Re: git: 5ab151574c8a - main - netinet*: Fix redirects for connections from localhost
- In reply to: Doug Rabson : "git: 5ab151574c8a - main - netinet*: Fix redirects for connections from localhost"
Date: Wed, 31 May 2023 16:07:39 UTC
On 31 May 2023, at 12:11, Doug Rabson wrote:
> The branch main has been updated by dfr:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5ab151574c8a1824c6cd8eded28506cb983284bc
>
> commit 5ab151574c8a1824c6cd8eded28506cb983284bc
> Author:     Doug Rabson <dfr@FreeBSD.org>
> AuthorDate: 2023-05-24 13:11:37 +0000
> Commit:     Doug Rabson <dfr@FreeBSD.org>
> CommitDate: 2023-05-31 10:11:05 +0000
>
>     netinet*: Fix redirects for connections from localhost
>
>     Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
>     rules to change the destination address and port for a connection.
>     Typically, the rule triggers on an input event when a packet is received
>     by a router and the destination address and/or port is changed to
>     implement the redirect. When a reply packet on this connection is output
>     to the network, the rule triggers again, reversing the modification.
>
>     When the connection is initiated on the same host as the packet filter,
>     it is initially output via lo0 which queues it for input processing.
>     This causes an input event on the lo0 interface, allowing redirect
>     processing to rewrite the destination and create state for the
>     connection. However, when the reply is received, no corresponding output
>     event is generated; instead, the packet is delivered to the higher level
>     protocol (e.g. tcp or udp) without reversing the redirect, the reply is
>     not matched to the connection and the packet is dropped (for tcp, a
>     connection reset is also sent).
>
>     This commit fixes the problem by adding a second packet filter call in
>     the input path. The second call happens right before the handoff to
>     higher level processing and provides the missing output event to allow
>     the redirect's reply processing to perform its rewrite. This extra
>     processing is disabled by default and can be enabled using pfilctl:
>
>     pfilctl link -o pf:default-out inet-local
>     pfilctl link -o pf:default-out6 inet6-local
>
>     PR:             268717
>     Reviewed-by:    kp, melifaro
>     MFC-after:      2 weeks
>     Differential Revision: https://reviews.freebsd.org/D40256

It looks like there's some fallout from this in the dummynet tests:
https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23646/#showFailuresLink

Those tests set up the new hook, and without those hooks (i.e. with this patch reverted) the tests pass again.

Best regards,
Kristof
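The event sequence the commit message describes, as an added illustration that is not FreeBSD kernel or pf code: a toy model of one rdr rule with a state table, run once without and once with the extra output-side call on the input path (the hook the commit message enables with `pfilctl link -o pf:default-out inet-local`). The addresses, ports, class and function names are made up for the example; the real pf state machine and pfil plumbing are considerably more involved.

```python
"""Toy model of the pfil event sequence behind the localhost redirect bug.

Added illustration, not FreeBSD or pf code. One rdr rule and a state table,
modelled with just enough fidelity to show why a connection initiated on the
filtering host itself loses its reply, and why a second, output-style filter
call right before the handoff to TCP/UDP repairs it. All names, addresses
and ports are assumptions made for this example.
"""
from dataclasses import dataclass, replace

PFIL_IN = "PFIL_IN"
PFIL_OUT = "PFIL_OUT"

Endpoint = tuple  # (address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class RedirectFilter:
    """One rdr rule: traffic for `match_dst` is sent to `rdr_to` instead."""

    def __init__(self, match_dst: Endpoint, rdr_to: Endpoint):
        self.match_dst = match_dst
        self.rdr_to = rdr_to
        # state: (original src, translated dst) -> original dst
        self.state: dict[tuple[Endpoint, Endpoint], Endpoint] = {}

    def hook(self, event: str, pkt: Packet) -> Packet:
        if event == PFIL_IN:
            # Forward direction: rewrite the destination and record state.
            if pkt.dst == self.match_dst:
                translated = replace(pkt, dst=self.rdr_to)
                self.state[(pkt.src, translated.dst)] = pkt.dst
                return translated
            return pkt
        # PFIL_OUT, reply direction: a reply from the redirect target back to
        # the original client gets its source restored so it matches the
        # client's view of the connection.
        original_dst = self.state.get((pkt.dst, pkt.src))
        if original_dst is not None:
            return replace(pkt, src=original_dst)
        return pkt


def simulate_local_connection(inet_local_hook: bool) -> str:
    """Return 'delivered' or 'dropped' for the reply to a connection that
    was initiated on the filtering host, with or without the extra
    output-side call on the input path."""
    client = ("127.0.0.1", 40000)
    public = ("10.0.0.1", 80)        # address the client connects to
    target = ("192.168.1.5", 8080)   # where the rdr rule sends it
    pf = RedirectFilter(match_dst=public, rdr_to=target)

    # The client's socket is bound to (client, public); that is the only
    # 4-tuple the transport layer will accept replies for.
    socket_table = {(client, public)}

    # 1. Output via lo0 only queues the packet for input processing, so the
    #    first filter event the packet sees is PFIL_IN on lo0.
    syn = Packet(src=client, dst=public)
    syn = pf.hook(PFIL_IN, syn)
    assert syn.dst == target, "rdr should have rewritten the destination"

    # 2. The redirect target answers and the reply is received by the host.
    reply = Packet(src=syn.dst, dst=syn.src)
    reply = pf.hook(PFIL_IN, reply)  # no rdr match, nothing changes

    # 3. The bug: no PFIL_OUT event fires for a packet that is delivered
    #    locally, so the reply keeps `target` as its source. The fix adds a
    #    second call right before the handoff to the transport protocol.
    if inet_local_hook:
        reply = pf.hook(PFIL_OUT, reply)

    # 4. Transport-layer lookup on the (local, remote) 4-tuple.
    if (reply.dst, reply.src) in socket_table:
        return "delivered"
    return "dropped"  # for TCP the kernel would also send a reset


if __name__ == "__main__":
    print("without inet-local hook:", simulate_local_connection(False))
    print("with inet-local hook:   ", simulate_local_connection(True))
```

The two runs differ only in step 3. Without the extra call the reply still carries the redirect target as its source, the 4-tuple lookup fails and the packet is dropped; with it, the state created on the lo0 input event is consulted a second time and the source is restored before the transport layer sees the packet.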