Date: Tue, 19 Mar 2024 15:30:32 GMT
Message-Id: <202403191530.42JFUW90096091@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 0ea0c026557b - main - pf: avoid passing through dummynet multiple times

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0ea0c026557b46292881d5a75babeb3cc0fd9696

commit 0ea0c026557b46292881d5a75babeb3cc0fd9696
Author:     Kristof Provost
AuthorDate: 2024-03-11 13:44:17 +0000
Commit:     Kristof Provost
CommitDate: 2024-03-19 15:29:29 +0000

    pf: avoid passing through dummynet multiple times

    In some setups we end up with multiple states created for a single
    packet, which in turn can mean we run the packet through dummynet
    multiple times. That's not expected or intended.

    Mark each packet when it goes through dummynet, and do not pass packets
    through dummynet if they're marked as having already passed through.

    See also:       https://redmine.pfsense.org/issues/14854
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D44365
---
 sys/netpfil/pf/pf.c              |  4 +++
 sys/netpfil/pf/pf_mtag.h         |  2 +-
 tests/sys/netpfil/pf/route_to.sh | 53 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b1f93f605b4f..5089b3ea2570 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -7795,6 +7795,9 @@ pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r, dndir = pd->dir; } + if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED) + return (false); + memset(dnflow, 0, sizeof(*dnflow)); if (pd->dport != NULL) @@ -7936,6 +7939,7 @@ pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s, if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) { pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET; + pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED; ip_dn_io_ptr(m0, &dnflow); if (*m0 != NULL) { pd->pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO; diff --git a/sys/netpfil/pf/pf_mtag.h b/sys/netpfil/pf/pf_mtag.h index 5c6fb1c386f1..6ecc33c25a73 100644 --- a/sys/netpfil/pf/pf_mtag.h +++ b/sys/netpfil/pf/pf_mtag.h @@ -41,7 +41,7 @@ #define PF_MTAG_FLAG_TRANSLATE_LOCALHOST 0x04 #define PF_MTAG_FLAG_PACKET_LOOPED 0x08 #define PF_MTAG_FLAG_FASTFWD_OURS_PRESENT 0x10 -/* 0x20 unused */ +#define PF_MTAG_FLAG_DUMMYNETED 0x20 #define PF_MTAG_FLAG_DUPLICATED 0x40 #define PF_MTAG_FLAG_SYNCOOKIE_RECREATED 0x80 diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh index d5d29709fe06..4df9b790359a 100644 --- a/tests/sys/netpfil/pf/route_to.sh +++ b/tests/sys/netpfil/pf/route_to.sh 
@@ -615,6 +615,58 @@ dummynet_frag_cleanup() pft_cleanup } +atf_test_case "dummynet_double" "cleanup" +dummynet_double_head() +{ + atf_set descr 'Ensure dummynet is not applied multiple times' + atf_set require.user root +} + +dummynet_double_body() +{ + pft_init + dummynet_init + + epair_one=$(vnet_mkepair) + epair_two=$(vnet_mkepair) + + ifconfig ${epair_one}a 192.0.2.1/24 up + + vnet_mkjail alcatraz ${epair_one}b ${epair_two}a + jexec alcatraz ifconfig ${epair_one}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_two}a 198.51.100.1/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + + vnet_mkjail singsing ${epair_two}b + jexec singsing ifconfig ${epair_two}b 198.51.100.2/24 up + jexec singsing route add default 198.51.100.1 + + route add 198.51.100.0/24 192.0.2.2 + + jexec alcatraz dnctl pipe 1 config delay 800 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "set reassemble yes" \ + "nat on ${epair_two}a from 192.0.2.0/24 -> (${epair_two}a)" \ + "pass in route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq dnpipe (1, 1)" \ + "pass out route-to (${epair_two}a 198.51.100.2) inet proto icmp all icmp-type echoreq" + + ping -c 1 198.51.100.2 + jexec alcatraz pfctl -sr -vv + jexec alcatraz pfctl -ss -vv + + # We expect to be delayed 1.6 seconds, so timeout of two seconds passes, but + # timeout of 1 does not. + atf_check -s exit:0 -o ignore ping -t 2 -c 1 198.51.100.2 + atf_check -s exit:2 -o ignore ping -t 1 -c 1 198.51.100.2 +} + +dummynet_double_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "v4" @@ -628,4 +680,5 @@ atf_init_test_cases() atf_add_test_case "ifbound_reply_to" atf_add_test_case "ifbound_reply_to_v6" atf_add_test_case "dummynet_frag" + atf_add_test_case "dummynet_double" }
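
Review bot: In the pf_pdesc_to_dnflow() hunk of sys/netpfil/pf/pf.c, the new test "if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED)" dereferences pd->pf_mtag without a NULL check, and the only other dereference visible in this patch is in pf_dummynet_route() after this function has already returned true. Please confirm that every caller reaches this point with the tag allocated, or add an assertion before the test. The early return also deserves a one-line comment saying that a false return now covers "already went through dummynet" as well, and since the test does not use the dndir value computed just above it, it could sit at the top of the function.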
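
Review bot: In the pf_dummynet_route() hunk, PF_MTAG_FLAG_DUMMYNETED is set before ip_dn_io_ptr() and nothing in the lines shown clears it, whereas PF_MTAG_FLAG_ROUTE_TO is cleared a few lines later when *m0 != NULL. The mark therefore stays on the tag for every later pf pass over the same packet, so a later rule that names a different pipe would be skipped by the new check in pf_pdesc_to_dnflow() as well. If "at most one dummynet pass per packet, regardless of pipe" is the intended semantics, say so in a comment next to the assignment. The two consecutive "|=" statements could also be one: "pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET | PF_MTAG_FLAG_DUMMYNETED;".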
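
Review bot: In the sys/netpfil/pf/pf_mtag.h hunk, PF_MTAG_FLAG_DUMMYNETED is defined without a comment and differs from the existing PF_MTAG_FLAG_DUMMYNET by two letters, which makes the pair easy to mix up when reading or grepping. A short comment on the define stating what each flag means (the existing one as used in pf_dummynet_route(), the new one as "packet has already been handed to dummynet") would help, or a more distinct name. This also takes the slot the removed "/* 0x20 unused */" comment marked as free, and the defines shown already use 0x40 and 0x80, so if the flags field is a single byte there is no spare bit left in it.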
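
Review bot: In dummynet_double_body() in tests/sys/netpfil/pf/route_to.sh, the passing case leaves only about 0.4 seconds of headroom: the comment expects a 1.6 second delay and the check is "ping -t 2 -c 1 198.51.100.2", so a loaded test machine could push a correct run past the timeout and fail it. A shorter "delay" on "dnctl pipe 1 config delay 800", or a larger gap between the expected delay and the passing timeout, would make the result less timing-sensitive while still distinguishing one dummynet pass per direction from several. The first "ping -c 1 198.51.100.2" is also not wrapped in atf_check, so a failure there is ignored; if it is only meant to create state before the timed checks, a comment saying so would make that clear, and the two "pfctl ... -vv" calls read as debugging output that could carry the same kind of comment.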