Page MenuHomeFreeBSD
Differential D53231

pf: Check if source nodes use a valid redirection address
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Oct 21 2025, 8:46 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 27, 10:30 PM
Unknown Object (File)
Tue, Nov 25, 11:34 PM
Unknown Object (File)
Tue, Nov 18, 1:39 PM
Unknown Object (File)
Tue, Nov 18, 5:11 AM
Unknown Object (File)
Sat, Nov 15, 10:14 PM
Unknown Object (File)
Thu, Nov 13, 7:37 PM
Unknown Object (File)
Tue, Nov 4, 12:58 PM
Unknown Object (File)
Mon, Nov 3, 2:24 AM
View All 27 Files
Subscribers
ae
farrokhi
glebius
imp
melifaro

Details

Reviewers
kp
Commits
rGee1f417a8609: pf: Check if source nodes use a valid redirection address
Summary

Source nodes redirect (nat-to, rdr-to, route-to) all further connections
matching the rule which has created the source node. The source node is
valid as long as there are states resulting from the rule or until the
source node lifetime expires. When the rule's redirection pool is
modified (e.g. table contents are changed) the source node is still
valid and it will redirect new connections to invalid target (e.g. a
dead next-hop).

When performing source tracking after finding a source node check if the
redirection address still exists in pool of the rule which has created
this node. If not, delete the source node. This will result in finding a
new redirection address and creation of a new source node.

Obtained from: OpenBSD
Sponsored by: InnoGames GmbH

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

vegeta_tuxpowered.net created this revision.Oct 21 2025, 8:46 AM
Herald added subscribers: glebius, melifaro, farrokhi and 2 others. · View Herald TranscriptOct 21 2025, 8:46 AM
vegeta_tuxpowered.net requested review of this revision.Oct 21 2025, 8:46 AM
vegeta_tuxpowered.net added inline comments.Oct 21 2025, 8:48 AM
sys/netpfil/pf/pf_lb.c
586

The test I wrote only tests the case for PF_ADDR_TABLE because that can easily be modified with pfctl without changing the ruleset (which would invalidate all SNs). Any idea how I can modify the redirection pool of an existing rule for other cases? The logic here is copied from OpenBSD with addition of comments and redirection AF.

vegeta_tuxpowered.net updated this revision to Diff 164677.Oct 21 2025, 8:56 AM

Assert the rpool.

kp accepted this revision.Oct 29 2025, 10:58 AM

Do you have a specific OpenBSD patch you obtained this from?

sys/netpfil/pf/pf_lb.c
586

We can probably do PF_ADDR_DYNIFTL and change the addresses assigned to that interface. I don't think we can for the other cases.

Testing them all would be good, obviously, but just having one scenario that exercises this code path already gets us 80-90% of the utility of the test case, so I wouldn't worry too much about it.

This revision is now accepted and ready to land.Oct 29 2025, 10:58 AM
Closed by commit rGee1f417a8609: pf: Check if source nodes use a valid redirection address (authored by vegeta_tuxpowered.net). · Explain WhyThu, Oct 30, 5:45 PM
This revision was automatically updated to reflect the committed changes.
vegeta_tuxpowered.net added a commit: rGee1f417a8609: pf: Check if source nodes use a valid redirection address.

Revision Contents
Changeset List

PathSize
sys/
net/
4 lines
netpfil/
pf/
2 lines
101 lines
2 lines
tests/
sys/
netpfil/
pf/
74 lines

Diff 165472

View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...
View Options

sys/netpfil/pf/pf_lb.c

Loading...
View Options

sys/netpfil/pf/pf_table.c

Loading...
View Options

tests/sys/netpfil/pf/src_track.sh

Loading...