Page MenuHomeFreeBSD
Differential D40973

ipfw: teach ipfw that pfsync is an upper layer protocol
ClosedPublic
Actions

Authored by kp on Jul 11 2023, 12:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Mar 23, 5:06 AM
Unknown Object (File)
Mon, Mar 23, 5:06 AM
Unknown Object (File)
Sun, Mar 22, 1:24 PM
Unknown Object (File)
Sun, Mar 22, 10:41 AM
Unknown Object (File)
Sun, Mar 22, 2:43 AM
Unknown Object (File)
Sat, Mar 21, 5:27 PM
Unknown Object (File)
Fri, Mar 20, 7:32 AM
Unknown Object (File)
Wed, Mar 18, 2:38 AM
View All Files
Subscribers
ae
donner
farrokhi
glebius
imp
melifaro

Details

Reviewers
ae
Group Reviewers
network
Commits
rG66f2f9ee0877: ipfw: teach ipfw that pfsync is an upper layer protocol
Summary

Explicitly add pfsync as a know upper layer protocol so we don't
automatically discard pfsync packets (carried over IPv6).

net.inet6.ip6.fw.deny_unknown_exthdrs defaults to 1, so even if
net.inet.ip.fw.default_to_accept is set to 1 we'd discard pfsync (over
IPv6).

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Jul 11 2023, 12:40 PM
Herald added subscribers: glebius, donner, melifaro and 3 others. · View Herald TranscriptJul 11 2023, 12:40 PM
kp requested review of this revision.Jul 11 2023, 12:40 PM
kp mentioned this in D40102: pfsync: Transport over IPv6 Unicast support.Jul 11 2023, 12:41 PM
Harbormaster completed remote builds in B52559: Diff 124490.Jul 11 2023, 12:41 PM
ae added a comment.Jul 11 2023, 2:23 PM

I don't like adding extra printfs on fast path processing. This can easily make your system unresponsive.

sys/netpfil/ipfw/ip_fw2.c
1727

this can be quite verbose

kp added a comment.Jul 11 2023, 2:29 PM

Oh sorry, that's git-arc adding uncommitted changes to the diff. Let me clean that up.

kp updated this revision to Diff 124494.Jul 11 2023, 2:30 PM

Remove unrelated changes.

Harbormaster completed remote builds in B52561: Diff 124494.Jul 11 2023, 2:30 PM
kp added a comment.Jul 11 2023, 2:32 PM

This is something we ran into with the pfsync-over-ip6 diff in https://reviews.freebsd.org/D40102.

The test cases failed on my system because I load both ipfw and pf (mostly by accident, but the CI tests do this too), and ipfw blocked the pfsync packets even though net.inet.ip.fw.default_to_accept was set to 1.

ae accepted this revision.Jul 11 2023, 2:38 PM
This revision is now accepted and ready to land.Jul 11 2023, 2:38 PM
Closed by commit rG66f2f9ee0877: ipfw: teach ipfw that pfsync is an upper layer protocol (authored by kp). · Explain WhyJul 11 2023, 3:01 PM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG66f2f9ee0877: ipfw: teach ipfw that pfsync is an upper layer protocol.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
ipfw/
5 lines

Diff 124495

View Options

sys/netpfil/ipfw/ip_fw2.c

Loading...