Date: Tue, 20 Jun 2023 11:57:47 -0400
From: Matteo Riondato
To: Doug Rabson, Kristof Provost
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 3a1f834b5228 - main - pf: Add code to enable filtering for locally delivered packets
X-PGP-Key: http://rionda.to/files/matteogpg.asc
In-Reply-To: <202306201435.35KEZtHN062484@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On 2023-06-20 at 10:35 EDT, Doug Rabson wrote:
>The branch main has been updated by dfr:
>
>URL: https://cgit.FreeBSD.org/src/commit/?id=3a1f834b5228986a7c14fd60da13cf2700e80996
>
>commit 3a1f834b5228986a7c14fd60da13cf2700e80996
>Author:     Doug Rabson
>AuthorDate: 2023-06-20 13:01:58 +0000
>Commit:     Doug Rabson
>CommitDate: 2023-06-20 14:34:01 +0000
>
>    pf: Add code to enable filtering for locally delivered packets
>
>    This is disabled by default since it potentially changes the behavior of
>    existing filter rule sets.
>    To enable this extra filter for packets being
>    delivered locally, use:
>
>    sysctl net.pf.filter_local=1
>    service pf restart
>
>    PR:                     268717
>    Reviewed-by:            kp
>    MFC-after:              2 weeks
>    Differential Revision:  https://reviews.freebsd.org/D40373
>---
> UPDATING                                     | 12 ++++++++++++
> sys/netpfil/pf/pf_ioctl.c                    | 20 ++++++++++++++++++++
> tests/sys/netpfil/common/utils.subr          |  3 +--
> tests/sys/netpfil/pf/fragmentation_compat.sh |  3 ++-
> tests/sys/netpfil/pf/fragmentation_pass.sh   |  3 ++-
> tests/sys/netpfil/pf/killstate.sh            | 24 ++++++++++++++++--------
> tests/sys/netpfil/pf/map_e.sh                |  3 ++-
> tests/sys/netpfil/pf/pass_block.sh           |  3 ++-
> tests/sys/netpfil/pf/pfsync.sh               |  1 +
> tests/sys/netpfil/pf/route_to.sh             |  3 ++-
> tests/sys/netpfil/pf/set_skip.sh             |  2 +-
> tests/sys/netpfil/pf/table.sh                |  6 ++++--
> 12 files changed, 65 insertions(+), 18 deletions(-)
>
>diff --git a/UPDATING b/UPDATING
>index 1980411c1853..f4e13d97006d 100644
>--- a/UPDATING
>+++ b/UPDATING
>@@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
> 	world, or to merely disable the most expensive debugging functionality
> 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
>
>+20230619:
>+	To enable pf rdr rules for connections initiated from the host, pf
>+	filter rules can be optionally enabled for packets delivered
>+	locally. This can change the behavior of rules which match packets
>+	delivered to lo0. To enable this feature:
>+
>+	sysctl net.pf.filter_local=1
>+	service pf restart

It seems a bit weird to suggest an action that is not permanent (does
not survive reboot). See proposed rewording below.

>+
>+	When enabled, its best to ensure that packets delivered locally are not

s/its/it is/

>+	filtered, e.g. by adding a 'skip on lo' rule.

TBH, I find the phrasing a bit confusing: "to enable pf rdr rules for
connections …, pf filter rules can *optionally* be enabled for packets
delivered locally". That "optionally" makes it sound as if it is not
*required* to enable pf filter rules for packets delivered locally in
order to enable pf rdr rules for connections etc. etc., but, given this
change, I assume it is.

Perhaps a better phrasing (assuming I understand the feature) would be:

"The new sysctl net.pf.filter_local controls whether PF filter rules are
enabled for packets originating from localhost and delivered locally.
This feature can be useful for, e.g., enabling rdr rules for connections
initiated from localhost and redirected to a different port on
localhost. Setting the sysctl to 1 may change the behavior of rules
which match packets delivered to lo0, so it may be necessary to
enable the "skip on lo" option."

Note that "skip on" is not a rule, even if it is translated to a pair of
rules: it's part of the options, and requires "set" before it, per
pf.conf(5).
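Review bot: the new 20230619 entry tells the reader to run `sysctl net.pf.filter_local=1` followed by `service pf restart`, which is lost at the next boot; add the persistent form next to it (a `net.pf.filter_local=1` line in /etc/sysctl.conf, which the sysctl rc script applies before the pf rc script runs, so the setting is already in effect when the ruleset is loaded at boot). The closing sentence should refer to the `set skip on lo0` option rather than to "adding a 'skip on lo' rule", since `skip` is a `set` option in pf.conf(5), and "its best" should read "it is best". The entry also never states the default: the commit message says the feature is disabled by default, and the entry should say so too, so a reader knows that an unchanged system keeps its current behaviour.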
Also, I'm assuming (and mention in the rewording) we are
talking about rdr rules for port remapping, not rdr rules that redirect
to other destinations, but please confirm or adjust.

More generally, this new feature should likely also be documented
somewhere else (pf(4)? pfctl(8)? pf.conf(5)?).

But apart from the above, I'm a little puzzled: does it mean that until
now (and continuing to do so, unless one sets the sysctl to 1), packets
originating locally and destined locally were not filtered by pf? I.e.,
that filtering rules on lo0 had no effect on incoming traffic from
localhost?

Thanks,
Matteo
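A worked configuration for the procedure in the quoted UPDATING entry, added here as an illustration; it is not taken from the commit, from the thread, or from the FreeBSD tree. It assumes the host's own address is 203.0.113.10 (a constructed documentation address), that a service bound to 127.0.0.1:8080 should also receive connections that the host makes to its own address on port 80, and that the rdr rule is written without an `on <interface>` qualifier so that it matches on whichever pass pf evaluates it. Which pass that is once net.pf.filter_local=1 is set, and how it interacts with `set skip on lo0`, is exactly what the reply above asks to have confirmed, so the rdr line is an assumption to be checked on a real host.

```conf
# /etc/sysctl.conf: persistent form of the two commands in the UPDATING
# entry. The sysctl rc script applies this before the pf rc script runs,
# so the hook is in place when the ruleset is loaded at boot. (Assumption:
# the value is read when pf is enabled, which is why the entry says to
# restart pf after changing it.)
net.pf.filter_local=1

# /etc/pf.conf
# 203.0.113.10 is a constructed documentation address (TEST-NET-3), not a
# real host; replace it with the address pf should redirect.
host_ip = "203.0.113.10"

# 'skip on' is a set option, not a rule (pf.conf(5)). This is the
# "skip on lo" the entry recommends once filter_local is enabled, so that
# loopback traffic is never filtered.
set skip on lo0

# Redirect port 80 on the host's own address to the service listening on
# 127.0.0.1:8080. No 'on <interface>' qualifier: the intent (assumption,
# see the lead-in) is that a connection the host itself makes to
# 203.0.113.10:80 is redirected as well, which is the case the new sysctl
# exists for. 'rdr pass' also passes the redirected packets, so no extra
# pass rule is needed for them.
rdr pass proto tcp from any to $host_ip port 80 -> 127.0.0.1 port 8080

# Default policy: deny and log unsolicited inbound traffic, allow the
# host's own outbound connections and their replies.
block in log all
pass out all keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, then `service pf restart`. Afterwards `sysctl net.pf.filter_local` should print 1 and `pfctl -sn` should list the rdr. A connection made from the host itself, for example `fetch -o /dev/null http://203.0.113.10/`, should then leave a state in `pfctl -ss` whose destination has been rewritten to 127.0.0.1:8080; if it does not, the rdr is not being evaluated on the pass that the host's own connections take, which is the open question in the reply above.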