Date: Mon, 19 Aug 2024 16:02:45 GMT
Message-Id: <202408191602.47JG2jgF047580@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 6a88e22728d2 - main - pfctl: pfik_ifp is always NULL List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 6a88e22728d285c4df17216515ce2b8d1e5a6835 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=6a88e22728d285c4df17216515ce2b8d1e5a6835 commit 6a88e22728d285c4df17216515ce2b8d1e5a6835 Author: Kristof Provost AuthorDate: 2024-08-16 12:55:31 +0000 Commit: Kristof Provost CommitDate: 2024-08-19 16:02:15 +0000 pfctl: pfik_ifp is always NULL The pfik_ifp field is not provided by the kernel, it is always NULL. Do not check for it. This caused us to not clear the skip flag on interfaces, leading to unexpected behaviour when a 'set skip' was removed. PR: 280834 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46311 --- sbin/pfctl/pfctl.c | 7 +---- tests/sys/netpfil/pf/set_skip.sh | 61 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 6 deletions(-) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index b60e64fba338..45bfdf31f8dc 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -394,8 +394,6 @@ pfctl_check_skip_ifaces(char *ifname) continue; for (n = h; n != NULL; n = n->next) { - if (p->pfik_ifp == NULL) - continue; if (strncmp(p->pfik_name, ifname, IFNAMSIZ)) continue; 
@@ -422,9 +420,6 @@ pfctl_adjust_skip_ifaces(struct pfctl *pf) for (n = h; n != NULL; n = n->next) PFRB_FOREACH(pp, &skip_b) { - if (pp->pfik_ifp == NULL) - continue; - if (strncmp(pp->pfik_name, n->ifname, IFNAMSIZ)) continue; @@ -437,7 +432,7 @@ pfctl_adjust_skip_ifaces(struct pfctl *pf) } PFRB_FOREACH(p, &skip_b) { - if (p->pfik_ifp == NULL || ! (p->pfik_flags & PFI_IFLAG_SKIP)) + if (! (p->pfik_flags & PFI_IFLAG_SKIP)) continue; pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0); diff --git a/tests/sys/netpfil/pf/set_skip.sh b/tests/sys/netpfil/pf/set_skip.sh index e5b1440360e9..e984377721b8 100644 --- a/tests/sys/netpfil/pf/set_skip.sh +++ b/tests/sys/netpfil/pf/set_skip.sh @@ -26,6 +26,50 @@ . $(atf_get_srcdir)/utils.subr +atf_test_case "unset" "cleanup" +unset_head() +{ + atf_set descr 'Unset set skip test' + atf_set require.user root +} + +unset_body() +{ + pft_init + + vnet_mkjail alcatraz + jexec alcatraz ifconfig lo0 127.0.0.1/8 up + jexec alcatraz pfctl -e + pft_set_rules alcatraz "set skip on lo0" \ + "block in proto icmp" + + echo "set skip" + jexec alcatraz pfctl -v -sI + + jexec alcatraz ifconfig + atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 + + # Unset the skip on the group + pft_set_rules noflush alcatraz \ + "block in proto icmp" + + echo "No setskip" + jexec alcatraz pfctl -v -sI + + # Do flush states + jexec alcatraz pfctl -Fs + + # And now our ping is blocked + atf_check -s exit:2 -o ignore jexec alcatraz ping -c 1 127.0.0.1 + + jexec alcatraz pfctl -v -sI +} + +unset_cleanup() +{ + pft_cleanup +} + atf_test_case "set_skip_group" "cleanup" set_skip_group_head() { 
@@ -45,8 +89,24 @@ set_skip_group_body() pft_set_rules alcatraz "set skip on foo" \ "block in proto icmp" + echo "set skip" + jexec alcatraz pfctl -v -sI + jexec alcatraz ifconfig atf_check -s exit:0 -o ignore jexec alcatraz ping -c 1 127.0.0.1 + + # Unset the skip on the group + pft_set_rules noflush alcatraz \ + "block in proto icmp" + + # Do flush states + jexec alcatraz pfctl -Fs + + # And now our ping is blocked + atf_check -s exit:2 -o ignore jexec alcatraz ping -c 1 127.0.0.1 + + echo "No setskip" + jexec alcatraz pfctl -v -sI } set_skip_group_cleanup() @@ -163,6 +223,7 @@ pr255852_cleanup() atf_init_test_cases() { + atf_add_test_case "unset" atf_add_test_case "set_skip_group" atf_add_test_case "set_skip_group_lo" atf_add_test_case "set_skip_dynamic"
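Review bot: in pfctl_check_skip_ifaces() and in the first PFRB_FOREACH of pfctl_adjust_skip_ifaces(), dropping `if (p->pfik_ifp == NULL) continue;` leaves nothing in the code that says why the field must not be consulted. The commit message explains that pfik_ifp is not provided by the kernel and is always NULL, but a reader of pfctl.c will not see that. A short comment at these loops, or next to the field, stating that pfik_ifp is never filled in for pfctl would keep the same guard from being added back later and silently disabling the skip handling again.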
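Review bot: in the last PFRB_FOREACH of pfctl_adjust_skip_ifaces(), nothing in the visible lines checks whether `pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);` succeeded. If that call can fail, an interface keeps its skip flag and traffic on it continues to bypass the ruleset without any message, which is the same symptom this change fixes. Consider checking the result and warning or failing the ruleset load. As a style point on the changed line, `if (! (p->pfik_flags & PFI_IFLAG_SKIP))` carries a space after the unary `!`; since the line is being touched anyway it could become `if (!(p->pfik_flags & PFI_IFLAG_SKIP))`.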
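Review bot: in the new unset_body(), the comment `# Unset the skip on the group` does not match the test, which sets `set skip on lo0` on an interface and not on a group; it looks copied from set_skip_group_body() and should read something like "Unset the skip on lo0". The description `atf_set descr 'Unset set skip test'` could also say what is verified, namely that removing 'set skip' from the ruleset clears the skip flag so the block rule applies again. The three `pfctl -v -sI` calls are only printed; if the intent is to verify the flag itself and not just the ping result, one of them could be wrapped in atf_check with a match on its output.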
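Review bot: in the lines added to set_skip_group_body(), the `echo "No setskip"` and `jexec alcatraz pfctl -v -sI` diagnostics come after `atf_check -s exit:2 -o ignore jexec alcatraz ping -c 1 127.0.0.1`, so when that check fails the interface state that would explain the failure is never printed. unset_body() prints the same diagnostics before flushing states and pinging; using that order here as well would make a failing run debuggable from its log. The unset, flush and ping sequence is now duplicated in both test bodies and could move into a small shared helper in this file.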