pf: tag dummynet'd route-to packets with their real destination
ClosedPublic
Actions

Authored by kp on May 10 2022, 8:53 AM.

Details

Reviewers

None

Group Reviewers

network
pfsense

Commits

rGa908f8f0dc62: pf: tag dummynet'd route-to packets with their real destination

Summary

If we delay route-to/dup-to/reply-to through dummynet we are eventually
returned to pf_test(). At that point we no longer have the context for
the route-to destination. We'd just skip the pf_test() and continue
processing. This means that route-to did not work as expected.

Extend pf_mtag to carry the route-to destination so we can apply it when
we re-enter pf_test().

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.May 10 2022, 8:53 AM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptMay 10 2022, 8:53 AM

kp requested review of this revision.May 10 2022, 8:53 AM

kp added a parent revision: D35158: pf: also apply dummynet to route-to/dup-to packets.

kp added a child revision: D35160: pf tests: factor out common dummynet check.

Harbormaster completed remote builds in B45508: Diff 105803.May 10 2022, 8:53 AM

glebius added inline comments.May 10 2022, 9:53 PM

sys/netpfil/pf/pf.c
6871	Can we assert network epoch here?
7427	What do you think about changing ifnet_byindexgen() to never return IFF_DYING interfaces? P.S. I desire the need for this flag to be eliminated.

kp added inline comments.May 11 2022, 7:58 AM

sys/netpfil/pf/pf.c
6871	Yeah, that makes sense. Pretty much all of pf runs under net_epoch, but an assert will make it more obvious that it's safe to access these fields here.
7427	That would make sense to me, yes.