Re: git: 5ab151574c8a - main - netinet*: Fix redirects for connections from localhost

From: Kristof Provost <kp@FreeBSD.org>
Date: Wed, 31 May 2023 16:07:39 UTC
On 31 May 2023, at 12:11, Doug Rabson wrote:
> The branch main has been updated by dfr:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5ab151574c8a1824c6cd8eded28506cb983284bc
>
> commit 5ab151574c8a1824c6cd8eded28506cb983284bc
> Author:     Doug Rabson <dfr@FreeBSD.org>
> AuthorDate: 2023-05-24 13:11:37 +0000
> Commit:     Doug Rabson <dfr@FreeBSD.org>
> CommitDate: 2023-05-31 10:11:05 +0000
>
>     netinet*: Fix redirects for connections from localhost
>
>     Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
>     rules to change the destination address and port for a connection.
>     Typically, the rule triggers on an input event when a packet is received
>     by a router and the destination address and/or port is changed to
>     implement the redirect. When a reply packet on this connection is output
>     to the network, the rule triggers again, reversing the modification.
>
>     When the connection is initiated on the same host as the packet filter,
>     it is initially output via lo0 which queues it for input processing.
>     This causes an input event on the lo0 interface, allowing redirect
>     processing to rewrite the destination and create state for the
>     connection. However, when the reply is received, no corresponding output
>     event is generated; instead, the packet is delivered to the higher level
>     protocol (e.g. tcp or udp) without reversing the redirect, the reply is
>     not matched to the connection and the packet is dropped (for tcp, a
>     connection reset is also sent).
>
>     This commit fixes the problem by adding a second packet filter call in
>     the input path. The second call happens right before the handoff to
>     higher level processing and provides the missing output event to allow
>     the redirect's reply processing to perform its rewrite. This extra
>     processing is disabled by default and can be enabled using pfilctl:
>
>             pfilctl link -o pf:default-out inet-local
>             pfilctl link -o pf:default-out6 inet6-local
>
>     PR:             268717
>     Reviewed-by:    kp, melifaro
>     MFC-after:      2 weeks
>     Differential Revision: https://reviews.freebsd.org/D40256

It looks like there’s some fallout from this in the dummynet tests:
https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23646/#showFailuresLink

Those tests set up the new hook, and without those hooks (i.e. with this patch reverted) the tests pass again.

Best regards,
Kristof