git: 2212dbd78884 - main - pf: Don't run copies of packets made by dup-to through pf_test.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 15 Jul 2025 10:07:58 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=2212dbd78884e36f4d9f15e0e6b65fdd09d37679
commit 2212dbd78884e36f4d9f15e0e6b65fdd09d37679
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-07-08 15:09:30 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-07-15 07:55:30 +0000
pf: Don't run copies of packets made by dup-to through pf_test.
dup-to is kind of like what you do with a span port, but is a bit
more fine grained. it copies packets in a connection out an interface
so that connection can be monitored. it doesnt make sense for pf
to see the copied packets and try to match or create new states for
them either. at best it needs config to stop pf seeing the copies
(eg, set skip on $dup_to_tgt_if). at worst it breaks the connections
you're monitoring because the states in pf get confused.
found while discussing larger route-to changes on tech@.
ok bluhm@ sashan@
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, 670ae1ca2f
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index ac05cad7d4c8..63d513fb1956 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9068,6 +9068,9 @@ pf_route(struct pf_krule *r, struct ifnet *oifp,
goto bad;
}
+ if (r->rt == PF_DUPTO)
+ skip_test = true;
+
if (pd->dir == PF_IN && !skip_test) {
if (pf_test(AF_INET, PF_OUT, PFIL_FWD, ifp, &m0, inp,
&pd->act) != PF_PASS) {
@@ -9370,6 +9373,9 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp,
goto bad;
}
+ if (r->rt == PF_DUPTO)
+ skip_test = true;
+
if (pd->dir == PF_IN && !skip_test) {
if (pf_test(AF_INET6, PF_OUT, PFIL_FWD | PF_PFIL_NOREFRAGMENT,
ifp, &m0, inp, &pd->act) != PF_PASS) {