Date: Thu, 28 Mar 2024 16:06:41 GMT
Message-Id: <202403281606.42SG6fYM015988@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: a983cea4e9a8 - main - pf: fix reply-to after rdr and dummynet
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a983cea4e9a8dcd52cfd6a3141d7aa03306b057b

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a983cea4e9a8dcd52cfd6a3141d7aa03306b057b

commit a983cea4e9a8dcd52cfd6a3141d7aa03306b057b
Author:     Kristof Provost
AuthorDate: 2024-03-27 14:47:21 +0000
Commit:     Kristof Provost
CommitDate: 2024-03-28 16:06:01 +0000

    pf: fix reply-to after rdr and dummynet

    If we redirect a packet to localhost and it gets dummynet'd it may be
    re-injected later (e.g. when delayed) which means it will be passed
    through ip_input() again. ip_input() will then reject the packet because
    it's directed to the loopback address, but did not arrive on a loopback
    interface.

    Fix this by having pf set the rcvif to V_iflo if we redirect to loopback.

    See also:		https://redmine.pfsense.org/issues/15363
    Sponsored by:	Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c              | 12 ++++++++
 tests/sys/netpfil/pf/route_to.sh | 61 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 50dc67b72439..4cec0936539e 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7954,6 +7954,18 @@ pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s, sizeof(struct sockaddr_in6)); } + if (s != NULL && s->nat_rule.ptr != NULL && + s->nat_rule.ptr->action == PF_RDR && + ((pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) || + (pd->af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd->dst->v6)))) { + /* + * If we're redirecting to loopback mark this packet + * as being local. Otherwise it might get dropped + * if dummynet re-injects. + */ + (*m0)->m_pkthdr.rcvif = V_loif; + } + if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) { pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET; pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED; diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh index 44fe6786e896..df95eaecc12e 100644 --- a/tests/sys/netpfil/pf/route_to.sh +++ b/tests/sys/netpfil/pf/route_to.sh 
@@ -626,6 +626,66 @@ ifbound_reply_to_v6_cleanup() pft_cleanup } +atf_test_case "ifbound_reply_to_rdr_dummynet" "cleanup" +ifbound_reply_to_rdr_dummynet_head() +{ + atf_set descr 'Test that reply-to states bind to the expected non-default-route interface after rdr and dummynet' + atf_set require.user root +} + +ifbound_reply_to_rdr_dummynet_body() +{ + dummynet_init + + j="route_to:ifbound_reply_to_rdr_dummynet" + + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) + ifconfig ${epair_one}b inet 192.0.2.2/24 up + ifconfig ${epair_two}b up + + vnet_mkjail $j ${epair_one}a ${epair_two}a + jexec $j ifconfig lo0 inet 127.0.0.1/8 up + jexec $j ifconfig ${epair_one}a 192.0.2.1/24 up + jexec $j ifconfig ${epair_two}a 198.51.100.1/24 up + jexec $j route add default 198.51.100.254 + + jexec $j pfctl -e + jexec $j dnctl pipe 1 config delay 1 + pft_set_rules $j \ + "set state-policy if-bound" \ + "rdr on ${epair_one}a proto icmp from any to 192.0.2.1 -> 127.0.0.1" \ + "rdr on ${epair_two}a proto icmp from any to 198.51.100.1 -> 127.0.0.1" \ + "match in on ${epair_one}a inet all dnpipe (1, 1)" \ + "pass in on ${epair_one}a reply-to (${epair_one}a 192.0.2.2) inet from any to 127.0.0.1 keep state" + + atf_check -s exit:0 -o ignore \ + ping -c 3 192.0.2.1 + + atf_check -s exit:0 \ + ${common_dir}/pft_ping.py \ + --to 192.0.2.1 \ + --from 203.0.113.2 \ + --sendif ${epair_one}b \ + --replyif ${epair_one}b + + # pft_ping uses the same ID every time, so this will look like more traffic in the same state + atf_check -s exit:0 \ + ${common_dir}/pft_ping.py \ + --to 192.0.2.1 \ + --from 203.0.113.2 \ + --sendif ${epair_one}b \ + --replyif ${epair_one}b + + jexec $j pfctl -sr -vv + jexec $j pfctl -ss -vv +} + +ifbound_reply_to_rdr_dummynet_cleanup() +{ + pft_cleanup +} + atf_test_case "dummynet_frag" "cleanup" dummynet_frag_head() { 
@@ -740,6 +800,7 @@ atf_init_test_cases() atf_add_test_case "ifbound_v6" atf_add_test_case "ifbound_reply_to" atf_add_test_case "ifbound_reply_to_v6" + atf_add_test_case "ifbound_reply_to_rdr_dummynet" atf_add_test_case "dummynet_frag" atf_add_test_case "dummynet_double" }
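Review bot: in the pf.c hunk the rewrite `(*m0)->m_pkthdr.rcvif = V_loif;` runs before the `if (pf_pdesc_to_dnflow(pd, r, s, &dnflow))` check that decides whether the packet is actually queued to dummynet, so an rdr-to-loopback packet has its receive interface replaced by lo0 even when pf_pdesc_to_dnflow() returns false and the packet is never re-injected. Moving the assignment inside that block keeps the side effect limited to the packets that can come back through ip_input(), which is the only case the comment describes. The comment should also state that everything downstream that reads m_pkthdr.rcvif (interface-bound state lookup on the re-injected packet, per-interface rule matching and counters) will now see lo0 instead of the ingress interface. Minor: the commit message says the rcvif is set to V_iflo, while the code uses V_loif.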
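Review bot: the route_to.sh hunk describes the test as checking that reply-to states bind to the expected non-default-route interface after rdr and dummynet, but nothing in the body asserts on the bound interface: the only checks are the exit status of `ping -c 3 192.0.2.1` and of the two pft_ping.py runs, and the closing `jexec $j pfctl -sr -vv` / `jexec $j pfctl -ss -vv` only dump output that is never matched. Consider replacing the dumps with an `atf_check -o match:...` on the `pfctl -ss -vv` output (the state's interface line) so a regression in the binding is caught rather than only a dropped reply, or tighten the descr to what is actually verified. Also, the `rdr on ${epair_two}a ... -> 127.0.0.1` rule is never exercised since no traffic is sent to 198.51.100.1; either drop it or add a check that uses it.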