Page MenuHomeFreeBSD
Differential D46612

pf: Let pf_state_insert() handle redirect state conflicts
ClosedPublic
Actions

Authored by markj on Sep 9 2024, 6:38 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Dec 16, 5:40 AM
Unknown Object (File)
Tue, Dec 3, 5:48 PM
Unknown Object (File)
Nov 21 2024, 1:20 PM
Unknown Object (File)
Nov 21 2024, 9:25 AM
Unknown Object (File)
Nov 20 2024, 11:32 PM
Unknown Object (File)
Nov 19 2024, 3:09 PM
Unknown Object (File)
Nov 8 2024, 11:20 AM
Unknown Object (File)
Oct 7 2024, 1:07 PM
View All 20 Files
Subscribers
farrokhi
glebius
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
kp
Commits
rGf4f4c52c0f46: pf: Let pf_state_insert() handle redirect state conflicts
rG9569fddd8d0e: pf: Let pf_state_insert() handle redirect state conflicts
Summary

When handling a redirect state conflict, pf_get_translation() tries
modifying the source port to avoid it. If it fails to find a free port,
the translation is aborted.

Instead, if we fail to find a free source port, simply press on with the
original source port and let pf_state_insert() handle the conflict as it
pleases, rather than second-guessing what it will do. In particular,
pf_state_insert() has special handling for TCP connections in a terminal
state, and might succeed despite a state conflict.

Sponsored by: Klara, Inc.
Sponsored by: Modirum

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Sep 9 2024, 6:38 PM
Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptSep 9 2024, 6:38 PM
markj requested review of this revision.Sep 9 2024, 6:38 PM
Harbormaster completed remote builds in B59409: Diff 143152.Sep 9 2024, 6:38 PM
kp accepted this revision.Sep 10 2024, 9:48 AM

That seems mostly reasonable. The only possible concern I have is that we implicitly change the reason from PFRES_MAPFAILED to PFRES_STATEINS. That in turn affects the pf status counters, and could make debugging nat issues a bit harder.

It's not a huge concern, but on the other hand, this also seems like it'd only rarely matter as well. We'd have to fail to find a free port and then happen to be lucky enough that the used port happens to be in timeout state. On the third hand, it's somewhat plausible that this is a client that's re-using source ports and in that case it's much more likely that the existing state is actually for a closed connection.

This revision is now accepted and ready to land.Sep 10 2024, 9:48 AM
Closed by commit rG9569fddd8d0e: pf: Let pf_state_insert() handle redirect state conflicts (authored by markj). · Explain WhySep 10 2024, 2:59 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG9569fddd8d0e: pf: Let pf_state_insert() handle redirect state conflicts.
markj added a commit: rGf4f4c52c0f46: pf: Let pf_state_insert() handle redirect state conflicts.Nov 20 2024, 9:41 PM

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
11 lines

Diff 143194

View Options

sys/netpfil/pf/pf_lb.c

Loading...