Date: Tue, 19 Mar 2024 15:30:33 GMT
Message-Id: <202403191530.42JFUXdx096808@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: c6f111635790 - main - pf: fix dummynet + route-to
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c6f1116357904d3c2e95430e27213e4d0948fc64
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=c6f1116357904d3c2e95430e27213e4d0948fc64

commit c6f1116357904d3c2e95430e27213e4d0948fc64
Author:     Kristof Provost
AuthorDate: 2024-03-12 12:29:08 +0000
Commit:     Kristof Provost
CommitDate: 2024-03-19 15:29:29 +0000

    pf: fix dummynet + route-to

    Ensure that we pick the correct dummynet pipe (i.e. forward vs. reverse
    direction) when applying route-to.

    We mark the processing as outbound so that dummynet will re-inject in the
    correct phase of processing after it's done with the packet, but that will
    cause us to pick the wrong pipe number. Reverse them so that the incorrect
    decision ends up picking the correct pipe.

    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D44366
---
 sys/netpfil/pf/pf.c              | 26 ++++++++++++----
 tests/sys/netpfil/pf/route_to.sh | 65 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 84 insertions(+), 7 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 5089b3ea2570..d7536e44623e 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7240,6 +7240,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, struct pf_ksrc_node *sn = NULL; int error = 0; uint16_t ip_len, ip_off; + uint16_t tmp; int r_rt, r_dir; KASSERT(m && *m && r && oifp, ("%s: invalid parameters", __func__)); @@ -7381,11 +7382,26 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, m0->m_pkthdr.csum_flags &= ~CSUM_SCTP; } - /* - * Make sure dummynet gets the correct direction, in case it needs to - * re-inject later. - */ - pd->dir = PF_OUT; + if (pd->dir == PF_IN) { + /* + * Make sure dummynet gets the correct direction, in case it needs to + * re-inject later. + */ + pd->dir = PF_OUT; + + /* + * The following processing is actually the rest of the inbound processing, even + * though we've marked it as outbound (so we don't look through dummynet) and it + * happens after the outbound processing (pf_test(PF_OUT) above). + * Swap the dummynet pipe numbers, because it's going to come to the wrong + * conclusion about what direction it's processing, and we can't fix it or it + * will re-inject incorrectly. Swapping the pipe numbers means that its incorrect + * decision will pick the right pipe, and everything will mostly work as expected. + */ + tmp = pd->act.dnrpipe; + pd->act.dnrpipe = pd->act.dnpipe; + pd->act.dnpipe = tmp; + } /* * If small enough for interface, or the interface will take diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh index 4df9b790359a..44fe6786e896 100644 --- a/tests/sys/netpfil/pf/route_to.sh +++ b/tests/sys/netpfil/pf/route_to.sh @@ -345,7 +345,7 @@ dummynet_body() # The ping request will pass, but take 1.2 seconds # So this works: - atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1 # But this times out: atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1 
@@ -355,7 +355,7 @@ dummynet_body() # The ping request will pass, but take 1.2 seconds # So this works: - atf_check -s exit:0 -o ignore ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1 # But this times out: atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1 } @@ -365,6 +365,66 @@ dummynet_cleanup() pft_cleanup } +atf_test_case "dummynet_in" "cleanup" +dummynet_in_head() +{ + atf_set descr 'Thest that dummynet works as expected on pass in route-to packets' + atf_set require.user root +} + +dummynet_in_body() +{ + dummynet_init + + epair_srv=$(vnet_mkepair) + epair_gw=$(vnet_mkepair) + + vnet_mkjail srv ${epair_srv}a + jexec srv ifconfig ${epair_srv}a 192.0.2.1/24 up + jexec srv route add default 192.0.2.2 + + vnet_mkjail gw ${epair_srv}b ${epair_gw}a + jexec gw ifconfig ${epair_srv}b 192.0.2.2/24 up + jexec gw ifconfig ${epair_gw}a 198.51.100.1/24 up + jexec gw sysctl net.inet.ip.forwarding=1 + + ifconfig ${epair_gw}b 198.51.100.2/24 up + route add -net 192.0.2.0/24 198.51.100.1 + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1 + + jexec gw dnctl pipe 1 config delay 1200 + pft_set_rules gw \ + "pass in route-to (${epair_srv}b 192.0.2.1) to 192.0.2.1 dnpipe 1" + jexec gw pfctl -e + + # The ping request will pass, but take 1.2 seconds + # So this works: + echo "Expect 1.2 s" + ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1 + # But this times out: + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1 + + # return path dummynet + pft_set_rules gw \ + "pass in route-to (${epair_srv}b 192.0.2.1) to 192.0.2.1 dnpipe (0, 1)" + + # The ping request will pass, but take 1.2 seconds + # So this works: + echo "Expect 1.2 s" + ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore ping -c 1 -t 2 192.0.2.1 + # But this times out: + atf_check -s exit:2 -o ignore ping -c 1 -t 1 192.0.2.1 +} + +dummynet_in_cleanup() +{ + pft_cleanup +} + atf_test_case "ifbound" "cleanup" ifbound_head() { 
@@ -675,6 +735,7 @@ atf_init_test_cases() atf_add_test_case "multiwanlocal" atf_add_test_case "icmp_nat" atf_add_test_case "dummynet" + atf_add_test_case "dummynet_in" atf_add_test_case "ifbound" atf_add_test_case "ifbound_v6" atf_add_test_case "ifbound_reply_to"
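Review bot: in the first pf.c hunk (pf_route() declarations), `uint16_t tmp;` is only used for the dnpipe/dnrpipe swap inside the new `if (pd->dir == PF_IN)` block further down; a name that says what it holds (a saved pipe number) would make that swap self-explanatory when read without the comment, and the declaration could sit in the block where it is used rather than at function scope.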
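Review bot: in the second pf.c hunk, the new comment says the swapped pipe numbers mean "everything will mostly work as expected", but neither the comment nor the commit message says which cases are still wrong; please document them (or leave a TODO) so the next person touching pf_route() knows the swap is a workaround for dummynet inferring direction from `pd->dir`, not a correct model of it. Two smaller points: several of the added comment lines run past the 80-column limit in style(9), and since the old code set `pd->dir = PF_OUT` unconditionally while the new code only does so (and only swaps `pd->act.dnpipe`/`pd->act.dnrpipe`) when `pd->dir == PF_IN`, the commit message should state that the PF_OUT path is intentionally unchanged. The new dummynet_in test covers `dnpipe 1` and `dnpipe (0, 1)` on the PF_IN path; a matching `pass out route-to ... dnpipe (0, 1)` case would confirm the unchanged path still selects the right pipe.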
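Review bot: in the first route_to.sh hunk (dummynet_body(), around line 345), `ping -c 1 -t 2` leaves only 0.8 s of headroom over the 1.2 s delay the comment describes, which is tight enough to make the "So this works" check flaky on a loaded CI host; a larger timeout such as `-t 3` keeps the positive check robust while the negative check right below it still uses `-t 1`, so the two assertions remain clearly distinguishable.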
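Review bot: the second route_to.sh hunk (dummynet_body(), around line 355) makes the same `-t 2` change with the same 0.8 s margin over the 1.2 s delay, so the timeout concern applies here too. The two blocks are now identical apart from the rule set that precedes them, and the new dummynet_in_body() repeats them twice more; a small shell helper that takes the expected-pass timeout and runs both `atf_check` calls would mean a timing fix only has to be made in one place.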
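Review bot: in the dummynet_in hunk, the description has a typo: "Thest that dummynet works as expected" should read "Test that dummynet works as expected". The bare `echo "Expect 1.2 s"` followed by `ping -c 1 192.0.2.1` before each `atf_check` is never asserted on, so it only adds log noise and an extra round trip through the pipe; either drop these lines or turn them into an assertion. It would also help to add a comment at the second `pft_set_rules gw ... dnpipe (0, 1)` call noting that pipe 1 (still configured with `delay 1200`) now applies only to the reply direction, since that is exactly the case the pf.c swap is meant to fix and the reason the 1.2 s delay is still expected there.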