Date: Tue, 15 Jul 2025 10:07:58 GMT
Message-Id: <202507151007.56FA7wNE028060@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 2212dbd78884 - main - pf: Don't run copies of packets made by dup-to through pf_test.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 2212dbd78884e36f4d9f15e0e6b65fdd09d37679

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=2212dbd78884e36f4d9f15e0e6b65fdd09d37679

commit 2212dbd78884e36f4d9f15e0e6b65fdd09d37679
Author:     Kristof Provost
AuthorDate: 2025-07-08 15:09:30 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-15 07:55:30 +0000

    pf: Don't run copies of packets made by dup-to through pf_test.

    dup-to is kind of like what you do with a span port, but is a bit more
    fine grained. It copies packets in a connection out an interface so that
    connection can be monitored.

    It doesn't make sense for pf to see the copied packets and try to match
    or create new states for them either. At best it needs config to stop pf
    seeing the copies (e.g., set skip on $dup_to_tgt_if). At worst it breaks
    the connections you're monitoring because the states in pf get confused.

    Found while discussing larger route-to changes on tech@.

    ok bluhm@ sashan@

    Obtained from:  OpenBSD, dlg, 670ae1ca2f
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index ac05cad7d4c8..63d513fb1956 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9068,6 +9068,9 @@ pf_route(struct pf_krule *r, struct ifnet *oifp, goto bad; } + if (r->rt == PF_DUPTO) + skip_test = true; + if (pd->dir == PF_IN && !skip_test) { if (pf_test(AF_INET, PF_OUT, PFIL_FWD, ifp, &m0, inp, &pd->act) != PF_PASS) { @@ -9370,6 +9373,9 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp, goto bad; } + if (r->rt == PF_DUPTO) + skip_test = true; + if (pd->dir == PF_IN && !skip_test) { if (pf_test(AF_INET6, PF_OUT, PFIL_FWD | PF_PFIL_NOREFRAGMENT, ifp, &m0, inp, &pd->act) != PF_PASS) {
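Review bot: the new `skip_test = true` assignment in pf_route() carries no comment explaining why dup-to copies must bypass pf_test; a one-liner such as `/* dup-to copies exist only for monitoring; never re-run pf_test on them */` would save the next reader a trip to the commit log. It is also worth confirming that the `pd->dir == PF_IN && !skip_test` call visible in the context is the only pf_test invocation in pf_route(): if any other pf_test call in the function is not gated on `skip_test`, a dup-to copy taken on the outbound path would still be re-evaluated and could create exactly the spurious states this change is meant to prevent.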
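Review bot: the pf_route6() hunk is a byte-for-byte copy of the pf_route() one (`if (r->rt == PF_DUPTO) skip_test = true;`), and the `pd->dir == PF_IN && !skip_test` guard that follows is duplicated as well. Consider hoisting the PF_DUPTO check to wherever `skip_test` is initialised, or into a small shared helper, so the IPv4 and IPv6 paths cannot drift apart the next time one of them is touched.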