Page MenuHomeFreeBSD
Differential D46612

pf: Let pf_state_insert() handle redirect state conflicts
ClosedPublic
Actions

Authored by markj on Sep 9 2024, 6:38 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 21, 3:12 AM
Unknown Object (File)
Tue, Nov 11, 10:19 PM
Unknown Object (File)
Sat, Nov 1, 11:24 PM
Unknown Object (File)
Sat, Nov 1, 11:24 PM
Unknown Object (File)
Sat, Nov 1, 11:24 PM
Unknown Object (File)
Sat, Nov 1, 7:22 PM
Unknown Object (File)
Fri, Oct 31, 4:19 PM
Unknown Object (File)
Oct 26 2025, 1:15 PM
View All 56 Files
Subscribers
farrokhi
glebius
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
kp
Commits
rGf4f4c52c0f46: pf: Let pf_state_insert() handle redirect state conflicts
rG9569fddd8d0e: pf: Let pf_state_insert() handle redirect state conflicts
Summary

When handling a redirect state conflict, pf_get_translation() tries
modifying the source port to avoid it. If it fails to find a free port,
the translation is aborted.

Instead, if we fail to find a free source port, simply press on with the
original source port and let pf_state_insert() handle the conflict as it
pleases, rather than second-guessing what it will do. In particular,
pf_state_insert() has special handling for TCP connections in a terminal
state, and might succeed despite a state conflict.

Sponsored by: Klara, Inc.
Sponsored by: Modirum

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 59409
Build 56296: arc lint + arc unit

Event Timeline

markj created this revision.Sep 9 2024, 6:38 PM
Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptSep 9 2024, 6:38 PM
markj requested review of this revision.Sep 9 2024, 6:38 PM
Harbormaster completed remote builds in B59409: Diff 143152.Sep 9 2024, 6:38 PM
kp accepted this revision.Sep 10 2024, 9:48 AM

That seems mostly reasonable. The only possible concern I have is that we implicitly change the reason from PFRES_MAPFAILED to PFRES_STATEINS. That in turn affects the pf status counters, and could make debugging nat issues a bit harder.

It's not a huge concern, but on the other hand, this also seems like it'd only rarely matter as well. We'd have to fail to find a free port and then happen to be lucky enough that the used port happens to be in timeout state. On the third hand, it's somewhat plausible that this is a client that's re-using source ports and in that case it's much more likely that the existing state is actually for a closed connection.

This revision is now accepted and ready to land.Sep 10 2024, 9:48 AM
Closed by commit rG9569fddd8d0e: pf: Let pf_state_insert() handle redirect state conflicts (authored by markj). · Explain WhySep 10 2024, 2:59 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG9569fddd8d0e: pf: Let pf_state_insert() handle redirect state conflicts.
markj added a commit: rGf4f4c52c0f46: pf: Let pf_state_insert() handle redirect state conflicts.Nov 20 2024, 9:41 PM

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
11 lines

Diff 143152

View Options

sys/netpfil/pf/pf_lb.c

Loading...