Created attachment 243661 [details] divert-to test code Hi, "divert-to" rule creates packet loops on all FreeBSD 11.0 to 14.0 CURRENT versions, bug 260867 and forum topic talking about the same problem https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260867 https://forums.freebsd.org/threads/pf-divert-to-loop-problem.81508 i have reproduced the scenario on FreeBSD 11.0 to 14.0 CURRENT versions with PF Divert rules given below and my code shown in the attachment LAN =igb1 pass in quick on igb1 proto udp from any to port { 53 } divert-to 127.0.0.1 port 3355 # I have found that rule -> (pass out quick on igb1 inet proto udp from any to port 53 flags S/SA keep state divert-reply) from google but i got this error: /etc/pf.conf:83: divert-reply has no meaning in FreeBSD pf(4) pfctl: Syntax error in config file: pf rules not loaded FreeBSD 14.0-CURRENT pf.conf(5) man page divert-to <host> port <port> Used to redirect packets to a local socket bound to host and port. The packets will not be modified, so getsockname(2) on the socket will return the original destination address of the packet. divert-reply Used to receive replies for sockets that are bound to addresses which are not local to the machine. See setsockopt(2) for informa- tion on how to bind these sockets. There is same problem with all versions.It seems to me no work has been done to fix pf divert. Because of that i am currently using both IPFW and PF at the same time, i use IPFW for DIVERT but i am trying to move on FreeBSD 14.0 to work with only PF . But DIVERT is not working on either FreeBSD 14.0-CURRENT pf. So i couldn't give up IPFW's DIVERT. I have atteched a code above the attachment and i have tried all available codes on the internet. I am looking forward to your helps Thanks.
Could you please provide a bit more details of your use case you want to achieve? What is the idea behind your divert app, does it alter incoming packets, is forwarding involved here, etc -- anything would help.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=fabf705f4b5aff2fa2dc997c2d0afd62a6927e68 commit fabf705f4b5aff2fa2dc997c2d0afd62a6927e68 Author: Igor Ostapenko <pm@igoro.pro> AuthorDate: 2023-10-19 10:12:15 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-10-19 10:12:15 +0000 pf: fix pf divert-to loop Resolved conflict between ipfw and pf if both are used and pf wants to do divert(4) by having separate mtags for pf and ipfw. Also fix the incorrect 'rulenum' check, which caused the reported loop. While here add a few test cases to ensure that divert-to works as expected, even if ipfw is loaded. divert(4) PR: 272770 MFC after: 3 weeks Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D42142 sys/netinet/ip_divert.c | 31 ++- sys/netinet/ip_var.h | 10 + sys/netpfil/pf/pf.c | 32 ++- tests/sys/netpfil/pf/Makefile | 4 + tests/sys/netpfil/pf/divapp.c (new) | 149 ++++++++++++ tests/sys/netpfil/pf/divert-to.sh (new) | 413 ++++++++++++++++++++++++++++++++ 6 files changed, 625 insertions(+), 14 deletions(-)
Hello, I did the tests on Freebsd 15 Current, it works. It no longer enters an infinite loop. Thanks. Will this commit be backported to Freebsd 14 RELEASE?
(In reply to cArleone from comment #3) It'll get merged to stable/14, but it's too late for 14.0.
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=2f3f9c9d54bb274dfb5de40f4ce7ca944d4e05a5 commit 2f3f9c9d54bb274dfb5de40f4ce7ca944d4e05a5 Author: Igor Ostapenko <pm@igoro.pro> AuthorDate: 2023-10-19 10:12:15 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-11-09 09:55:45 +0000 pf: fix pf divert-to loop Resolved conflict between ipfw and pf if both are used and pf wants to do divert(4) by having separate mtags for pf and ipfw. Also fix the incorrect 'rulenum' check, which caused the reported loop. While here add a few test cases to ensure that divert-to works as expected, even if ipfw is loaded. divert(4) PR: 272770 MFC after: 3 weeks Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D42142 (cherry picked from commit fabf705f4b5aff2fa2dc997c2d0afd62a6927e68) sys/netinet/ip_divert.c | 31 ++- sys/netinet/ip_var.h | 10 + sys/netpfil/pf/pf.c | 32 ++- tests/sys/netpfil/pf/Makefile | 4 + tests/sys/netpfil/pf/divapp.c (new) | 149 ++++++++++++ tests/sys/netpfil/pf/divert-to.sh (new) | 413 ++++++++++++++++++++++++++++++++ 6 files changed, 625 insertions(+), 14 deletions(-)