From nobody Tue Dec 17 10:08:02 2024
Date: Tue, 17 Dec 2024 10:08:02 GMT
Message-Id: <202412171008.4BHA82xI024330@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: c6210cfd58f6 - main - pf: fix if-bound with nat64
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c6210cfd58f6a570786106f35ebbe1c49f48287c
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=c6210cfd58f6a570786106f35ebbe1c49f48287c

commit c6210cfd58f6a570786106f35ebbe1c49f48287c
Author:     Kristof Provost
AuthorDate: 2024-11-15 15:29:54 +0000
Commit:     Kristof Provost
CommitDate: 2024-12-17 10:07:16 +0000

    pf: fix if-bound with nat64

    Just as with reply-to rules, we don't know what interface we will send
    this out of until we create the state.

    Create new nat64 rules as floating, but bind them to the appropriate
    interface on the first pf_route(), when we do know.

    Set state policy if-bound for the nat64 tests to validate this.

    See also:       6460322a0
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D47801
---
 sys/netpfil/pf/pf.c           | 28 +++++++++++++++++++++++++---
 tests/sys/netpfil/pf/nat64.sh |  1 +
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 445aef881fe8..08486d5d1467 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -438,8 +438,10 @@ enum { PF_ICMP_MULTI_NONE, PF_ICMP_MULTI_LINK }; } while (0) static struct pfi_kkif * -BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k) +BOUND_IFACE(struct pf_kstate *st, struct pf_pdesc *pd) { + struct pfi_kkif *k = pd->kif; + SDT_PROBE2(pf, ip, , bound_iface, st, k); /* Floating unless otherwise specified. */ @@ -450,7 +452,7 @@ BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k) * Initially set to all, because we don't know what interface we'll be * sending this out when we create the state. */ - if (st->rule->rt == PF_REPLYTO) + if (st->rule->rt == PF_REPLYTO || (pd->af != pd->naf)) return (V_pfi_all); /* Don't overrule the interface for states created on incoming packets. */ @@ -6125,7 +6127,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, __func__, nr, sk, nk)); /* Swap sk/nk for PF_OUT. */ - if (pf_state_insert(BOUND_IFACE(s, pd->kif), pd->kif, + if (pf_state_insert(BOUND_IFACE(s, pd), pd->kif, (pd->dir == PF_IN) ? sk : nk, (pd->dir == PF_IN) ? nk : sk, s)) { REASON_SET(&reason, PFRES_STATEINS); @@ -8800,6 +8802,16 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, dst.sin_addr = nh->gw4_sa.sin_addr; else dst.sin_addr = ip->ip_dst; + + /* + * Bind to the correct interface if we're + * if-bound. We don't know which interface + * that will be until here, so we've inserted + * the state on V_pf_all. Fix that now. + */ + if (s->kif == V_pfi_all && ifp != NULL && + r->rule_flag & PFRULE_IFBOUND) + s->kif = ifp->if_pf_kif; } } @@ -9050,6 +9062,16 @@ pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, sizeof(dst.sin6_addr)); else dst.sin6_addr = ip6->ip6_dst; + + /* + * Bind to the correct interface if we're + * if-bound. We don't know which interface + * that will be until here, so we've inserted + * the state on V_pf_all. Fix that now. + */ + if (s->kif == V_pfi_all && ifp != NULL && + r->rule_flag & PFRULE_IFBOUND) + s->kif = ifp->if_pf_kif; } } 
diff --git a/tests/sys/netpfil/pf/nat64.sh b/tests/sys/netpfil/pf/nat64.sh index 3e04dc6e7bc0..0ae2c0399daf 100644 --- a/tests/sys/netpfil/pf/nat64.sh +++ b/tests/sys/netpfil/pf/nat64.sh @@ -52,6 +52,7 @@ nat64_setup() jexec rtr pfctl -e pft_set_rules rtr \ + "set state-policy if-bound" \ "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from (${epair_link}a)" }
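Review bot: in the BOUND_IFACE() hunk the comment above the check ("Initially set to all, because we don't know what interface we'll be sending this out when we create the state") still describes the floating-first behaviour in terms of reply-to only, while the condition now also covers address-family translation through `pd->af != pd->naf`; extend the comment to say that af-to (nat64) states are handled the same way and are bound later in pf_route()/pf_route6(), otherwise the deferred binding is hard to find from this function. Note that this check sits before the "Don't overrule the interface for states created on incoming packets" check, so inbound af-to states that were previously bound to pd->kif are now deliberately created floating; that is the intent, but it is worth spelling out in the comment. Minor style: the parentheses around `pd->af != pd->naf` are redundant.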
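Review bot: in the pf_route() hunk `s` is dereferenced (`s->kif == V_pfi_all`) with no NULL check; if pf_route() can be entered with `s == NULL` (stateless route-to traffic), the new block needs an `s != NULL` guard. The condition `s->kif == V_pfi_all && ifp != NULL && r->rule_flag & PFRULE_IFBOUND` is correct only because `&` binds tighter than `&&`; please parenthesise it as `(r->rule_flag & PFRULE_IFBOUND)` for readability. Also confirm that the state lock is still held where `s->kif` is rewritten: the state lookup path reads `s->kif` to match if-bound states, so updating it on a live state without the lock would be a data race.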
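Review bot: the pf_route6() hunk is a verbatim copy of the pf_route() fix-up (same condition, same comment, same assignment to `s->kif`); factor it into a small static helper taking `(s, r, ifp)` so the IPv4 and IPv6 paths cannot drift apart, and so the NULL-check and locking questions raised for pf_route() only need to be answered once. The comment says the state was "inserted on V_pf_all" but the identifier used in the code is `V_pfi_all`; fix the comment to match.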
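Review bot: the nat64.sh hunk replaces the default (floating) policy with `set state-policy if-bound` in the shared nat64_setup, so the tests no longer exercise the floating path at all; rather than switching the policy outright, run the setup under both policies (a parameter to nat64_setup, or a second test case) so a regression in either path is caught. It would also be more direct to assert the binding itself, e.g. check that `jexec rtr pfctl -ss` lists the translated state on ${epair_link}a after the first packet, instead of relying only on the reply arriving.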