Summary: | Local-origin connections matching 'pass out' rules with 'route-to' fail
---|---
Product: | Base System
Component: | kern
Status: | Closed FIXED
Severity: | Affects Some People
Priority: | ---
Version: | 12.2-STABLE
Hardware: | Any
OS: | Any
Reporter: | Mark C <fbsd>
Assignee: | freebsd-pf (Nobody) <pf>
CC: | kp
Description
Mark C
2021-07-11 10:28:01 UTC
^Triage: assign. While here, note that we are phasing out [tags] in Summaries.

Created attachment 226431
Extended version of the route_to.sh test script, including multiwanlocal test

Adding an updated version of the original route_to.sh test script to illustrate the issue. The new multiwanlocal test passes in r369642, and fails from 369646 on.

That test case was *extremely* useful.

I've got a fix ready for review here: https://reviews.freebsd.org/D31177
It should just apply to stable/12 as well.

I've lightly edited your test case here: https://reviews.freebsd.org/D31178

Great. Thank you for the quick turnaround. I learned more than I have in 20 years of FreeBSD use regarding jails while writing that test.

I've tested the patch with r369646 and it works. I'm busy building the HEAD of 12-STABLE (with the patch applied) currently, and should be ready to test in the morning.

Thanks for the assistance Kristof.

I've tested this patch with the HEAD of 12, and it works. If you need anything further from me on this to get it committed, let me know.

Mark

(In reply to Mark C from comment #5)
I don't think so. I'm going to give this a little bit more time for review and then commit in a day or two.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2c0d115bbc8f8ee3f011a5c4a69bcbf58c4b721f

commit 2c0d115bbc8f8ee3f011a5c4a69bcbf58c4b721f
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-07-14 10:17:03 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-07-17 12:28:07 +0000

    pf: locally originating connections with 'route-to' fail

    Similar to the REPLY_TO shortcut (6d786845cf) we also can't shortcut
    ROUTE_TO. If we do we will fail to apply transformations or update the
    state, which can lead to premature termination of the connections.

    PR: 257106
    MFC after: 3 weeks
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D31177

 sys/netpfil/pf/pf.c | 6 ------
 1 file changed, 6 deletions(-)

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f808bb9b7e5ee2243e5a2aaad2275a78cdbe981b

commit f808bb9b7e5ee2243e5a2aaad2275a78cdbe981b
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-07-14 10:33:37 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-07-17 12:28:08 +0000

    pf tests: test locally originated connections with route-to

    PR: 257106
    Submitted by: Mark Cammidge <mark@peralex.com>
    MFC after: 3 weeks
    Differential Revision: https://reviews.freebsd.org/D31178

 tests/sys/netpfil/pf/route_to.sh | 70 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e650ef36ba9ef7ec994d3e7048a56fea761f9c7e

commit e650ef36ba9ef7ec994d3e7048a56fea761f9c7e
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-07-14 10:17:03 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-08-07 07:08:09 +0000

    pf: locally originating connections with 'route-to' fail

    Similar to the REPLY_TO shortcut (6d786845cf) we also can't shortcut
    ROUTE_TO. If we do we will fail to apply transformations or update the
    state, which can lead to premature termination of the connections.

    PR: 257106
    MFC after: 3 weeks
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D31177

    (cherry picked from commit 2c0d115bbc8f8ee3f011a5c4a69bcbf58c4b721f)

 sys/netpfil/pf/pf.c | 6 ------
 1 file changed, 6 deletions(-)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3bedd8a3b6d7816341cf6eebc3f91633a175320d

commit 3bedd8a3b6d7816341cf6eebc3f91633a175320d
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-07-14 10:33:37 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-08-07 07:08:19 +0000

    pf tests: test locally originated connections with route-to

    PR: 257106
    Submitted by: Mark Cammidge <mark@peralex.com>
    MFC after: 3 weeks
    Differential Revision: https://reviews.freebsd.org/D31178

    (cherry picked from commit f808bb9b7e5ee2243e5a2aaad2275a78cdbe981b)

 tests/sys/netpfil/pf/route_to.sh | 70 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=bd28b2d73223b898169986eb5f04ee6045929612

commit bd28b2d73223b898169986eb5f04ee6045929612
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-07-14 10:33:37 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-08-07 07:11:28 +0000

    pf tests: test locally originated connections with route-to

    PR: 257106
    Submitted by: Mark Cammidge <mark@peralex.com>
    MFC after: 3 weeks
    Differential Revision: https://reviews.freebsd.org/D31178

    (cherry picked from commit f808bb9b7e5ee2243e5a2aaad2275a78cdbe981b)

 tests/sys/netpfil/pf/route_to.sh | 70 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=44c47bc6d61ea295c6bb955a40f32c93a589f3ea

commit 44c47bc6d61ea295c6bb955a40f32c93a589f3ea
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-07-14 10:17:03 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-08-07 07:09:35 +0000

    pf: locally originating connections with 'route-to' fail

    Similar to the REPLY_TO shortcut (6d786845cf) we also can't shortcut
    ROUTE_TO. If we do we will fail to apply transformations or update the
    state, which can lead to premature termination of the connections.

    PR: 257106
    MFC after: 3 weeks
    Sponsored by: Rubicon Communications, LLC ("Netgate")
    Differential Revision: https://reviews.freebsd.org/D31177

    (cherry picked from commit 2c0d115bbc8f8ee3f011a5c4a69bcbf58c4b721f)

 sys/netpfil/pf/pf.c | 6 ------
 1 file changed, 6 deletions(-)