pf: Check if source nodes use a valid redirection address
Needs ReviewPublic
Actions

Authored by vegeta_tuxpowered.net on Tue, Oct 21, 8:46 AM.

Details

Reviewers

Summary

Source nodes redirect (nat-to, rdr-to, route-to) all further connections
matching the rule which has created the source node. The source node is
valid as long as there are states resulting from the rule or until the
source node lifetime expires. When the rule's redirection pool is
modified (e.g. table contents are changed) the source node is still
valid and it will redirect new connections to invalid target (e.g. a
dead next-hop).

When performing source tracking after finding a source node check if the
redirection address still exists in pool of the rule which has created
this node. If not, delete the source node. This will result in finding a
new redirection address and creation of a new source node.

Obtained from: OpenBSD
Sponsored by: InnoGames GmbH

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Tue, Oct 21, 8:46 AM

Herald added subscribers: glebius, melifaro, farrokhi and 2 others. · View Herald TranscriptTue, Oct 21, 8:46 AM

vegeta_tuxpowered.net requested review of this revision.Tue, Oct 21, 8:46 AM

vegeta_tuxpowered.net added inline comments.Tue, Oct 21, 8:48 AM

sys/netpfil/pf/pf_lb.c
586	The test I wrote only tests the case for PF_ADDR_TABLE because that can easily be modified with `pfctl` without changing the ruleset (which would invalidate all SNs). Any idea how I can modify the redirection pool of an existing rule for other cases? The logic here is copied from OpenBSD with addition of comments and redirection AF.