Date: Sat, 18 Jun 2022 13:08:08 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: c5203f7d418d - stable/13 - pf: Improve route-to handling of pfsync'd states
Message-ID: <202206181308.25ID88x9039586@gitrepo.freebsd.org>
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=c5203f7d418db97cc5419a7e1bafa56fdeb26563 commit c5203f7d418db97cc5419a7e1bafa56fdeb26563 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2022-06-04 10:38:40 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-06-18 07:29:18 +0000 pf: Improve route-to handling of pfsync'd states When a state if pfsync’d to a different host it doesn’t get all of the expected pointers, including the pointer to the struct pfi_kif / struct ifnet rt_kif pointer. (I.e. the interface to route out on). That in turn means that pf_route() ends up dropping the packet. Use the rule's struct pfi_kif pointer so we can still route out of the expected interface. MFC after: 2 weeks Sponsored by: Orange Business Services (cherry picked from commit 81ef217ad428c29be669aac2166d194db31817a7) --- sys/netpfil/pf/pf.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 3f7370e1cf12..0c5266fbbcb9 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5885,6 +5885,10 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, r->rpool.cur->kif->pfik_ifp : NULL; } else { ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? + r->rpool.cur->kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } if (ifp == oifp) { @@ -5940,6 +5944,9 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; if (ifp == NULL) goto bad; 
@@ -6070,6 +6077,10 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, r->rpool.cur->kif->pfik_ifp : NULL; } else { ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? + r->rpool.cur->kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } if (ifp == oifp) { @@ -6128,6 +6139,9 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, if (s) PF_STATE_UNLOCK(s); + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; if (ifp == NULL) goto bad;
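Review bot: In the first pf_route() hunk (@@ -5885), the comment /* If pfsync'd */ says more than the test checks: ifp == NULL is true for any state whose rt_kif is unset, whatever the reason. Suggest wording the comment around the condition actually tested, for example that a state received over pfsync carries no rt_kif and so the rule's pool interface is used instead.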
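Review bot: In the second pf_route() hunk (@@ -5940), the fallback sits after PF_STATE_UNLOCK(s) and outside the else block, while the first hunk puts the same fallback inside the else block before the unlock. The added lines read only r, not s, so one placement should be chosen for both sites; putting it after the unlock in both also keeps the locked region as short as it was before the change.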
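Review bot: In the first pf_route6() hunk (@@ -6070), the fallback takes the interface from r->rpool.cur, which is whatever pool entry the rule currently points at on this host. If the rule's pool has more than one entry, that need not be the interface the state was created with on the sending peer. Please state in the comment or the commit message whether that is acceptable, or limit the fallback to the case where the choice is unambiguous.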
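Review bot: In the second pf_route6() hunk (@@ -6139), this is the fourth copy of the same fallback, and the copies already differ in line wrapping and in position relative to the unlock. A small static helper that returns the ifnet for a given rule and state would keep pf_route() and pf_route6() in step. The diffstat also lists only sys/netpfil/pf/pf.c, so a regression test covering route-to with a pfsync'd state is missing from this change.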