pf: Fix handling of v6 loopback connections with pf syncookies enabled

Description

pf: Fix handling of v6 loopback connections with pf syncookies enabled

The SYN|ACK generated by pf needs to inherit M_LOOP from the original
SYN, otherwise it gets dropped by ip6_input().

Fix this by adding an mbuf_flags argument to pf_build_tcp() that can be
used to set both M_SKIP_FIREWALL and M_LOOP as needed. Set M_LOOP on
the output mbuf if it was generated in response to an mbuf with M_LOOP
set.

Add a regression test case. The v4 case had no problems, but the v6
case fails without this change.

Reviewed by: kp
MFC after: 1 month
Sponsored by: Klara, Inc.
Sponsored by: Zenarmor
Differential Revision: https://reviews.freebsd.org/D47257

Details

Provenance
markj authored on Oct 29 2024, 2:59 PM
Reviewer
kp
Differential Revision
D47257: pf: Fix handling of v6 loopback connections with pf syncookies enabled
Parents
rG2775b9b0bcc2: nuageinit: add support for OpenStack network config