Page MenuHomeFreeBSD
Differential D40973

ipfw: teach ipfw that pfsync is an upper layer protocol
ClosedPublic
Actions

Authored by kp on Jul 11 2023, 12:40 PM.
Tags
None
Referenced Files
F157410600: D40973.id124494.diff
Thu, May 21, 2:47 AM
F157382374: D40973.id124495.diff
Wed, May 20, 8:29 PM
Unknown Object (File)
Wed, May 20, 1:12 AM
Unknown Object (File)
Tue, May 19, 9:54 PM
Unknown Object (File)
Sun, May 17, 3:32 PM
Unknown Object (File)
Wed, May 13, 10:09 PM
Unknown Object (File)
Wed, May 13, 10:09 PM
Unknown Object (File)
Wed, May 13, 10:09 PM
View All Files
Subscribers
ae
donner
farrokhi
glebius
imp
melifaro

Details

Reviewers
ae
Group Reviewers
network
Commits
rG66f2f9ee0877: ipfw: teach ipfw that pfsync is an upper layer protocol
Summary

Explicitly add pfsync as a know upper layer protocol so we don't
automatically discard pfsync packets (carried over IPv6).

net.inet6.ip6.fw.deny_unknown_exthdrs defaults to 1, so even if
net.inet.ip.fw.default_to_accept is set to 1 we'd discard pfsync (over
IPv6).

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 52561
Build 49452: arc lint + arc unit

Event Timeline

kp created this revision.Jul 11 2023, 12:40 PM
Herald added subscribers: glebius, donner, melifaro and 3 others. · View Herald TranscriptJul 11 2023, 12:40 PM
kp requested review of this revision.Jul 11 2023, 12:40 PM
kp mentioned this in D40102: pfsync: Transport over IPv6 Unicast support.Jul 11 2023, 12:41 PM
Harbormaster completed remote builds in B52559: Diff 124490.Jul 11 2023, 12:41 PM
ae added a comment.Jul 11 2023, 2:23 PM

I don't like adding extra printfs on fast path processing. This can easily make your system unresponsive.

sys/netpfil/ipfw/ip_fw2.c
1727

this can be quite verbose

kp added a comment.Jul 11 2023, 2:29 PM

Oh sorry, that's git-arc adding uncommitted changes to the diff. Let me clean that up.

kp updated this revision to Diff 124494.Jul 11 2023, 2:30 PM

Remove unrelated changes.

Harbormaster completed remote builds in B52561: Diff 124494.Jul 11 2023, 2:30 PM
kp added a comment.Jul 11 2023, 2:32 PM

This is something we ran into with the pfsync-over-ip6 diff in https://reviews.freebsd.org/D40102.

The test cases failed on my system because I load both ipfw and pf (mostly by accident, but the CI tests do this too), and ipfw blocked the pfsync packets even though net.inet.ip.fw.default_to_accept was set to 1.

ae accepted this revision.Jul 11 2023, 2:38 PM
This revision is now accepted and ready to land.Jul 11 2023, 2:38 PM
Closed by commit rG66f2f9ee0877: ipfw: teach ipfw that pfsync is an upper layer protocol (authored by kp). · Explain WhyJul 11 2023, 3:01 PM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG66f2f9ee0877: ipfw: teach ipfw that pfsync is an upper layer protocol.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
ipfw/
5 lines

Diff 124494

View Options

sys/netpfil/ipfw/ip_fw2.c

Loading...