Diffusion FreeBSD src repository 9897a66923a3

pf: Let rdr rules modify the src port if doing so would avoid a conflict
9897a66923a3
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

pf: Let rdr rules modify the src port if doing so would avoid a conflict

If NAT rules cause inbound connections to different external IPs to be
mapped to the same internal IP, and some application uses the same
source port for multiple such connections, rdr translation may result in
conflicts that cause some of the connections to be dropped.

Address this by letting rdr rules detect state conflicts and modulate
the source port to avoid them.

Reviewed by: kp, allanjude
MFC after: 3 months
Sponsored by: Klara, Inc.
Sponsored by: Modirum
Differential Revision: https://reviews.freebsd.org/D44488

Details

Provenance

Authored on Aug 19 2024, 2:08 PM

Reviewer

Differential Revision

D44488: pf: if a new RDR state connect be created, modulate src port

Parents

rGd7d5c9efef03: pkgbase: Let source packages be built in parallel

Branches

Unknown

Tags

Unknown

Event Timeline

markj committed rG9897a66923a3: pf: Let rdr rules modify the src port if doing so would avoid a conflict (authored by markj).Aug 19 2024, 2:37 PM

markj added an edge: D44488: pf: if a new RDR state connect be created, modulate src port.

markj mentioned this in rG08d0ebe560a8: pf: Let rdr rules modify the src port if doing so would avoid a conflict.Wed, Nov 20, 9:41 PM

Changes (5)

Path

Size

share/

man/

man5/

sys/

netpfil/

pf/

tests/

sys/

netpfil/

pf/

rG9897a66923a3

share/man/man5/pf.conf.5

Loading...

sys/netpfil/pf/pf_lb.c

Loading...

tests/sys/netpfil/pf/Makefile

Loading...

tests/sys/netpfil/pf/rdr-srcport.py

Loading...

tests/sys/netpfil/pf/rdr.sh

Loading...