
pf: carry over rule actions from route-to rules
ClosedPublic

Authored by kp on May 30 2023, 7:28 PM.

Details

Summary

If we route-to (or dup-to/reply-to) we re-run pf_test(), which will also
create states for the connection.
This means that we may end up matching a different (i.e. not the state
that was created by the route-to rule) state, without the attributes
(such as dummynet pipes/queues) set by the route-to rule.

Address this by inheriting the pf_rule_actions from the route-to rule
while evaluating the connection again in pf_test(). That is, we set
default pf_rule_actions based on the route-to rule for the new
evaluation. The new rule may still overrule these, but if it does not
have such actions the route-to actions are applied.

Do the same for IPv6 rules in pf_test6()/pf_route6().

See also: https://redmine.pfsense.org/issues/14039
Sponsored by: Rubicon Communications, LLC ("Netgate")
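As an added illustration, not part of this revision or of pf's own test suite, a pf.conf fragment of the kind the summary describes; the interface names, addresses and pipe numbers are assumed:

```conf
# Assumed example, not from the revision: em0 is the inbound interface,
# em1 the interface route-to sends traffic out on, 192.0.2.1 a next hop.
# Dummynet pipes are configured outside pf.conf, e.g.
#   dnctl pipe 1 config bw 10Mbit/s
#   dnctl pipe 2 config bw 2Mbit/s

# The route-to rule carries a rule action (dummynet pipe 1) and causes
# pf_test() to be re-run for the packet on em1, where a new state may
# be created.
pass in quick on em0 inet from 198.51.100.0/24 to any \
    route-to (em1 192.0.2.1) dnpipe 1 keep state

# The re-evaluation on em1 may match this rule, which names no pipe.
# Before the change, a state created here carried no dummynet action;
# with the change, the route-to rule's actions are inherited because
# this rule sets none of its own.
pass out on em1 inet from 198.51.100.0/24 to any keep state

# A rule that sets its own action still overrules the inherited one
# (pf's last-matching-rule semantics pick this rule for this destination).
pass out on em1 inet from 198.51.100.0/24 to 203.0.113.0/24 \
    dnpipe 2 keep state
```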

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

kp requested review of this revision. May 30 2023, 7:28 PM
This revision was not accepted when it landed; it landed in state Needs Review. Jun 2 2023, 2:56 PM
This revision was automatically updated to reflect the committed changes.