[Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 16 Jul 2023 10:44:42 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #35 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=b22299c457b21d77fc5770b9f1a9043487b25ed9

commit b22299c457b21d77fc5770b9f1a9043487b25ed9
Author:     Doug Rabson <dfr@FreeBSD.org>
AuthorDate: 2023-05-24 13:11:37 +0000
Commit:     Doug Rabson <dfr@FreeBSD.org>
CommitDate: 2023-07-14 10:07:58 +0000

    netinet*: Fix redirects for connections from localhost

    Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter
    rules to change the destination address and port for a connection.
    Typically, the rule triggers on an input event when a packet is received
    by a router and the destination address and/or port is changed to
    implement the redirect. When a reply packet on this connection is output
    to the network, the rule triggers again, reversing the modification.

    When the connection is initiated on the same host as the packet filter,
    it is initially output via lo0 which queues it for input processing.
    This causes an input event on the lo0 interface, allowing redirect
    processing to rewrite the destination and create state for the
    connection. However, when the reply is received, no corresponding output
    event is generated; instead, the packet is delivered to the higher level
    protocol (e.g. tcp or udp) without reversing the redirect, the reply is
    not matched to the connection and the packet is dropped (for tcp, a
    connection reset is also sent).

    This commit fixes the problem by adding a second packet filter call in
    the input path. The second call happens right before the handoff to
    higher level processing and provides the missing output event to allow
    the redirect's reply processing to perform its rewrite. This extra
    processing is disabled by default and can be enabled using pfilctl:

            pfilctl link -o pf:default-out inet-local
            pfilctl link -o pf:default-out6 inet6-local

    PR:             268717
    Reviewed-by:    kp, melifaro
    MFC-after:      2 weeks
    Differential Revision: https://reviews.freebsd.org/D40256

    (cherry picked from commit 5ab151574c8a1824c6cd8eded28506cb983284bc)

 sys/netinet/ip_input.c                  | 22 ++++++++-
 sys/netinet/ip_var.h                    |  4 ++
 sys/netinet6/ip6_input.c                | 19 ++++++++
 sys/netinet6/ip6_var.h                  |  4 ++
 tests/sys/netpfil/common/Makefile       |  1 +
 tests/sys/netpfil/{pf => common}/rdr.sh | 84 +++++++++++++++++++++++++++++----
 tests/sys/netpfil/common/utils.subr     |  4 ++
 tests/sys/netpfil/pf/Makefile           |  1 -
 8 files changed, 127 insertions(+), 12 deletions(-)

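As an added illustration, not code from the commit or the bug report, the following Python model walks through the event sequence the commit message describes: rdr state is created on the input event, only an output event reverses the rewrite, and the extra pre-handoff output event supplies the reversal for a reply that enters through the input path. The `RedirectFilter` class, the addresses and the port numbers are constructed for this model and simplify pf's real state handling.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple  # (address, port)
    dst: tuple


class RedirectFilter:
    """Minimal rdr model (constructed): 'in' events rewrite the destination
    and create state; only 'out' events reverse the rewrite for replies."""

    def __init__(self, match_dst, new_dst):
        self.match_dst = match_dst
        self.new_dst = new_dst
        self.states = {}  # (client, rewritten_dst) -> original_dst

    def pfil_in(self, pkt):
        if pkt.dst == self.match_dst:
            self.states[(pkt.src, self.new_dst)] = pkt.dst
            return Packet(pkt.src, self.new_dst)
        return pkt

    def pfil_out(self, pkt):
        # A reply carries src == rewritten_dst and dst == client.
        original = self.states.get((pkt.dst, pkt.src))
        if original is not None:
            return Packet(original, pkt.dst)
        return pkt


def localhost_redirect(inet_local_hook):
    """Connection from this host to its own address 192.0.2.1:80 (constructed),
    redirected to a backend. Returns True if tcp would accept the reply."""
    fw = RedirectFilter(match_dst=("192.0.2.1", 80), new_dst=("192.168.1.2", 80))
    client = ("192.0.2.1", 40000)
    syn = Packet(client, ("192.0.2.1", 80))
    syn = fw.pfil_out(syn)          # lo0 output: no state yet, unchanged
    syn = fw.pfil_in(syn)           # lo0 input: rdr rewrites dst, creates state
    syn = fw.pfil_out(syn)          # external output: forward direction, unchanged
    # The backend replies; the reply enters via the external interface's input path.
    reply = Packet(syn.dst, syn.src)
    reply = fw.pfil_in(reply)       # input event: no rdr match, no reversal
    if inet_local_hook:
        reply = fw.pfil_out(reply)  # the added output event before protocol handoff
    # tcp only matches a reply whose source is the address the socket connected to.
    return reply.src == ("192.0.2.1", 80)
```

Without the extra hook the reply reaches tcp with the backend's address as its source and is dropped; with it, the redirect is reversed first.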