Date: Wed, 1 Oct 2025 16:10:53 GMT
Message-Id: <202510011610.591GArrW066160@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kajetan Staszkiewicz
Subject: git: 048b8123ee87 - stable/15 - pf: Always skip outbound filtering for inbound af-to rules
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch stable/15 has been updated by ks:

URL: https://cgit.FreeBSD.org/src/commit/?id=048b8123ee87154b220d73ea6543423164f25fdb

commit 048b8123ee87154b220d73ea6543423164f25fdb
Author:     Kajetan Staszkiewicz
AuthorDate: 2025-09-07 13:59:00 +0000
Commit:     Kajetan Staszkiewicz
CommitDate: 2025-10-01 16:00:20 +0000

    pf: Always skip outbound filtering for inbound af-to rules

    The af-to rules on inbound direction create a single state spanning both
    the inbound and the outbound interface. Calling pf_test() for the outbound
    direction in pf_route() makes the packet pass through state search, match
    the existing state, never evaluate the ruleset, and increase state
    counters.

    Check that the state comes from an af-to rule in inbound direction, and if
    yes, skip outbound testing.

    Reviewed by:    kp
    Sponsored by:   InnoGames GmbH
    Differential Revision:  https://reviews.freebsd.org/D52446

    (cherry picked from commit 938ae26ffda81fd42c235eaa3223dae51331e4eb)
---
 sys/netpfil/pf/pf.c           |  4 ++--
 tests/sys/netpfil/pf/nat64.sh | 12 +++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3311260aa157..c90ed1ff7769 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9193,7 +9193,7 @@ pf_route(struct pf_krule *r, struct ifnet *oifp, } } - if (r->rt == PF_DUPTO) + if (r->rt == PF_DUPTO || (pd->af != pd->naf && s->direction == PF_IN)) skip_test = true; if (pd->dir == PF_IN && !skip_test) { @@ -9510,7 +9510,7 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp, } } - if (r->rt == PF_DUPTO) + if (r->rt == PF_DUPTO || (pd->af != pd->naf && s->direction == PF_IN)) skip_test = true; if (pd->dir == PF_IN && !skip_test) { diff --git a/tests/sys/netpfil/pf/nat64.sh b/tests/sys/netpfil/pf/nat64.sh index d930e2ee5763..d873d34a51d5 100644 --- a/tests/sys/netpfil/pf/nat64.sh +++ b/tests/sys/netpfil/pf/nat64.sh @@ -214,11 +214,11 @@ tcp_in_if_bound_body() fi # Interfaces of the state are reversed when doing inbound NAT64! - # FIXME: Packets counters seem wrong! + # FIXME: Packets from both directions are counted only on the inbound direction! states=$(mktemp) || exit 1 jexec rtr pfctl -qvvss | normalize_pfctl_s > $states for state_regexp in \ - "${epair_link}a tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\) .* 9:9 pkts.* rule 3 .* origif: ${epair}b" \ + "${epair_link}a tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\) .* 9:0 pkts.* rule 3 .* origif: ${epair}b" \ ; do grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" done 
@@ -296,11 +296,11 @@ tcp_in_floating_body() fi # Interfaces of the state are reversed when doing inbound NAT64! - # FIXME: Packets counters seem wrong! + # FIXME: Packets from both directions are counted only on the inbound direction! states=$(mktemp) || exit 1 jexec rtr pfctl -qvvss | normalize_pfctl_s > $states for state_regexp in \ - "all tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\).* 9:9 pkts.* rule 3 .* origif: ${epair}b" \ + "all tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\).* 9:0 pkts.* rule 3 .* origif: ${epair}b" \ ; do grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" done @@ -1045,8 +1045,10 @@ route_to_body() states=$(mktemp) || exit 1 jexec rtr pfctl -qvvss | normalize_pfctl_s > $states + # Interfaces of the state are reversed when doing inbound NAT64! + # FIXME: Packets from both directions are counted only on the inbound direction! for state_regexp in \ - "${epair_link}a ipv6-icmp 192.0.2.1:.* \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:8 \(64:ff9b::c000:202\[[0-9]+\]\).*6:6 pkts.*route-to: 192.0.2.2@${epair_link}a origif: ${epair}b" \ + "${epair_link}a ipv6-icmp 192.0.2.1:.* \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:8 \(64:ff9b::c000:202\[[0-9]+\]\).* 6:0 pkts.*route-to: 192.0.2.2@${epair_link}a origif: ${epair}b" \ ; do grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" done
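Review bot: In the pf_route() hunk the new condition `r->rt == PF_DUPTO || (pd->af != pd->naf && s->direction == PF_IN)` dereferences `s` unconditionally, where the old test only looked at the rule; nothing in the visible context shows that `s` cannot be NULL at this point (for example for a route-to rule that did not create a state). Either guard it, e.g. `(s != NULL && pd->af != pd->naf && s->direction == PF_IN)`, or add a one-line comment stating why `s` is guaranteed to be set here, and while there, a comment explaining that an inbound af-to rule's single state already spans the outbound interface (so a second pf_test() would only re-match it and bump the counters) would make the `skip_test` decision self-explanatory without the commit log.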
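Review bot: The pf_route6() hunk is a verbatim second copy of the `skip_test` condition added to pf_route(), including the unconditional `s->direction` dereference; consider hoisting the decision into a small shared helper (or at least a macro) so the IPv4 and IPv6 forwarding paths cannot drift apart the next time the af-to handling is refined, and apply the same NULL-`s` guard or justifying comment in both places.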
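Review bot: In the tcp_in_if_bound_body() and tcp_in_floating_body() hunks the expected counters move from `9:9 pkts` to `9:0 pkts` while the rewritten FIXME still records the remaining asymmetry ("counted only on the inbound direction"), so the regexps now pin behaviour the comment itself calls wrong; whoever fixes the counting will have to rediscover these three expectations by grep. Suggest stating in the FIXME what the correct split should be once fixed (9:9 on the state's own interfaces, not the old double-counted value), or adding the bug/review reference next to it, so the known-wrong expectation is clearly tied to its follow-up.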
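Review bot: In the route_to_body() hunk the pattern changes from `.*6:6 pkts` to `.* 6:0 pkts`, i.e. a space is now required before the counter; that brings it in line with the tcp_in_* patterns (which already had `.* 9:9 pkts`) and stops the old form matching a longer count such as `16:0` as a suffix, but it is an unrelated tightening and deserves a mention in the commit message. The comment block copied in above the loop duplicates the FIXME text verbatim for a third time; a single explanatory comment near the top of the file with a short reference from each test would be easier to keep in sync.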