Date: Tue, 17 Dec 2024 10:07:44 GMT
Message-Id: <202412171007.4BHA7iN8023426@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: ebe11b46988e - main - pf: fix state export in the face of NAT64
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ebe11b46988eb27d287272b8c827eb80ebd900ba
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=ebe11b46988eb27d287272b8c827eb80ebd900ba

commit ebe11b46988eb27d287272b8c827eb80ebd900ba
Author:     Kristof Provost
AuthorDate: 2024-10-25 15:01:13 +0000
Commit:     Kristof Provost
CommitDate: 2024-12-17 10:07:13 +0000

    pf: fix state export in the face of NAT64

    Now that we can NAT64 we can have states where the wire and stack address
    families (and protocol) are different. Update the state export code to
    account for this.

    We keep exporting address family and protocol outside of the key, for
    backwards compatibility. This'll return misleading information to userspace
    in the NAT64 case, but it's assumed that userspace will either understand
    NAT64 (and thus look for them in the correct place), or not configure it.

    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D47787
---
 lib/libpfctl/libpfctl.c | 9 +++------
 sys/netpfil/pf/pf_nl.c  | 2 ++
 sys/netpfil/pf/pf_nl.h  | 2 ++
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 21d0b24601a4..9fec8e77de26 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c
@@ -1866,12 +1866,14 @@ static const struct snl_attr_parser nla_p_speer[] = { SNL_DECLARE_ATTR_PARSER(speer_parser, nla_p_speer); #undef _OUT -#define _OUT(_field) offsetof(struct pf_state_key_export, _field) +#define _OUT(_field) offsetof(struct pfctl_state_key, _field) static const struct snl_attr_parser nla_p_skey[] = { { .type = PF_STK_ADDR0, .off = _OUT(addr[0]), .cb = snl_attr_get_pfaddr }, { .type = PF_STK_ADDR1, .off = _OUT(addr[1]), .cb = snl_attr_get_pfaddr }, { .type = PF_STK_PORT0, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 }, { .type = PF_STK_PORT1, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 }, + { .type = PF_STK_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, + { .type = PF_STK_PROTO, .off = _OUT(proto), .cb = snl_attr_get_uint16 }, }; SNL_DECLARE_ATTR_PARSER(skey_parser, nla_p_skey); #undef _OUT @@ -1897,8 +1899,6 @@ static struct snl_attr_parser ap_state[] = { { .type = PF_ST_PACKETS1, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 }, { .type = PF_ST_BYTES0, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 }, { .type = PF_ST_BYTES1, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 }, - { .type = PF_ST_AF, .off = _OUT(key[0].af), .cb = snl_attr_get_uint8 }, - { .type = PF_ST_PROTO, .off = _OUT(key[0].proto), .cb = snl_attr_get_uint8 }, { .type = PF_ST_DIRECTION, .off = _OUT(direction), .cb = snl_attr_get_uint8 }, { .type = PF_ST_LOG, .off = _OUT(log), .cb = snl_attr_get_uint8 }, { .type = PF_ST_STATE_FLAGS, .off = _OUT(state_flags), .cb = snl_attr_get_uint16 }, @@ -1959,9 +1959,6 @@ pfctl_get_states_nl(struct pfctl_state_filter *filter, struct snl_state *ss, pfc if (!snl_parse_nlmsg(ss, hdr, &state_parser, &s)) continue; - s.key[1].af = s.key[0].af; - s.key[1].proto = s.key[0].proto; - ret = f(&s, arg); if (ret != 0) return (ret); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c index d2a050140dbc..3af27e11d27f 100644 --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c 
@@ -133,6 +133,8 @@ dump_state_key(struct nl_writer *nw, int attr, const struct pf_state_key *key) dump_addr(nw, PF_STK_ADDR1, &key->addr[1], key->af); nlattr_add_u16(nw, PF_STK_PORT0, key->port[0]); nlattr_add_u16(nw, PF_STK_PORT1, key->port[1]); + nlattr_add_u8(nw, PF_STK_AF, key->af); + nlattr_add_u16(nw, PF_STK_PROTO, key->proto); nlattr_set_len(nw, off); diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h index 096b9913d4a6..3af931978860 100644 --- a/sys/netpfil/pf/pf_nl.h +++ b/sys/netpfil/pf/pf_nl.h @@ -71,6 +71,8 @@ enum pfstate_key_type_t { PF_STK_ADDR1 = 2, /* ip */ PF_STK_PORT0 = 3, /* u16 */ PF_STK_PORT1 = 4, /* u16 */ + PF_STK_AF = 5, /* u8 */ + PF_STK_PROTO = 6, /* u16 */ }; enum pfstate_peer_type_t {
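
Review bot: In the nla_p_skey table in lib/libpfctl/libpfctl.c (first hunk), PF_STK_PROTO is parsed with snl_attr_get_uint16 into _OUT(proto), while the ap_state entry this patch removes filled the same member (key[0].proto) with snl_attr_get_uint8. The diffstat lists only libpfctl.c, pf_nl.c and pf_nl.h, so the definition of struct pfctl_state_key is not touched here; if proto is still a one-byte member, the 16-bit store writes one byte past it into whatever follows in the struct. Either widen the member in the same commit or keep the attribute and its getter at u8. The same width choice applies to nlattr_add_u16(nw, PF_STK_PROTO, key->proto) in pf_nl.c and to the /* u16 */ comment in pf_nl.h.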
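
Review bot: Dropping the PF_ST_AF and PF_ST_PROTO entries from ap_state (second libpfctl.c hunk), together with removing the s.key[1].af = s.key[0].af and s.key[1].proto = s.key[0].proto copies in pfctl_get_states_nl() (third hunk), leaves key[].af and key[].proto unset whenever the kernel does not send PF_STK_AF and PF_STK_PROTO. The commit message says the kernel keeps exporting the top-level attributes for backwards compatibility, but that only covers an old userland on a new kernel; a new libpfctl on an older kernel now gets neither value. Consider keeping a fallback that fills key[].af and key[].proto from PF_ST_AF and PF_ST_PROTO when the per-key attributes are absent, or state in the commit message that this combination is not supported.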
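
Review bot: The new PF_STK_AF and PF_STK_PROTO entries in enum pfstate_key_type_t (sys/netpfil/pf/pf_nl.h) carry only a width comment, /* u8 */ and /* u16 */, and nothing says that these per-key values are the ones consumers should trust. The commit message notes that the address family and protocol exported outside the key can be misleading for NAT64 states, so a short comment next to these two entries pointing at the per-key attributes would put that caveat where API users will read it, not only in the commit log.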