From nobody Fri Feb 02 16:55:40 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TRMND4fZJz595xj; Fri, 2 Feb 2024 16:55:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TRMND417fz4VLM; Fri, 2 Feb 2024 16:55:40 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1706892940; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W/heGnb5JeuZ0+DtNKm1PKfPcHeA3VuruPmAwGPvRsE=; b=X4EaJ/sYVzeNVUM4bPSGfqWwrfZV3K4o3ClIdjimf0cSr7H33R5sXYivxSZ/PywN1/2pYH hMztcjpEgeOXeKm5aHSKmd8ZrV0a2xaA69OtfNeR46HXpT2VQbqjv2H5SV0rrUejv4pkrN drzTqwQT7JspMzUb4ics2xC12rMvOoqLkQ4BmY2b1Peuq4lpcE7djnx3IHR5mav+SJKcFb fuCKgfIdXiP5I3zC9YGzpz8XQpophJYhE6zWBBcJZrLZ86F7MfUseREopCtGL+XxttjSHn l9BUfXWg+7bJpslphYs8hU7dGrd1yyFi5EP0E+b3ujYY1tuHkP8PMgXNlqnsjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1706892940; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W/heGnb5JeuZ0+DtNKm1PKfPcHeA3VuruPmAwGPvRsE=; b=y2oG6uVTM7qVFd6aaRV1RGgktqBOLqVgHKA/huyfBabVUUZfFCHOQ6iN9Xnme+qwsRnbVK pATO953hOzqQLEU/5ZriP+VyRCHq8Z6xSoH94JYOcUOe2aAn7J3TQCipI95hzucqGJXVPx hrBE5EyYqG/rIiA2Q6LOhg8Deiq7sOvKVZSIWQdr7zxpGnaKlVRvk1BQ986udQPQHQm/0D IOCWsrU1BIXeaAOh9k1zgIsit32sRW5ADdirZKrFCVoAs6qWb9uOipM+BCG2bPw2Ceem7w kD5k4gs3i2mXHu6uquHtS61XwZnLUvUCOdFcpkwm2BqzQQzBZ/KMgpEwXeZFzQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1706892940; a=rsa-sha256; cv=none; b=BfJAfThAL+meUkr2mvy0U/mPB7ku5WcvDAGwG3lCFAsNeju9VK1iigo7MtZePnkdaQak2R B1A3gZ658aLhGj4P+mYoRt7uVReH4Z7qBbq5pAxtSWB5jwCqMNaaPU5DukH+e/vCzMPaLT lSSXocqVzCAlDICgv0h/9BjQQqVs4IcxDwV8R7ybOhCwNWskMKxaYzGENsJ1pc4HRqReJL pMAJ8cnji+yfXWlpvG2Ti2vhdYx57gC0CKRglVVC1p60wgbLQa8OzzyMTbEwQHyJc1tHzZ R3ZzlqcEosld7wHkRQYxkg04nCQPsz0Kus5IVHogkFGStPDYITRHXzHMO7URcA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TRMND2p6Zzdcb; Fri, 2 Feb 2024 16:55:40 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 412GteIx034577; Fri, 2 Feb 2024 16:55:40 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 412GteET034574; Fri, 2 Feb 2024 16:55:40 GMT (envelope-from git) Date: Fri, 2 Feb 2024 16:55:40 GMT Message-Id: <202402021655.412GteET034574@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: b8ef285f6cc6 - main - pf: ensure dummynet gets the correct direction after route-to List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b8ef285f6cc6ae733e75488a6ff879e6fb23133d Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b8ef285f6cc6ae733e75488a6ff879e6fb23133d commit b8ef285f6cc6ae733e75488a6ff879e6fb23133d Author: Kristof Provost AuthorDate: 2024-02-01 17:59:36 +0000 Commit: Kristof Provost CommitDate: 2024-02-02 16:55:16 +0000 pf: ensure dummynet gets the correct direction after route-to If we apply a route-to to an inbound packet pf_route() may hand that packet over to dummynet. Dummynet may then delay the packet, and later re-inject it. This re-injection (in dummynet_send()) needs to know if the packet was inbound or outbound, to call the correct path for continued processing. That's done based on the pf_pdesc we pass along (through pf_dummynet_route() and pf_pdesc_to_dnflow()). In the case of pf_route() on inbound packets that may be wrong, because we're called in the input path, and didn't update pf_pdesc->dir. This can manifest in issues with fragmented packets. For example, a fragmented packet will be re-fragmented in pf_route(), and if dummynet makes different decisions for some of the fragments (that is, it delays some and allows others to pass through directly) this will break. The packets that pass through dummynet without delay will be transmitted correctly (through the ifp->if_output() call in pf_route()), but the delayed packets will be re-injected in the input path (and not the output path, as they should be). These packets will pass through pf_test(PF_IN) as they're tagged PF_MTAG_FLAG_DUMMYNET. However, this tag is then removed and the packet will be routed and enter pf_test(PF_OUT) where pf_reassemble() will hold them indefinitely (as some fragments have been transmitted directly, and will never hit pf_test(PF_OUT)). The fix is simple: we must update pf_pfdesc->dir to PF_OUT before we pass the packet to dummynet. See also: https://redmine.pfsense.org/issues/15156 Reviewed by: rcm Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 6 +++++ tests/sys/netpfil/pf/route_to.sh | 50 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 36ff0eac16ad..ec7964a48e6d 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7361,6 +7361,12 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, m0->m_pkthdr.csum_flags &= ~CSUM_SCTP; } + /* + * Make sure dummynet gets the correct direction, in case it needs to + * re-inject later. + */ + pd->dir = PF_OUT; + /* * If small enough for interface, or the interface will take * care of the fragmentation for us, we can just send directly. diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh index 7e8310bceb30..31a47e75c82e 100644 --- a/tests/sys/netpfil/pf/route_to.sh +++ b/tests/sys/netpfil/pf/route_to.sh @@ -407,6 +407,55 @@ ifbound_cleanup() pft_cleanup } +atf_test_case "dummynet_frag" "cleanup" +dummynet_frag_head() +{ + atf_set descr 'Test fragmentation with route-to and dummynet' + atf_set require.user root +} + +dummynet_frag_body() +{ + pft_init + dummynet_init + + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) + + ifconfig ${epair_one}a 192.0.2.1/24 up + + vnet_mkjail alcatraz ${epair_one}b ${epair_two}a + jexec alcatraz ifconfig ${epair_one}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_two}a 198.51.100.1/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + + vnet_mkjail singsing ${epair_two}b + jexec singsing ifconfig ${epair_two}b 198.51.100.2/24 up + jexec singsing route add default 198.51.100.1 + + route add 198.51.100.0/24 192.0.2.2 + + jexec alcatraz dnctl pipe 1 config bw 1000Byte/s burst 4500 + jexec alcatraz dnctl pipe 2 config + # This second pipe ensures that the pf_test(PF_OUT) call in pf_route() doesn't + # delay packets in dummynet (by inheriting pipe 1 from the input rule). + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set reassemble yes" \ + "pass in route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq dnpipe 1" \ + "pass out dnpipe 2" + + + atf_check -s exit:0 -o ignore ping -c 1 198.51.100.2 + atf_check -s exit:0 -o ignore ping -c 1 -s 4000 198.51.100.2 +} + +dummynet_frag_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "v4" @@ -416,4 +465,5 @@ atf_init_test_cases() atf_add_test_case "icmp_nat" atf_add_test_case "dummynet" atf_add_test_case "ifbound" + atf_add_test_case "dummynet_frag" }