Date:      Wed, 31 May 2023 18:07:39 +0200
From:      Kristof Provost <kp@FreeBSD.org>
To:        Doug Rabson <dfr@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: 5ab151574c8a - main - netinet*: Fix redirects for connections from localhost
Message-ID:  <8674E4D4-FA56-407B-A68D-C665FCB8868D@FreeBSD.org>
In-Reply-To: <202305311011.34VABVwJ006123@gitrepo.freebsd.org>
References:  <202305311011.34VABVwJ006123@gitrepo.freebsd.org>


On 31 May 2023, at 12:11, Doug Rabson wrote:
> The branch main has been updated by dfr:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5ab151574c8a1824c6cd8eded28506cb983284bc
>
> commit 5ab151574c8a1824c6cd8eded28506cb983284bc
> Author:     Doug Rabson <dfr@FreeBSD.org>
> AuthorDate: 2023-05-24 13:11:37 +0000
> Commit:     Doug Rabson <dfr@FreeBSD.org>
> CommitDate: 2023-05-31 10:11:05 +0000
>
>     netinet*: Fix redirects for connections from localhost
>
>     Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
>     rules to change the destination address and port for a connection.
>     Typically, the rule triggers on an input event when a packet is received
>     by a router and the destination address and/or port is changed to
>     implement the redirect. When a reply packet on this connection is output
>     to the network, the rule triggers again, reversing the modification.
>
>     When the connection is initiated on the same host as the packet filter,
>     it is initially output via lo0 which queues it for input processing.
>     This causes an input event on the lo0 interface, allowing redirect
>     processing to rewrite the destination and create state for the
>     connection. However, when the reply is received, no corresponding output
>     event is generated; instead, the packet is delivered to the higher level
>     protocol (e.g. tcp or udp) without reversing the redirect, the reply is
>     not matched to the connection and the packet is dropped (for tcp, a
>     connection reset is also sent).
>
>     This commit fixes the problem by adding a second packet filter call in
>     the input path. The second call happens right before the handoff to
>     higher level processing and provides the missing output event to allow
>     the redirect's reply processing to perform its rewrite. This extra
>     processing is disabled by default and can be enabled using pfilctl:
>
>             pfilctl link -o pf:default-out inet-local
>             pfilctl link -o pf:default-out6 inet6-local
>
>     PR:             268717
>     Reviewed-by:    kp, melifaro
>     MFC-after:      2 weeks
>     Differential Revision: https://reviews.freebsd.org/D40256

It looks like there’s some fallout from this in the dummynet tests:
https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23646/#showFailuresLink

Those tests set up the new hook, and without those hooks (i.e. with this patch reverted) the tests pass again.

Best regards,
Kristof
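An added pf.conf fragment (not from the commit, the review, or this thread) showing the setup the commit message describes: an rdr rule for connections a process on the host makes to one of the host's own addresses. The addresses and ports are placeholders, and it assumes lo0 is not excluded from filtering with "set skip".

```pf
# Constructed example pf.conf fragment (placeholder addresses and ports).
#
# Redirect connections to this host's own TCP port 80 to a service on
# 127.0.0.1:8080. A connection the host makes to a local address is first
# output via lo0 and queued back for input, so the rdr rule has to be
# attached to lo0, and lo0 must NOT appear in "set skip" or pf never sees
# the input event that does the rewrite.
#
# With only this rule, the lo0 input event rewrites the destination and
# creates state, but the reply has no matching output event and is dropped
# (tcp also gets a reset). The extra PFIL_OUT call from the commit supplies
# that event once the pf default-out hook is linked to the local heads:
#
#   pfilctl link -o pf:default-out inet-local
#   pfilctl link -o pf:default-out6 inet6-local

# set skip on lo0   <- must be absent for the rule below to trigger

rdr pass on lo0 proto tcp from any to self port 80 -> 127.0.0.1 port 8080
```

Forwarded connections arriving on an external interface still get the ordinary PFIL_IN/PFIL_OUT pair and do not need the extra hook.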