Date: Tue, 18 Jul 2023 18:50:44 -0400
From: Matteo Riondato
To: Doug Rabson, Kristof Provost
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 3a1f834b5228 - main - pf: Add code to enable filtering for locally delivered packets
Message-ID: <7vbajkgkvsxkbsl2am3wnpn2ogh6tsty6tquurko2we22rjcjm@ilb45u4llxsv>
X-PGP-Key: http://rionda.to/files/matteogpg.asc
References: <202306201435.35KEZtHN062484@gitrepo.freebsd.org>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 2023-06-20 at 11:57 EDT, Matteo Riondato wrote:
>On 2023-06-20 at 10:35 EDT, Doug Rabson wrote:
>
>>The branch main has been updated by dfr:
>>
>>URL: https://cgit.FreeBSD.org/src/commit/?id=3a1f834b5228986a7c14fd60da13cf2700e80996
>>
>>commit 3a1f834b5228986a7c14fd60da13cf2700e80996
>>Author:     Doug Rabson
>>AuthorDate: 2023-06-20 13:01:58 +0000
>>Commit:     Doug Rabson
>>CommitDate: 2023-06-20 14:34:01 +0000
>>
>>    pf: Add code to enable filtering for locally delivered packets
>>
>>    This is disabled by default since it potentially changes the behavior of
>>    existing filter rule sets.
>>    To enable this extra filter for packets being
>>    delivered locally, use:
>>
>>        sysctl net.pf.filter_local=1
>>        service pf restart
>>
>>    PR:             268717
>>    Reviewed-by:    kp
>>    MFC-after:      2 weeks
>>    Differential Revision:  https://reviews.freebsd.org/D40373
>>---
>> UPDATING                                     | 12 ++++++++++++
>> sys/netpfil/pf/pf_ioctl.c                    | 20 ++++++++++++++++++++
>> tests/sys/netpfil/common/utils.subr          |  3 +--
>> tests/sys/netpfil/pf/fragmentation_compat.sh |  3 ++-
>> tests/sys/netpfil/pf/fragmentation_pass.sh   |  3 ++-
>> tests/sys/netpfil/pf/killstate.sh            | 24 ++++++++++++++++--------
>> tests/sys/netpfil/pf/map_e.sh                |  3 ++-
>> tests/sys/netpfil/pf/pass_block.sh           |  3 ++-
>> tests/sys/netpfil/pf/pfsync.sh               |  1 +
>> tests/sys/netpfil/pf/route_to.sh             |  3 ++-
>> tests/sys/netpfil/pf/set_skip.sh             |  2 +-
>> tests/sys/netpfil/pf/table.sh                |  6 ++++--
>> 12 files changed, 65 insertions(+), 18 deletions(-)
>>
>>diff --git a/UPDATING b/UPDATING
>>index 1980411c1853..f4e13d97006d 100644
>>--- a/UPDATING
>>+++ b/UPDATING
>>@@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
>> 	world, or to merely disable the most expensive debugging functionality
>> 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
>>
>>+20230619:
>>+	To enable pf rdr rules for connections initiated from the host, pf
>>+	filter rules can be optionally enabled for packets delivered
>>+	locally. This can change the behavior of rules which match packets
>>+	delivered to lo0. To enable this feature:
>>+
>>+	sysctl net.pf.filter_local=1
>>+	service pf restart
>
>It seems a bit weird to suggest an action that is not permanent (does
>not survive reboot). See proposed rewording below.
>
>>+
>>+	When enabled, its best to ensure that packets delivered locally are not
>
>s/its/it is/
>
>>+	filtered, e.g. by adding a 'skip on lo' rule.
>
>TBH, I find the phrasing a bit confusing: "to enable pf rdr rules for
>connections …, pf filter rules can *optionally* be enabled for
>packets delivered locally". That "optionally" makes it sound as if it
>is not *required* to enable pf filter rules for packets delivered
>locally in order to enable pf rdr rules for connections etc etc., but,
>given this change, I assume it is.
>
>Perhaps a better phrasing (assuming I understand the feature) would be:
>
>"The new sysctl net.pf.filter_local controls whether PF filter rules
>are enabled for packets originating from localhost and delivered
>locally.
>
>This feature can be useful for, e.g., enabling rdr rules for
>connections initiated from localhost and redirected to a different
>port on localhost. Setting the sysctl to 1 may change the behavior of
>rules which match packets delivered to lo0, so it may be necessary to
>add enable the "skip on lo" option."
>
>Note that "skip on" is not a rule, even if it is translated to a pair
>of rules: it's part of the options, and requires "set" before it, per
>pf.conf(5).
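Review bot: The enable instructions in the added UPDATING text (`sysctl net.pf.filter_local=1` followed by `service pf restart`) are a one-off runtime action, so the entry should also give the form that survives a reboot, e.g. `net.pf.filter_local=1` in /etc/sysctl.conf, with the pf restart still listed next to it. Two smaller fixes in the same hunk: "its best" should read "it is best", and since 'skip on lo' is a pf.conf(5) option rather than a rule, the last added line should say something like "by adding 'set skip on lo' to the options section".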
>Also, I'm assuming (and mention in the rewording) we are
>talking about rdr rules for port remapping, not rdr rules that
>redirect to other destinations, but please confirm or adjust.
>
>More generally, this new feature should likely also be documented
>somewhere else (pf(4) ? pfctl(8)? pf.conf(5)?).
>
>But apart from the above, I'm a little puzzled: does it mean that
>until now (and continuing to do so, unless one sets the sysctl to 1),
>packets originating locally and destined locally were not filtered by
>pf? I.e., that filtering rules on lo0 had no effect on incoming
>traffic from localhost?

Hi Doug and Kristof,

A ping about what I said below, as I think there is a need to better
document this sysctl.

Additionally, I'm also a little worried about the name of the sysctl,
which seems extremely generic, while its use may be much more specific.
If the name could be made more specific, that should probably be done
before 14 is branched.

Thanks,
Matteo
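A small audit script, added here as an example and not part of the commit or of this thread, that checks the three things the UPDATING entry and the reply above touch on: whether net.pf.filter_local is on at runtime, whether it is persisted in /etc/sysctl.conf (the "does not survive reboot" point), and whether pf.conf exempts loopback with the "set skip on" option. The file paths, the exit-code scheme and the sample inputs are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the commit or the thread): audit whether a host's
# pf "filter local" setup is consistent with the UPDATING guidance. Each
# check takes file or command output as a string so it can run against the
# constructed samples below as well as against a live host.

# 0 if the given `sysctl net.pf.filter_local` output reports the feature on.
filter_local_runtime_on() {
	printf '%s\n' "$1" | grep -Eq '^net\.pf\.filter_local: *1$'
}

# 0 if the given /etc/sysctl.conf content persists the setting across
# reboots (commented-out lines do not count).
filter_local_persisted() {
	printf '%s\n' "$1" | grep -Eq '^[[:space:]]*net\.pf\.filter_local=1([[:space:]]|$)'
}

# 0 if the given pf.conf content has a "set skip on" option naming lo or lo0,
# either directly or inside an interface list in braces.
pf_conf_skips_lo() {
	printf '%s\n' "$1" \
	  | grep -E '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on[[:space:]]' \
	  | tr '{},' '   ' \
	  | grep -Eq '(^|[[:space:]])lo0?([[:space:]]|$)'
}

# Combine the checks. Exit codes (assumed scheme): 0 = consistent or feature
# off; 1 = enabled at runtime only, so it is lost at reboot; 2 = enabled but
# loopback is not exempted, so existing rules on lo0 may now match local traffic.
audit_filter_local() {
	_sysctl_out=$1; _sysctl_conf=$2; _pf_conf=$3
	filter_local_runtime_on "$_sysctl_out" || return 0   # feature off: nothing to check
	filter_local_persisted "$_sysctl_conf" || return 1
	pf_conf_skips_lo "$_pf_conf" || return 2
	return 0
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_SYSCTL='net.pf.filter_local: 1'
SAMPLE_SYSCTL_CONF='# net.pf.filter_local=1 (commented out on purpose)
kern.ipc.somaxconn=1024'
SAMPLE_PF_CONF='set skip on { lo0 }
block in all
pass out all'

# Live use on a FreeBSD host (paths assumed):
# audit_filter_local "$(sysctl net.pf.filter_local)" "$(cat /etc/sysctl.conf)" "$(cat /etc/pf.conf)"
```

With the samples above the audit returns 1, because the sysctl is on but only commented out in sysctl.conf; fix the persistence and it returns 0 since lo0 is already skipped.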