
D40373.id122898.diff


diff --git a/UPDATING b/UPDATING
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,15 @@
world, or to merely disable the most expensive debugging functionality
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+20230531:
+ To enable pf rdr rules for connections initiated from the host, pf
+ filter rules are now processed by default for packets delivered
+ locally. This could change the behavior of rules which match packets
+ delivered to lo0. To disable this feature:
+
+ sysctl net.pf.filter_local=0
+ service pf restart
+
20230422:
Remove portsnap(8). Users are encouraged to obtain the ports tree
using git instead.
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -195,6 +195,12 @@
#error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
#endif
+VNET_DEFINE_STATIC(bool, pf_filter_local) = true;
+#define V_pf_filter_local VNET(pf_filter_local)
+SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(pf_filter_local), true,
+ "Enable filtering for packets delivered to local network stack");
+
static void pf_init_tagset(struct pf_tagset *, unsigned int *,
unsigned int);
static void pf_cleanup_tagset(struct pf_tagset *);
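Review bot: The sysctl declared on the `SYSCTL_BOOL` line is `CTLFLAG_RW`, but the value is only consulted at the point where pf links its pfil hooks (the `if (V_pf_filter_local)` checks in the later hunks), so toggling it on a running pf changes nothing until pf is restarted — which the UPDATING entry implies but the kernel-side declaration does not say. A reader of `sysctl -d` alone cannot tell that, so I would either extend the description string to `"Enable filtering for packets delivered to local network stack (takes effect when pf is restarted)"` or add a comment above the `VNET_DEFINE_STATIC` line stating that the flag is read only at hook-link time.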
@@ -6676,6 +6682,13 @@
pla.pa_hook = V_pf_ip4_out_hook;
ret = pfil_link(&pla);
MPASS(ret == 0);
+ if (V_pf_filter_local) {
+ pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
+ pla.pa_head = V_inet_local_pfil_head;
+ pla.pa_hook = V_pf_ip4_out_hook;
+ ret = pfil_link(&pla);
+ MPASS(ret == 0);
+ }
#endif
#ifdef INET6
pha.pa_type = PFIL_TYPE_IP6;
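Review bot: The link into `V_inet_local_pfil_head` is made only when `V_pf_filter_local` is true at hook time, but nothing in this hunk records that the extra hook was actually linked; if the matching unhook path (not in this diff) decides by re-reading the sysctl, a toggle between hook and unhook would either leave the local hook linked after pf detaches — a stale hook pointer the next locally delivered packet would call through — or try to unlink a hook that was never linked. I would latch the decision into a per-VNET flag (constructed name, to be chosen) set right after the `MPASS(ret == 0);` inside the `if`, next to the existing `V_pf_pfil_hooked`, and have the unhook path test that latch instead of the sysctl. The same applies to the IPv6 block in the next hunk. The enclosing hook function starts before and ends after this hunk, so the unhook side cannot be confirmed from here.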
@@ -6697,6 +6710,13 @@
pla.pa_hook = V_pf_ip6_out_hook;
ret = pfil_link(&pla);
MPASS(ret == 0);
+ if (V_pf_filter_local) {
+ pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
+ pla.pa_head = V_inet6_local_pfil_head;
+ pla.pa_hook = V_pf_ip6_out_hook;
+ ret = pfil_link(&pla);
+ MPASS(ret == 0);
+ }
#endif
atomic_store_bool(&V_pf_pfil_hooked, true);
diff --git a/tests/sys/netpfil/common/utils.subr b/tests/sys/netpfil/common/utils.subr
--- a/tests/sys/netpfil/common/utils.subr
+++ b/tests/sys/netpfil/common/utils.subr
@@ -55,11 +55,10 @@
jexec ${jname} ipfw -q -f flush
jexec ${jname} /bin/sh $cwd/ipfw.rule
elif [ ${fw} == "pf" ]; then
+ jexec ${jname} sysctl net.pf.filter_local=1
jexec ${jname} pfctl -e
jexec ${jname} pfctl -F all
jexec ${jname} pfctl -f $cwd/pf.rule
- jexec ${jname} pfilctl link -o pf:default-out inet-local
- jexec ${jname} pfilctl link -o pf:default-out6 inet6-local
elif [ ${fw} == "ipf" ]; then
jexec ${jname} ipf -E
jexec ${jname} ipf -Fa -f $cwd/ipf.rule
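Review bot: The `sysctl net.pf.filter_local=1` line is placed before `pfctl -e`, and that ordering appears to matter because the kernel side consults the flag only when pf links its pfil hooks; the dependency is not stated, so a comment `# must precede pfctl -e: the flag is read when pf links its hooks` would keep a later reordering from silently reverting the tests to the old behaviour. The sysctl's exit status is also not checked, so on a kernel without the OID the script continues and the later pf checks fail for a less obvious reason; wrapping it in `atf_check` would surface that directly, if the harness uses `atf_check` elsewhere.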
