Page MenuHomeFreeBSD

pf: Add code to enable filtering for locally delivered packets
ClosedPublic

Authored by dfr on Jun 1 2023, 10:53 AM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 15, 8:41 PM
Unknown Object (File)
Fri, Nov 15, 6:55 PM
Unknown Object (File)
Wed, Nov 13, 11:50 AM
Unknown Object (File)
Wed, Nov 13, 5:20 AM
Unknown Object (File)
Wed, Nov 13, 1:04 AM
Unknown Object (File)
Sun, Nov 3, 2:20 PM
Unknown Object (File)
Sun, Nov 3, 2:20 PM
Unknown Object (File)
Oct 20 2024, 2:34 AM

Details

Summary

This is disabled by default so that it can be merged to stable/13
safely.

PR: 268717
MFC-after: 2 weeks

pf: Enable filtering locally delivered packets by default

PR: 268717

Test Plan

kyua test -k /usr/tests/sys/netpfil/common

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 52100
Build 48991: arc lint + arc unit

Event Timeline

dfr requested review of this revision.Jun 1 2023, 10:53 AM

This change looks fine, but we should figure out why some of the pf dummynet tests broke with the previous step before we go further down this path: https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23651/#showFailuresLink

We do already activate this new hook for pf in the common tests, but not in the netpfil/pf tests. I'm rather worried that a lot more tests would start failing if we did that.

In D40373#919092, @kp wrote:

This change looks fine, but we should figure out why some of the pf dummynet tests broke with the previous step before we go further down this path: https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23651/#showFailuresLink

We do already activate this new hook for pf in the common tests, but not in the netpfil/pf tests. I'm rather worried that a lot more tests would start failing if we did that.

This is a very good point. I will debug the dummynet tests and take a closer look at the netpfil/pf tests

In D40373#919110, @dfr wrote:
In D40373#919092, @kp wrote:

This change looks fine, but we should figure out why some of the pf dummynet tests broke with the previous step before we go further down this path: https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23651/#showFailuresLink

We do already activate this new hook for pf in the common tests, but not in the netpfil/pf tests. I'm rather worried that a lot more tests would start failing if we did that.

This is a very good point. I will debug the dummynet tests and take a closer look at the netpfil/pf tests

I think the dummynet test failures are caused by the new filter head adding a second PFIL_OUT for the ping packet. The code allows for dummynet's re-injection but only once:

if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL &&
    pd.pf_mtag->flags & PF_TAG_DUMMYNET) {
        /* Dummynet re-injects packets after they've
         * completed their delay. We've already
         * processed them, so pass unconditionally. */

        /* But only once. We may see the packet multiple times (e.g.
         * PFIL_IN/PFIL_OUT). */
        pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;
        PF_RULES_RUNLOCK();

        return (PF_PASS);
}

It turned out that the dummynet test failures were just caused by the pf rules matching packets delivered to the local IP stack. Narrowing the rules to exclude that fixed them, details in D40393

Just getting back to this now - I'll spend some time running the netpfil/pf tests and see what breaks.

Rebase and fix unit tests

I did not test the ALTQ tests but all the other pf tests pass except sys/netpfil/pf/pfsync:defer which seems to be a known failing test.

@kp I plan to merge this to current this week - do you have any concerns or comments before I do that?

In D40373#924407, @dfr wrote:

@kp I plan to merge this to current this week - do you have any concerns or comments before I do that?

Really only that I don't think we should enable this by default. It'll break existing configurations and we cannot rely on users reading and fully understanding UPDATING.

Ok, I'm happy with that - I will change the default for net.pf.filter_local back to false and adjust the UPDATING text to reflect that. I'll leave the test changes in so that tests will pass on machines where this is enabled. I'll also squash the two commits - there is no need to separate if we are keeping filter_local disabled by default.

This revision was not accepted when it landed; it landed in state Needs Review.Jun 20 2023, 2:36 PM
This revision was automatically updated to reflect the committed changes.