Page MenuHomeFreeBSD

pf: bind route-to states to their route-to interface
ClosedPublic

Authored by kp on Jan 25 2024, 1:05 PM.
Tags
None
Referenced Files
F99772476: D43589.diff
Sun, Oct 13, 12:29 AM
F99703035: D43589.diff
Sat, Oct 12, 7:35 AM
Unknown Object (File)
Sun, Sep 29, 2:47 AM
Unknown Object (File)
Sun, Sep 29, 2:47 AM
Unknown Object (File)
Sun, Sep 29, 2:47 AM
Unknown Object (File)
Sun, Sep 29, 2:46 AM
Unknown Object (File)
Sun, Sep 29, 2:34 AM
Unknown Object (File)
Sun, Sep 22, 3:58 AM

Details

Summary

When we route-to the state should be bound to the route-to interface,
not the default route interface.
Explicitly check for this in BOUND_IFACE().

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 55604
Build 52493: arc lint + arc unit

Event Timeline

kp requested review of this revision.Jan 25 2024, 1:05 PM

This is wrong, as I'd have seen immediately if I'd had the test send more than 1 ping.
When the second outbound ping arrives pf looks for the state on epair_one, but we've created it for epair_two, so we don't find the state and reject the packet (or more accurately, try to create a new state for it and fail because such a state already exists).

  • improve test (ping 3x, to ensure that subsequent packets make it)
  • when matching states also look at the original interface This is required because the expected outbound interface before we match the state is the original interface, but for inbound packets it will be the route-to'd interface (which we've now bound the state to)
This revision was not accepted when it landed; it landed in state Needs Review.Jan 29 2024, 1:53 PM
This revision was automatically updated to reflect the committed changes.