pf: carry over rule actions from route-to rules
Status: Closed, Public

Authored by kp on May 30 2023, 7:28 PM.

Details

Summary

If we route-to (or dup-to/reply-to) we re-run pf_test(), which will also
create states for the connection.
This means that we may end up matching a different (i.e. not the state
that was created by the route-to rule) state, without the attributes
(such as dummynet pipes/queues) set by the route-to rule.

Address this by inheriting the pf_rule_actions from the route-to rule
while evaluating the connection again in pf_test(). That is, we set
default pf_rule_actions based on the route-to rule for the new
evaluation. The new rule may still overrule these, but if it does not
have such actions the route-to actions are applied.

Do the same for IPv6 rules in pf_test6()/pf_route6().

See also: https://redmine.pfsense.org/issues/14039
Sponsored by: Rubicon Communications, LLC ("Netgate")
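The precedence rule the summary describes (the re-run evaluation starts from the route-to rule's actions, and the newly matched rule only replaces what it sets itself) can be modelled outside the kernel. The following is an added example and not code from the FreeBSD tree: `struct rule_actions`, its field names and the `reevaluate()`/`apply_with_defaults()` helpers are a simplified stand-in for pf's `struct pf_rule_actions` and the `pf_test()` re-run, and the pipe and queue numbers are constructed. The `inherit` flag contrasts the old behaviour (second pass starts from empty actions, so the dummynet pipe is lost) with the behaviour after the change.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of pf's per-rule actions. The field set is an
 * assumption for this example; FreeBSD's struct pf_rule_actions has more
 * members. A value of 0 means "not set by this rule". */
struct rule_actions {
    uint16_t dnpipe;   /* dummynet pipe for the forward direction */
    uint16_t dnrpipe;  /* dummynet pipe for the reverse direction */
    uint16_t qid;      /* ALTQ queue id */
};

/* Start from the carried-over defaults and let the matched rule overrule
 * only the actions it explicitly sets. */
static struct rule_actions
apply_with_defaults(const struct rule_actions *defaults,
                    const struct rule_actions *matched)
{
    struct rule_actions out = *defaults;

    if (matched->dnpipe != 0)
        out.dnpipe = matched->dnpipe;
    if (matched->dnrpipe != 0)
        out.dnrpipe = matched->dnrpipe;
    if (matched->qid != 0)
        out.qid = matched->qid;
    return out;
}

/* Model of the second pf_test() pass on the route-to/dup-to/reply-to path.
 * inherit == 0: old behaviour, the second pass starts with empty actions.
 * inherit != 0: the route-to rule's actions become the defaults. */
static struct rule_actions
reevaluate(const struct rule_actions *route_to_rule,
           const struct rule_actions *matched_rule, int inherit)
{
    struct rule_actions empty;

    memset(&empty, 0, sizeof(empty));
    return apply_with_defaults(inherit ? route_to_rule : &empty,
                               matched_rule);
}

/* Constructed scenario: the route-to rule assigns dummynet pipe 3
 * (reverse pipe 4, queue 7); the re-evaluation matches a rule that sets
 * only matched_dnpipe (0 = no dummynet action). Returns the pipe the
 * connection ends up with. */
static int
dnpipe_after_reevaluation(int inherit, uint16_t matched_dnpipe)
{
    struct rule_actions route_to = { .dnpipe = 3, .dnrpipe = 4, .qid = 7 };
    struct rule_actions matched = { .dnpipe = matched_dnpipe };
    struct rule_actions r = reevaluate(&route_to, &matched, inherit);

    return r.dnpipe;
}

int
main(void)
{
    printf("old behaviour, rule without dummynet action: pipe %d\n",
           dnpipe_after_reevaluation(0, 0));   /* 0: pipe lost */
    printf("new behaviour, rule without dummynet action: pipe %d\n",
           dnpipe_after_reevaluation(1, 0));   /* 3: inherited */
    printf("new behaviour, rule with its own pipe:       pipe %d\n",
           dnpipe_after_reevaluation(1, 5));   /* 5: rule overrules */
    return 0;
}
```

The first call shows the failure the change addresses: a state created by a rule without dummynet actions silently drops the pipe that the route-to rule assigned, so traffic escapes the intended shaping. The other two calls show the intended ordering after the change: inherited when the new rule is silent, replaced when the new rule speaks.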

Diff Detail

Repository: rG FreeBSD src repository
Lint: Not Applicable
Unit Tests: Not Applicable

Event Timeline

kp requested review of this revision. May 30 2023, 7:28 PM
This revision was not accepted when it landed; it landed in state Needs Review. Jun 2 2023, 2:56 PM
This revision was automatically updated to reflect the committed changes.