git: c5203f7d418d - stable/13 - pf: Improve route-to handling of pfsync'd states

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Kristof Provost <kp_at_FreeBSD.org>
Date: Sat, 18 Jun 2022 13:08:08 UTC
The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=c5203f7d418db97cc5419a7e1bafa56fdeb26563

commit c5203f7d418db97cc5419a7e1bafa56fdeb26563
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-06-04 10:38:40 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-06-18 07:29:18 +0000

    pf: Improve route-to handling of pfsync'd states
    
    When a state if pfsync’d to a different host it doesn’t get all of the
    expected pointers, including the pointer to the struct pfi_kif / struct
    ifnet rt_kif pointer. (I.e. the interface to route out on).
    
    That in turn means that pf_route() ends up dropping the packet.
    
    Use the rule's struct pfi_kif pointer so we can still route out of the
    expected interface.
    
    MFC after:      2 weeks
    Sponsored by:   Orange Business Services
    
    (cherry picked from commit 81ef217ad428c29be669aac2166d194db31817a7)
---
 sys/netpfil/pf/pf.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3f7370e1cf12..0c5266fbbcb9 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5885,6 +5885,10 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
 				    r->rpool.cur->kif->pfik_ifp : NULL;
 			} else {
 				ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
+				/* If pfsync'd */
+				if (ifp == NULL)
+					ifp = r->rpool.cur->kif ?
+					    r->rpool.cur->kif->pfik_ifp : NULL;
 				PF_STATE_UNLOCK(s);
 			}
 			if (ifp == oifp) {
@@ -5940,6 +5944,9 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
 		ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
 		PF_STATE_UNLOCK(s);
 	}
+	/* If pfsync'd */
+	if (ifp == NULL)
+		ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
 	if (ifp == NULL)
 		goto bad;
 
@@ -6070,6 +6077,10 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
 				    r->rpool.cur->kif->pfik_ifp : NULL;
 			} else {
 				ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
+				/* If pfsync'd */
+				if (ifp == NULL)
+					ifp = r->rpool.cur->kif ?
+					    r->rpool.cur->kif->pfik_ifp : NULL;
 				PF_STATE_UNLOCK(s);
 			}
 			if (ifp == oifp) {
@@ -6128,6 +6139,9 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp,
 	if (s)
 		PF_STATE_UNLOCK(s);
 
+	/* If pfsync'd */
+	if (ifp == NULL)
+		ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
 	if (ifp == NULL)
 		goto bad;