Page MenuHomeFreeBSD
Differential D52447

pf: Fix rule and state counters
ClosedPublic
Actions

Authored by vegeta_tuxpowered.net on Tue, Sep 9, 1:22 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 3, 4:46 PM
Unknown Object (File)
Thu, Oct 2, 5:03 PM
Unknown Object (File)
Sun, Sep 28, 3:22 PM
Unknown Object (File)
Sun, Sep 28, 8:17 AM
Unknown Object (File)
Fri, Sep 26, 4:23 PM
Unknown Object (File)
Thu, Sep 25, 3:28 AM
Unknown Object (File)
Tue, Sep 23, 6:25 AM
Unknown Object (File)
Sat, Sep 20, 7:27 PM
View All 17 Files
Subscribers
ae
farrokhi
glebius
imp
melifaro

Details

Reviewers
kp
Commits
rG013708fd3167: pf: Fix rule and state counters
rG6353f5d9a5c6: pf: Fix rule and state counters
Summary

Increasing counters on "match" rules causes the 1st packet making a
connection to be double-counted, but only for rule counters, not rules'
tables, because those are not increased at all during rule parsing. Remove
"match" rule counter handling during rule parsing, do it only in
pf_counters_inc().

NAT can be performed either by "nat" rules in the NAT ruleset or by "match"
rules. Rules before the NAT rule, and the NAT rule itself match on pre-NAT
addresses, and later rules match on post-NAT addresses. When increasing
counters go over rules in the same order as a packet would and use source
and destination addresses for updating table counters from appropriate state
key, taking into consideration on which rule NAT happens.

Use AF from state key, so that table counters can be properly updated for
af-to rules.

Synchronize match rule updating behaviour to that of OpenBSD: if rules
match, but state is not created, don't update counters.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

vegeta_tuxpowered.net created this revision.Tue, Sep 9, 1:22 PM
Herald added subscribers: glebius, melifaro, farrokhi and 2 others. · View Herald TranscriptTue, Sep 9, 1:22 PM
vegeta_tuxpowered.net requested review of this revision.Tue, Sep 9, 1:22 PM
vegeta_tuxpowered.net added a child revision: D52448: pf: Fix interface counters for af-to rules.
vegeta_tuxpowered.net added a parent revision: D52446: pf: Always skip outbound filtering for inbound af-to rules.
kp added inline comments.Mon, Sep 15, 1:03 PM
sys/netpfil/pf/pf.c
5770

This line is identical in if and else, perhaps it belongs outside the if block?

vegeta_tuxpowered.net updated this revision to Diff 162172.Tue, Sep 16, 4:25 PM
vegeta_tuxpowered.net marked an inline comment as done.
vegeta_tuxpowered.net added inline comments.
sys/netpfil/pf/pf.c
5770

Fixed.

kp accepted this revision.Wed, Sep 24, 11:38 AM
This revision is now accepted and ready to land.Wed, Sep 24, 11:38 AM
Closed by commit rG6353f5d9a5c6: pf: Fix rule and state counters (authored by vegeta_tuxpowered.net). · Explain WhySun, Sep 28, 5:28 PM
This revision was automatically updated to reflect the committed changes.
vegeta_tuxpowered.net marked an inline comment as done.
vegeta_tuxpowered.net added a commit: rG6353f5d9a5c6: pf: Fix rule and state counters.
vegeta_tuxpowered.net added a commit: rG013708fd3167: pf: Fix rule and state counters.Wed, Oct 1, 4:11 PM

Revision Contents
Changeset List

PathSize
sys/
net/
7 lines
netpfil/
pf/
346 lines
tests/
sys/
netpfil/
pf/
1 line
817 lines
26 lines
3 lines

Diff 161785

View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...
View Options

tests/sys/netpfil/pf/Makefile

Loading...
View Options

tests/sys/netpfil/pf/counters.sh

Loading...
View Options

tests/sys/netpfil/pf/nat64.sh

Loading...
View Options

tests/sys/netpfil/pf/utils.subr

Loading...