pf: Allow non-ip traffic through eth dummynet rules without panicking
ClosedPublic
Actions

Authored by linnemannr_gmail.com on May 23 2022, 10:44 PM.

Details

Reviewers

Summary

Alter pf_test_eth_rule() to panic when setting up the dnflow for a packet only
if the protocol is unknown. As we are filtering ethernet, IP and IPv6 are not
the only encapsulated protocols that should be handled.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 45688
Build 42576: arc lint + arc unit

Event Timeline

linnemannr_gmail.com created this revision.May 23 2022, 10:44 PM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptMay 23 2022, 10:44 PM

linnemannr_gmail.com requested review of this revision.May 23 2022, 10:44 PM

Harbormaster completed remote builds in B45687: Diff 106308.May 23 2022, 10:44 PM

Remove default case from address family switch in pf_test_eth_rule dummynet handling entirely

Harbormaster completed remote builds in B45688: Diff 106309.May 24 2022, 6:09 AM

kp accepted this revision.May 24 2022, 8:55 AM

This revision is now accepted and ready to land.May 24 2022, 8:55 AM

This was committed already:

commit ba3b6b938db71a18a93cf88979af0e57136787bd
Author: Kristof Provost <kp@FreeBSD.org>
Date:   Fri Jul 1 13:13:20 2022 +0200

    pf: handle dummynet for non-IP packets

    Do not panic if we try to dummynet an Ethernet packet that's not IPv4 or
    IPv6. Simply give it to dummynet.

    Sponsored by:   Rubicon Communications, LLC ("Netgate")

Revision Contents
Changeset List

Path

Size

sys/

netpfil/

pf/

pf.c

2 lines

Diff 106309

View Options

pf: Allow non-ip traffic through eth dummynet rules without panickingClosedPublicActions