Bug 176268

Summary: [pf] [patch] synproxy not working with route-to
Product: Base System Reporter: Kajetan Staszkiewicz <kajetan.staszkiewicz>
Component: kernAssignee: freebsd-pf (Nobody) <pf>
Status: Open ---    
Severity: Affects Only Me CC: vegeta
Priority: Normal Keywords: patch
Version: 9.1-PRERELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff
none
Fix synproxy operation for route-to targets for IPv4 and IPv6 none

Description Kajetan Staszkiewicz 2013-02-19 16:00:00 UTC 
When using FreeBSD as a loadbalancer with route-to pf rules redirecting traffic to machines behind the loadbalancer and public addresses assigned on carp interface and it is impossible to use synproxy.

As far as I understand the code, proxied packets to the target server are sent using normal routing table lookup which ends up with sending them on lo0 or carp (the public one, as it has the public address configured) interface.

Fix: A known workaround is to provide a second pf rule on lo or carp interface to do synproxy and loadbalancing again. But this solution requires a double (or tripple, when including carp interface) amount of pf rules.

The attached patch modifies the following things:
- Adds an additional route* route_to_ro parameter to pf_send_tcp which is then passed to ip_output.
- Inside pf_test_state_tcp if a synproxy-related packet is about to be sent behind the loadbalancer, create a route structure and fill it with loadbalancing information stored in the state.

The patch has a status of "works for me" and was not yet tested on heavy traffic.


Patch attached with submission follows:
How-To-Repeat: Use synproxy with route-to, outgoing packetes appear on lo0 or carp interfaces instead of the one provided in route-to pf rule.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2013-02-19 21:46:58 UTC 
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 Kajetan Staszkiewicz 2014-08-01 20:19:44 UTC 
Created attachment 145230 [details]
Fix synproxy operation for route-to targets for IPv4 and IPv6

The patch introduces the following changes:

- New functions pf_rebuild_route and pf_rebuild_route6 create a minimal route struct which can be passed to ip_output or ip6_output if state already contains loadbalancing information.

- Allocate pfse with M_ZERO to have zeroed pfse's route structs.

- Check m for M_SKIP_FIREWALL in pf_test6(), this fixes bug 127920.

- Introduce new route flag RT_PFROUTE, check for this flag before touching routes' counters as routes in pfse are not really allocated as routes should be.
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-28 19:41:55 UTC 
batch change:

For bugs that match the following
-  Status Is In progress 
AND
- Untouched since 2018-01-01.
AND
- Affects Base System OR Documentation

DO:

Reset to open status.


Note:
I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
Comment 4 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:38:00 UTC 
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>