init - epair=$(vnet_mkepair) ifconfig ${epair}b 192.0.2.2/24 up @@ -45,9 +36,10 @@ basic_body() jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up jexec alcatraz pfctl -e - pft_set_rules alcatraz \ - "pass max-pkt-size 128" +} +common_test() +{ # Small packets pass atf_check -s exit:0 -o ignore \ ping -c 1 192.0.2.1 @@ -59,6 +51,25 @@ basic_body() ping -c 3 -s 101 192.0.2.1 atf_check -s exit:2 -o ignore \ ping -c 3 -s 128 192.0.2.1 +} + +atf_test_case "basic" "cleanup" +basic_head() +{ + atf_set descr 'Basic max-pkt-size test' + atf_set require.user root +} + +basic_body() +{ + pft_init + + common_setup + + pft_set_rules alcatraz \ + "pass max-pkt-size 128" + + common_test # We can enforce this on fragmented packets too pft_set_rules alcatraz \ 
@@ -79,7 +90,33 @@ basic_cleanup() pft_cleanup } +atf_test_case "match" "cleanup" +match_head() +{ + atf_set descr 'max-pkt-size on match rules' + atf_set require.user root +} + +match_body() +{ + pft_init + + common_setup + + pft_set_rules alcatraz \ + "match in max-pkt-size 128" \ + "pass" + + common_test +} + +match_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "basic" + atf_add_test_case "match" }
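Review bot: in the sys/net/pfvar.h hunk, the new `uint16_t max_pkt_size;` member of struct pf_rule_actions is filled from `r->max_pkt_size` in pf_rule_to_actions; please confirm struct pf_krule declares that field with the same 16-bit width, otherwise a larger configured value would be silently truncated at the copy and the limit enforced on the wire would differ from the one in the ruleset. A one-line comment next to the member noting that it is compared against pd.tot_len (an IP total length, hence 16 bits) would make the choice of type self-explanatory.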
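Review bot: the pf_rule_to_actions hunk only copies the value when it is non-zero (`if (r->max_pkt_size) a->max_pkt_size = r->max_pkt_size;`), so a later match rule can lower or raise the limit but can never clear it back to "no limit"; that mirrors the allow_opts handling directly above and is consistent, but it is user-visible behaviour. The diffstat shows no pf.conf(5) change, so the man page should say both that max-pkt-size is now honoured on match rules and that the last non-zero value wins.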
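Review bot: in the first `done:` hunk of sys/netpfil/pf/pf.c, `memcpy(&pd.act, &s->act, sizeof(s->act))` overwrites pd.act wholesale whenever a state matched, and the IP-options check then reads only `pd.act.allow_opts` where it previously also accepted `s->state_flags & PFSTATE_ALLOWOPTS`. This is only equivalent if every state's `act.allow_opts` is set whenever PFSTATE_ALLOWOPTS is; if any code path can produce a state with the flag but a zeroed `act`, packets with options on that state are now dropped with PFRES_IPOPTIONS. Suggest either keeping the state_flags test OR'd into the condition or adding an assertion that the two agree, and stating in a comment why copying the state's actions here is safe for the fields pd.act may already hold for this packet.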
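Review bot: the second `done:` hunk tests the same field twice, `if (pd.act.max_pkt_size && pd.act.max_pkt_size && pd.tot_len > pd.act.max_pkt_size)`; the duplicate is harmless but reads as an editing slip, so reduce it to `if (pd.act.max_pkt_size && pd.tot_len > pd.act.max_pkt_size)`. Switching from `r->max_pkt_size` to `pd.act.max_pkt_size` is the actual fix (the old check only saw the final rule `r`, so a limit set on a match rule was ignored), and a sentence saying so in the commit message would spare future readers from reconstructing it from the diff.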
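Review bot: in the tests/sys/netpfil/pf/max_pkt_size.sh refactor, `pft_init` was taken out of the shared block and is now each body's responsibility, while common_setup still creates the epair and jail and common_test hard-codes 192.0.2.1; a short comment above common_setup stating that callers must run pft_init first (and that common_test assumes the common_setup addresses) would keep the next test added here from forgetting the ordering.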
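Review bot: match_body in the last hunk runs only common_test, so the fragmented-packet case that basic_body continues with after common_test ("We can enforce this on fragmented packets too") is never exercised with `match in max-pkt-size 128` plus `pass`. Since the kernel change moves enforcement onto pd.act, which is also what state-matched and reassembled packets now consult, suggest factoring that fragment block into a shared helper as well and calling it from both bodies so the match path gets the same coverage as the pass path.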