pf: Fix packet reassembly
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Oct 24 2023, 8:05 PM.

Details

Reviewers

Commits

rGede5d4ff5b39: pf: Fix packet reassembly

Summary

Don't drop fragmented packets when reassembly is disabled, they can be matched by rules with "fragment" keyword. Ensure that presence of scrub rules forces old behaviour.

Test Plan

D42354 is needed for tests. I kindly ask you to run the tests because I ran into some issues with my testing environment. I was able to "debug" each of tests in this patch, though. The patch was written against 14-STABLE, I don't have a 15 environment yet and I believe this fix is quite important.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

vegeta_tuxpowered.net created this revision.Oct 24 2023, 8:05 PM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptOct 24 2023, 8:05 PM

vegeta_tuxpowered.net requested review of this revision.Oct 24 2023, 8:05 PM

I've not yet investigated why, but I'm seeing a lot of failures with both of these patches:

fragmentation_compat:reassemble  ->  failed: atf-check failed; see the output of the test for details  [1.535s]
fragmentation_no_reassembly:match_fragment_v4  ->  failed: atf-check failed; see the output of the test for details  [4.429s]
fragmentation_no_reassembly:match_full_v4  ->  failed: atf-check failed; see the output of the test for details  [4.646s]
fragmentation_pass:no_df  ->  failed: atf-check failed; see the output of the test for details  [6.014s]
fragmentation_pass:overindex  ->  failed: atf-check failed; see the output of the test for details  [7.288s]
fragmentation_pass:overreplace  ->  failed: atf-check failed; see the output of the test for details  [5.086s]
fragmentation_pass:reassemble  ->  failed: atf-check failed; see the output of the test for details  [1.891s]
fragmentation_pass:too_many_fragments  ->  failed: atf-check failed; see the output of the test for details  [0.266s]
killstate:gateway  ->  failed: atf-check failed; see the output of the test for details  [7.032s]
killstate:id  ->  failed: atf-check failed; see the output of the test for details  [6.784s]
killstate:interface  ->  failed: atf-check failed; see the output of the test for details  [5.782s]
killstate:label  ->  failed: atf-check failed; see the output of the test for details  [6.473s]
killstate:multilabel  ->  failed: atf-check failed; see the output of the test for details  [6.051s]
killstate:v4  ->  failed: atf-check failed; see the output of the test for details  [5.888s]
map_e:map_e  ->  failed: nc failed (0)  [3.012s]
modulate:modulate_v4  ->  failed: atf-check failed; see the output of the test for details  [5.336s]
nat:exhaust  ->  failed: atf-check failed; see the output of the test for details  [13.429s]
pass_block:urpf  ->  failed: atf-check failed; see the output of the test for details  [1.157s]
pass_block:v4  ->  failed: atf-check failed; see the output of the test for details  [2.076s]
proxy:ftp  ->  failed: atf-check failed; see the output of the test for details  [15.177s]
route_to:icmp_nat  ->  failed: atf-check failed; see the output of the test for details  [11.440s]
rtable:forward_v4  ->  failed: atf-check failed; see the output of the test for details  [6.317s]
rules_counter:get_clear  ->  failed: atf-check failed; see the output of the test for details  [4.109s]
rules_counter:keepcounters  ->  failed: atf-check failed; see the output of the test for details  [4.161s]
scrub_compat:max_mss_v4  ->  failed: atf-check failed; see the output of the test for details  [5.232s]
scrub_compat:min_ttl_v4  ->  failed: atf-check failed; see the output of the test for details  [5.169s]
scrub_compat:no_scrub_v4  ->  failed: atf-check failed; see the output of the test for details  [5.103s]
scrub_compat:set_tos_v4  ->  failed: atf-check failed; see the output of the test for details  [5.431s]
scrub_pass:max_mss_v4  ->  failed: atf-check failed; see the output of the test for details  [5.114s]
scrub_pass:min_ttl_v4  ->  failed: atf-check failed; see the output of the test for details  [5.109s]
scrub_pass:set_tos_v4  ->  failed: atf-check failed; see the output of the test for details  [5.189s]
scrub_pass:set_tos_v6  ->  failed: atf-check failed; see the output of the test for details  [5.148s]
set_skip:pr255852  ->  failed: atf-check failed; see the output of the test for details  [1.151s]
set_skip:set_skip_dynamic  ->  failed: atf-check failed; see the output of the test for details  [12.637s]
set_tos:v4  ->  failed: atf-check failed; see the output of the test for details  [13.420s]
syncookie:adaptive  ->  failed: atf-check failed; see the output of the test for details  [12.458s]
syncookie:basic  ->  failed: atf-check failed; see the output of the test for details  [11.325s]
syncookie:forward  ->  failed: atf-check failed; see the output of the test for details  [11.440s]
syncookie:nostate  ->  failed: atf-check failed; see the output of the test for details  [12.298s]
syncookie:port_reuse  ->  failed: atf-check failed; see the output of the test for details  [11.394s]
synproxy:local  ->  failed: atf-check failed; see the output of the test for details  [11.808s]
synproxy:synproxy  ->  failed: atf-check failed; see the output of the test for details  [12.135s]
table:anchor  ->  failed: atf-check failed; see the output of the test for details  [0.173s]
table:v4_counters  ->  failed: atf-check failed; see the output of the test for details  [3.364s]
tos:v4  ->  failed: atf-check failed; see the output of the test for details  [1.002s]

Fix test cleanups.

In D42355#966621, @kp wrote:
I've not yet investigated why, but I'm seeing a lot of failures with both of these patches:
fragmentation_compat:reassemble  ->  failed: atf-check failed; see the output of the test for details  [1.535s]
…

With fixed cleanups of freshly added tests this issue is gone. While fixing working this I also found that one more tests does not work correctly, the issue is addressed in a separate review D42363, as it's not related to this review.