Date: Mon, 15 Aug 2005 17:28:37 +0200 From: Max Laier <max@love2party.net> To: freebsd-pf@freebsd.org Subject: Re: Fwd: Dual-feed: PF setup troubles Message-ID: <200508151728.51489.max@love2party.net> In-Reply-To: <20050815143449.GA32151@insomnia.benzedrine.cx> References: <42FF47A2.1090208@yuckfou.org> <48239d39050815042096f9890@mail.gmail.com> <20050815143449.GA32151@insomnia.benzedrine.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart17843871.CkQWrrVyAs
Content-Type: multipart/mixed;
boundary="Boundary-01=_uSLADTKtcBjGrXZ"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
--Boundary-01=_uSLADTKtcBjGrXZ
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
On Monday 15 August 2005 16:34, Daniel Hartmeier wrote:
> I suspect the loop occurs through sys/net/if_ethersubr.c ether_output()
> You route-to the broadcast packet, pf will call ether_output() to send
> it out through the new interface, and this piece of code in there will
> send it right back in through that interface again. If your ruleset then
> routes that resent packet again, you get a tight endless loop, locking
> up the kernel, like you describe.
Good catch!
> OpenBSD doesn't have this piece in ether_output(), I'm not sure in what
> cases people want outgoing broadcasts on an interface reflected back at
> them by the stack.
In fact OpenBSD has this code as well, though in it's old/original form. =20
However, in version 1.70 you introduced the fix:
line 283:
/* If broadcasting on a simplex interface, loopback a copy =
*/
if ((m->m_flags & M_BCAST) && (ifp->if_flags & IFF_SIMPLEX)=
&&
m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) =3D=3D NULL)
mcopy =3D m_copy(m, 0, (int)M_COPYALL);
Attached is a patch to reproduce this in FreeBSD, can you please try? I am=
=20
not 100% that this is the right fix, or if it is better to do the relooping=
=20
as well telling pf not to re-route it again (e.g. via PF_GENERATED), though=
=20
this has different gotchas.
=2D-=20
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
--Boundary-01=_uSLADTKtcBjGrXZ
Content-Type: text/x-diff;
charset="iso-8859-1";
name="routefix.diff"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="routefix.diff"
Index: if_ethersubr.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /usr/store/mlaier/fcvs/src/sys/net/if_ethersubr.c,v
retrieving revision 1.196
diff -u -r1.196 if_ethersubr.c
=2D-- if_ethersubr.c 9 Aug 2005 10:19:58 -0000 1.196
+++ if_ethersubr.c 15 Aug 2005 15:14:34 -0000
@@ -310,7 +310,8 @@
* on the wire). However, we don't do that here for security
* reasons and compatibility with the original behavior.
*/
=2D if ((ifp->if_flags & IFF_SIMPLEX) && (loop_copy !=3D -1)) {
+ if ((ifp->if_flags & IFF_SIMPLEX) && (loop_copy !=3D -1) &&
+ m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) =3D=3D NULL) {
int csum_flags =3D 0;
=20
if (m->m_pkthdr.csum_flags & CSUM_IP)
--Boundary-01=_uSLADTKtcBjGrXZ--
--nextPart17843871.CkQWrrVyAs
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQBDALSzXyyEoT62BG0RAmpFAJkB2qq9+V7OduQmpVNNC7GKQilmOgCeJW3u
gkXREYcyNJBgyhos320uciE=
=vGpQ
-----END PGP SIGNATURE-----
--nextPart17843871.CkQWrrVyAs--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200508151728.51489.max>