Date: Thu, 12 May 2022 19:58:14 GMT
Message-Id: <202205121958.24CJwEZl075580@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: a908f8f0dc62 - main - pf: tag dummynet'd route-to packets with their real destination
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a908f8f0dc62ebf61b6f92c60c9c053be6ccb194

The branch main has been updated by kp:

URL:
https://cgit.FreeBSD.org/src/commit/?id=a908f8f0dc62ebf61b6f92c60c9c053be6ccb194 commit a908f8f0dc62ebf61b6f92c60c9c053be6ccb194 Author: Kristof Provost AuthorDate: 2022-05-10 07:23:36 +0000 Commit: Kristof Provost CommitDate: 2022-05-12 19:50:10 +0000 pf: tag dummynet'd route-to packets with their real destination If we delay route-to/dup-to/reply-to through dummynet we are eventually returned to pf_test(). At that point we no longer have the context for the route-to destination. We'd just skip the pf_test() and continue processing. This means that route-to did not work as expected. Extend pf_mtag to carry the route-to destination so we can apply it when we re-enter pf_test(). Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D35159 --- sys/netpfil/pf/pf.c | 67 +++++++++++++++++++++++++++++++++++++++++++++--- sys/netpfil/pf/pf_mtag.h | 5 +++- 2 files changed, 68 insertions(+), 4 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 343668030d0d..bd9334982be9 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -283,6 +283,9 @@ void pf_rule_to_actions(struct pf_krule *, struct pf_rule_actions *); static int pf_dummynet(struct pf_pdesc *, int, struct pf_kstate *, struct pf_krule *, struct mbuf **); +static int pf_dummynet_route(struct pf_pdesc *, int, + struct pf_kstate *, struct pf_krule *, + struct ifnet *, struct sockaddr *, struct mbuf **); static int pf_test_eth_rule(int, struct pfi_kkif *, struct mbuf **); static int pf_test_rule(struct pf_krule **, struct pf_kstate **, @@ -6382,7 +6385,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, m_clrprotoflags(m0); /* Avoid confusing lower layers. */ md = m0; - error = pf_dummynet(pd, dir, s, r, &md); + error = pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md); if (md != NULL) error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL); goto done; 
@@ -6415,7 +6418,8 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, if (error == 0) { m_clrprotoflags(m0); md = m0; - error = pf_dummynet(pd, dir, s, r, &md); + error = pf_dummynet_route(pd, dir, s, r, ifp, + sintosa(&dst), &md); if (md != NULL) error = (*ifp->if_output)(ifp, md, sintosa(&dst), NULL); @@ -6565,7 +6569,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, struct ifnet *oifp, dst.sin6_addr.s6_addr16[1] = htons(ifp->if_index); if ((u_long)m0->m_pkthdr.len <= ifp->if_mtu) { md = m0; - pf_dummynet(pd, dir, s, r, &md); + pf_dummynet_route(pd, dir, s, r, ifp, sintosa(&dst), &md); if (md != NULL) nd6_output_ifp(ifp, ifp, md, &dst, NULL); } @@ -6827,6 +6831,16 @@ static int pf_dummynet(struct pf_pdesc *pd, int dir, struct pf_kstate *s, struct pf_krule *r, struct mbuf **m0) { + return (pf_dummynet_route(pd, dir, s, r, NULL, NULL, m0)); +} + +static int +pf_dummynet_route(struct pf_pdesc *pd, int dir, struct pf_kstate *s, + struct pf_krule *r, struct ifnet *ifp, struct sockaddr *sa, + struct mbuf **m0) +{ + NET_EPOCH_ASSERT(); + if (s && (s->dnpipe || s->dnrpipe)) { pd->act.dnpipe = s->dnpipe; pd->act.dnrpipe = s->dnrpipe; @@ -6851,6 +6865,22 @@ pf_dummynet(struct pf_pdesc *pd, int dir, struct pf_kstate *s, return (ENOMEM); } + if (ifp != NULL) { + pd->pf_mtag->flags |= PF_TAG_ROUTE_TO; + + pd->pf_mtag->if_index = ifp->if_index; + pd->pf_mtag->if_idxgen = ifp->if_idxgen; + + MPASS(sa != NULL); + + if (pd->af == AF_INET) + memcpy(&pd->pf_mtag->dst, sa, + sizeof(struct sockaddr_in)); + else + memcpy(&pd->pf_mtag->dst, sa, + sizeof(struct sockaddr_in6)); + } + if (pf_pdesc_to_dnflow(dir, pd, r, s, &dnflow)) { pd->pf_mtag->flags |= PF_TAG_DUMMYNET; ip_dn_io_ptr(m0, &dnflow); 
@@ -6900,6 +6930,21 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb * memset(&pd, 0, sizeof(pd)); pd.pf_mtag = pf_find_mtag(m); + if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { + pd.pf_mtag->flags &= ~PF_TAG_ROUTE_TO; + + ifp = ifnet_byindexgen(pd.pf_mtag->if_index, + pd.pf_mtag->if_idxgen); + if (ifp == NULL || ifp->if_flags & IFF_DYING) { + m_freem(*m0); + *m0 = NULL; + return (PF_PASS); + } + (ifp->if_output)(ifp, m, sintosa(&pd.pf_mtag->dst), NULL); + *m0 = NULL; + return (PF_PASS); + } + if (pd.pf_mtag && pd.pf_mtag->dnpipe) { pd.act.dnpipe = pd.pf_mtag->dnpipe; pd.act.flags = pd.pf_mtag->dnflags; @@ -7374,6 +7419,22 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb memset(&pd, 0, sizeof(pd)); pd.pf_mtag = pf_find_mtag(m); + if (pd.pf_mtag != NULL && (pd.pf_mtag->flags & PF_TAG_ROUTE_TO)) { + pd.pf_mtag->flags &= ~PF_TAG_ROUTE_TO; + + ifp = ifnet_byindexgen(pd.pf_mtag->if_index, + pd.pf_mtag->if_idxgen); + if (ifp == NULL || ifp->if_flags & IFF_DYING) { + m_freem(*m0); + *m0 = NULL; + return (PF_PASS); + } + nd6_output_ifp(ifp, ifp, m, + (struct sockaddr_in6 *)&pd.pf_mtag->dst, NULL); + *m0 = NULL; + return (PF_PASS); + } + if (pd.pf_mtag && pd.pf_mtag->dnpipe) { pd.act.dnpipe = pd.pf_mtag->dnpipe; pd.act.flags = pd.pf_mtag->dnflags; diff --git a/sys/netpfil/pf/pf_mtag.h b/sys/netpfil/pf/pf_mtag.h index 50928d4b204b..c9ea98b80b69 100644 --- a/sys/netpfil/pf/pf_mtag.h +++ b/sys/netpfil/pf/pf_mtag.h @@ -36,7 +36,7 @@ #ifdef _KERNEL -/* 0x01 unused. */ +#define PF_TAG_ROUTE_TO 0x01 #define PF_TAG_DUMMYNET 0x02 #define PF_TAG_TRANSLATE_LOCALHOST 0x04 #define PF_PACKET_LOOPED 0x08 @@ -54,6 +54,9 @@ struct pf_mtag { u_int8_t routed; u_int16_t dnpipe; u_int32_t dnflags; + u_int16_t if_index; /* For ROUTE_TO */ + u_int16_t if_idxgen; /* For ROUTE_TO */ + struct sockaddr_storage dst; /* For ROUTE_TO */ }; static __inline struct pf_mtag *
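Review bot: In the pf_dummynet_route() hunk (@@ -6851,6 +6865,22), the `if (ifp != NULL)` block sets PF_TAG_ROUTE_TO, `if_index`/`if_idxgen` and `dst` on the mtag before `pf_pdesc_to_dnflow()` has decided whether the packet will actually be queued to dummynet. On the path where no pipe applies, pf_route()/pf_route6() output the mbuf through `if_output`/`nd6_output_ifp` still carrying the tag, so if that mbuf later re-enters pf_test() (loopback or tunnel interfaces, for instance) the new re-entry branch will re-output it to the stored destination instead of filtering it. Consider setting the tag only once `pf_pdesc_to_dnflow()` returns true, or clearing it on the non-dummynet path. Also, the `else` arm of the `pd->af` check copies `sizeof(struct sockaddr_in6)` for any family other than AF_INET; copying `sa->sa_len` bytes, or asserting `pd->af == AF_INET6`, would make the intent explicit and match the `MPASS(sa != NULL)` just above it.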
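Review bot: In the pf_test() hunk (@@ -6900,6 +6930,21), the PF_TAG_ROUTE_TO branch returns PF_PASS both when the packet is dropped (`ifp == NULL || ifp->if_flags & IFF_DYING`, after `m_freem`) and when it is sent, and the return value of `(ifp->if_output)(...)` is discarded. Since `*m0 = NULL` marks the mbuf consumed either way, the caller cannot tell a drop from a delivery and the dropped packet is not counted as such; returning PF_DROP in the dying-interface case, and either propagating or explicitly ignoring the `if_output` error with a comment, would make this visible. A one-line comment that this early return is intentional (the packet already went through pf_test() before it was queued to dummynet, so the remaining checks, including the `dnpipe` block that follows, are skipped on purpose) would also help the next reader.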
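Review bot: The pf_test6() hunk (@@ -7374,6 +7419,22) duplicates the pf_test() re-entry block line for line except for the final `nd6_output_ifp()` call. The `ifnet_byindexgen()` lookup, the IFF_DYING check and the mbuf cleanup would be better shared in a small static helper that returns the ifnet or NULL, so both paths stay in sync when the lookup or drop semantics change. The cast `(struct sockaddr_in6 *)&pd.pf_mtag->dst` also relies on pf_dummynet_route() having copied a sockaddr_in6 for this packet; nothing checks `dst.ss_family`, so a `MPASS(pd.pf_mtag->dst.ss_family == AF_INET6)` would document the invariant.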
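Review bot: The struct pf_mtag hunk in pf_mtag.h (@@ -54,6 +54,9) adds a `struct sockaddr_storage dst` (128 bytes) and two u_int16_t fields to every pf_mtag, not only to route-to packets, so the m_tag allocation for every packet pf tags grows accordingly. If that cost matters on the fast path, a union with other per-purpose fields or a separate m_tag type for ROUTE_TO would keep the common case small. The `/* For ROUTE_TO */` comments could also say that `if_index`/`if_idxgen` are validated with `ifnet_byindexgen()` on re-entry and that `dst` holds a sockaddr_in or sockaddr_in6 depending on the packet's address family.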