Date: Tue, 17 Dec 2024 10:08:12 GMT
Message-Id: <202412171008.4BHA8C3a024821@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: b0e3fb7e65c3 - main - pf: fix nat64 round-robin addresses from a table List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b0e3fb7e65c3a745177e52ec2f20a773b4d59c1e Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b0e3fb7e65c3a745177e52ec2f20a773b4d59c1e commit b0e3fb7e65c3a745177e52ec2f20a773b4d59c1e Author: Kristof Provost AuthorDate: 2024-12-09 17:37:36 +0000 Commit: Kristof Provost CommitDate: 2024-12-17 10:07:17 +0000 pf: fix nat64 round-robin addresses from a table We do multiple lookups during the nat64 process, some of which will fail due to address family mismatches. Do not reset the lookup offset so we actually use different addresses from the table. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_lb.c | 1 - tests/sys/netpfil/pf/nat64.sh | 67 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 0f08226c1c0d..35896bdcf5b1 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -598,7 +598,6 @@ pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr, else rpool->cur = TAILQ_NEXT(rpool->cur, entries); if (rpool->cur->addr.type == PF_ADDR_TABLE) { - rpool->tblidx = -1; if (pfr_pool_get(rpool->cur->addr.p.tbl, &rpool->tblidx, &rpool->counter, af, NULL)) { /* table contains no address of type 'af' */ 
diff --git a/tests/sys/netpfil/pf/nat64.sh b/tests/sys/netpfil/pf/nat64.sh index b6b2b97a2f63..827891373903 100644 --- a/tests/sys/netpfil/pf/nat64.sh +++ b/tests/sys/netpfil/pf/nat64.sh 
@@ -341,6 +341,72 @@ pool_cleanup() pft_cleanup } +atf_test_case "table_round_robin" "cleanup" +table_round_robin_head() +{ + atf_set descr 'Use a table of IPv4 addresses in round-robin mode' + atf_set require.user root +} + +table_round_robin_body() +{ + pft_init + + epair_link=$(vnet_mkepair) + epair=$(vnet_mkepair) + + ifconfig ${epair}a inet6 2001:db8::2/64 up no_dad + route -6 add default 2001:db8::1 + + vnet_mkjail rtr ${epair}b ${epair_link}a + jexec rtr ifconfig ${epair}b inet6 2001:db8::1/64 up no_dad + jexec rtr ifconfig ${epair_link}a 192.0.2.1/24 up + jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.3/24 up + jexec rtr ifconfig ${epair_link}a inet alias 192.0.2.4/24 up + + vnet_mkjail dst ${epair_link}b + jexec dst ifconfig ${epair_link}b 192.0.2.2/24 up + jexec dst route add default 192.0.2.1 + + # Sanity checks + atf_check -s exit:0 -o ignore \ + ping6 -c 1 2001:db8::1 + atf_check -s exit:0 -o ignore \ + jexec dst ping -c 1 192.0.2.1 + + jexec rtr pfctl -e + pft_set_rules rtr \ + "set reassemble yes" \ + "set state-policy if-bound" \ + "table { 192.0.2.1, 192.0.2.3, 192.0.2.4 }" \ + "pass in on ${epair}b inet6 from any to 64:ff9b::/96 af-to inet from round-robin" + + # Use pf to count sources + jexec dst pfctl -e + pft_set_rules dst \ + "pass" + + atf_check -s exit:0 -o ignore \ + ping6 -c 1 64:ff9b::192.0.2.2 + atf_check -s exit:0 -o ignore \ + ping6 -c 1 64:ff9b::192.0.2.2 + atf_check -s exit:0 -o ignore \ + ping6 -c 1 64:ff9b::192.0.2.2 + + # Verify on dst that we saw different source addresses + atf_check -s exit:0 -o match:".*192.0.2.1.*" \ + jexec dst pfctl -ss + atf_check -s exit:0 -o match:".*192.0.2.3.*" \ + jexec dst pfctl -ss + atf_check -s exit:0 -o match:".*192.0.2.4.*" \ + jexec dst pfctl -ss +} + +table_round_robin_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "icmp_echo" 
@@ -351,4 +417,5 @@ atf_init_test_cases() atf_add_test_case "tos" atf_add_test_case "no_v4" atf_add_test_case "pool" + atf_add_test_case "table_round_robin" }
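Review bot: In the pf_lb.c hunk, with `rpool->tblidx = -1;` removed from the PF_ADDR_TABLE branch of pf_map_addr(), pfr_pool_get() now receives whatever index the previous call left in rpool->tblidx, and nothing in the hunk shows where that field gets its first value or what happens when the table has changed since the index was stored. Please confirm the pool starts with a valid index and that pfr_pool_get() copes with a stale or out-of-range one. A short comment above the call would also help, saying the index is carried over on purpose so that lookups failing on address family do not restart the walk; without it the reset is likely to be put back as an apparent cleanup.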
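Review bot: In table_round_robin_body(), the three closing atf_check calls match `.*192.0.2.1.*`, `.*192.0.2.3.*` and `.*192.0.2.4.*`, where the dots are unescaped regex wildcards and the address is not tied to any position in the state line, so each check passes on any `pfctl -ss` output that contains a matching run of characters anywhere. Consider escaping the dots and matching each address together with 192.0.2.2 in the same state entry, so the test only passes when that table address was really used as the translated source. The body also sends exactly three pings for three table entries, so it relies on each translated connection picking the next address; a comment stating that expectation would help whoever has to debug a failure.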