Date: Tue, 20 Jun 2023 11:57:47 -0400 From: Matteo Riondato <matteo@freebsd.org> To: Doug Rabson <dfr@freebsd.org>, Kristof Provost <kp@freebsd.org> Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: 3a1f834b5228 - main - pf: Add code to enable filtering for locally delivered packets Message-ID: <bpp7osufd7dbvoo35ffldieku3ctkv6p2evbfygisfq7hixiic@j7xyvx5blomy> In-Reply-To: <202306201435.35KEZtHN062484@gitrepo.freebsd.org> References: <202306201435.35KEZtHN062484@gitrepo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--atpy5efsszlmg427 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2023-06-20 at 10:35 EDT, Doug Rabson <dfr@FreeBSD.org> wrote: >The branch main has been updated by dfr: > >URL: https://cgit.FreeBSD.org/src/commit/?id=3D3a1f834b5228986a7c14fd60da1= 3cf2700e80996 > >commit 3a1f834b5228986a7c14fd60da13cf2700e80996 >Author: Doug Rabson <dfr@FreeBSD.org> >AuthorDate: 2023-06-20 13:01:58 +0000 >Commit: Doug Rabson <dfr@FreeBSD.org> >CommitDate: 2023-06-20 14:34:01 +0000 > > pf: Add code to enable filtering for locally delivered packets > > This is disabled by default since it potentially changes the behavior = of > existing filter rule sets. To enable this extra filter for packets bei= ng > delivered locally, use: > > sysctl net.pf.filter_local=3D1 > service pf restart > > PR: 268717 > Reviewed-by: kp > MFC-after: 2 weeks > Differential Revision: https://reviews.freebsd.org/D40373 >--- > UPDATING | 12 ++++++++++++ > sys/netpfil/pf/pf_ioctl.c | 20 ++++++++++++++++++++ > tests/sys/netpfil/common/utils.subr | 3 +-- > tests/sys/netpfil/pf/fragmentation_compat.sh | 3 ++- > tests/sys/netpfil/pf/fragmentation_pass.sh | 3 ++- > tests/sys/netpfil/pf/killstate.sh | 24 ++++++++++++++++-------- > tests/sys/netpfil/pf/map_e.sh | 3 ++- > tests/sys/netpfil/pf/pass_block.sh | 3 ++- > tests/sys/netpfil/pf/pfsync.sh | 1 + > tests/sys/netpfil/pf/route_to.sh | 3 ++- > tests/sys/netpfil/pf/set_skip.sh | 2 +- > tests/sys/netpfil/pf/table.sh | 6 ++++-- > 12 files changed, 65 insertions(+), 18 deletions(-) > >diff --git a/UPDATING b/UPDATING >index 1980411c1853..f4e13d97006d 100644 >--- a/UPDATING >+++ b/UPDATING >@@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW: > world, or to merely disable the most expensive debugging functionality > at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) > >+20230619: >+ To enable pf rdr rules for connections initiated from the host, pf >+ filter rules can be optionally enabled for packets delivered >+ locally. This can change the behavior of rules which match packets >+ delivered to lo0. To enable this feature: >+ >+ sysctl net.pf.filter_local=3D1 >+ service pf restart It seems a bit weird to suggest an action that is not permanent (does=20 not survive reboot). See proposed rewording below. >+ >+ When enabled, its best to ensure that packets delivered locally are not s/its/it is/ >+ filtered, e.g. by adding a 'skip on lo' rule. TBH, I find the phrasing a bit confusing: "to enable pf rdr rules for=20 connections =E2=80=A6, pf filter rules can *optionally* be enabled for pac= kets=20 delivered locally". That "optionally" makes it sound as if it is not=20 *required* to enable pf filter rules for packets delivered locally in=20 order to enable pf rdr rules for connections etc etc., but, given this=20 change, I assume it is. Perhaps a better phrasing (assuming I understand the feature) would be: "The new sysctl net.pf.filter_local controls whether PF filter rules are=20 enabled for packets originating from localhost and delivered locally. This feature can be useful for, e.g., enabling rdr rules for connections=20 initiated from localhost and redirected to a different port on=20 localhost. Setting the sysctl to 1 may change the behavior of rules=20 which match packets delivered to lo0, so it may be necessary to add=20 enable the "skip on lo" option." Note that "skip on" is not a rule, even if it is translated to a pair of=20 rules: it's part of the options, and requires "set" before it, per=20 pf.conf(5). Also, I'm assuming (and mention in the rewording) we are=20 talking about rdr rules for port remapping, not rdr rules that redirect=20 to other destinations, but please confirm or adjust. More generally, this new feature should likely also be documented=20 somewhere else (pf(4) ? pfctl(8)? pf.conf(5)?).=20 But apart from the above, I'm a little puzzled: does it mean that until=20 now (and continuing to do so, unless one sets the sysctl to 1), packets=20 originating locally and destined locally were not filtered by pf? I.e.,=20 that filtering rules on lo0 had no effect on incoming traffic from=20 localhost? Thanks, Matteo --atpy5efsszlmg427 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQJHBAABCgAxFiEEa9uKZL0hP4E8Nl5vGwL9SVQlVQEFAmSRzGgTGGhrcHM6Ly9w Z3AubWl0LmVkdQAKCRAbAv1JVCVVAd/yD/98jK6+btKowzD4NlfP/QTksFfjWia1 s86lfjfk85NSSdG4Y0mcE5WvcPYD79p38UCK2f3wxfW5u+Wu8NifMVcTuntarw1u BIl31Rx7lzDi61R9cTZVn4VDFMX+65Ln69uOpwp+WNze8BNxogGiRO9h6lE5fiGd c0dfxB+50U/JqPHOFvTNRB+Z4cQHvUZhH3iOS2L47qRC0THhtM5+0zJMkD4OC8V+ qnjxusRxJ8EfLQ9GfcZ8Va4+riqiz0ZPwTgZUtGtyLzs1Y5muW127Np2zbkZi24P pZ4xCmWKI6NKlFV0aBGGmpQoWBnXoWtYRGvTqdZBN9sZBw9wb6FmA7l6bj/YLXOH mmB+UjGO9PJohGZ2FXbvNm3B3mCyZ8PJdgruW/v1Rike0+kdtfe2VpJbz8FJ/nft 7WLJEIUfhPSaey4QwAGLLvsnxe+n0Cbmf54k9++y5cWMCajzKKxcIvKCLJCs3baN pzPIktkUZPc0I6IRRXLXm7zxMTo5n2JC2mAuFerYXrGUsXSWL1mNdb+ZGk35V5TA 4IE9oFgvmBU1pY1BZHPjC+zdNI1MXhlMjXhCH8vLoWa2b9thcVD5DeZ5CbBLwK1M Q5s3vyh0+inVTxBk+Giu2h8C0oL33b1PbNes6kK8IP2k6yub1yCGiddPpvIIp7YP JZIT0cTnE7gK6g== =VFn6 -----END PGP SIGNATURE----- --atpy5efsszlmg427--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bpp7osufd7dbvoo35ffldieku3ctkv6p2evbfygisfq7hixiic>