Summary: | "divert-to" rule creates packet loops on all FreeBSD 11.0 to 14.0 CURRENT versions | |
---|---|---|---
Product: | Base System | Reporter: | Alfa <burak.sn>
Component: | kern | Assignee: | Kristof Provost <kp>
Status: | Closed FIXED | |
Severity: | Affects Some People | CC: | 32carleone, bsgcd, burak.sn, emaste, igor.ostapenko, kp
Priority: | --- | |
Version: | CURRENT | |
Hardware: | Any | |
OS: | Any | |
See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260867, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274850 | |

Description
Alfa
2023-07-28 07:21:25 UTC

Could you please provide a bit more details of your use case you want to achieve? What is the idea behind your divert app, does it alter incoming packets, is forwarding involved here, etc -- anything would help.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fabf705f4b5aff2fa2dc997c2d0afd62a6927e68

commit fabf705f4b5aff2fa2dc997c2d0afd62a6927e68
Author:     Igor Ostapenko <pm@igoro.pro>
AuthorDate: 2023-10-19 10:12:15 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-10-19 10:12:15 +0000

    pf: fix pf divert-to loop

    Resolved conflict between ipfw and pf if both are used and pf wants to
    do divert(4) by having separate mtags for pf and ipfw.

    Also fix the incorrect 'rulenum' check, which caused the reported loop.

    While here add a few test cases to ensure that divert-to works as
    expected, even if ipfw is loaded.

    divert(4)

    PR:             272770
    MFC after:      3 weeks
    Reviewed by:    kp
    Differential Revision:  https://reviews.freebsd.org/D42142

 sys/netinet/ip_divert.c                 |  31 ++-
 sys/netinet/ip_var.h                    |  10 +
 sys/netpfil/pf/pf.c                     |  32 ++-
 tests/sys/netpfil/pf/Makefile           |   4 +
 tests/sys/netpfil/pf/divapp.c (new)     | 149 ++++++++++++
 tests/sys/netpfil/pf/divert-to.sh (new) | 413 ++++++++++++++++++++++++++++++++
 6 files changed, 625 insertions(+), 14 deletions(-)

Hello, I did the tests on FreeBSD 15 Current, it works. It no longer enters an infinite loop. Thanks. Will this commit be backported to FreeBSD 14 RELEASE?

(In reply to cArleone from comment #3)
It'll get merged to stable/14, but it's too late for 14.0.

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2f3f9c9d54bb274dfb5de40f4ce7ca944d4e05a5

commit 2f3f9c9d54bb274dfb5de40f4ce7ca944d4e05a5
Author:     Igor Ostapenko <pm@igoro.pro>
AuthorDate: 2023-10-19 10:12:15 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-11-09 09:55:45 +0000

    pf: fix pf divert-to loop

    Resolved conflict between ipfw and pf if both are used and pf wants to
    do divert(4) by having separate mtags for pf and ipfw.

    Also fix the incorrect 'rulenum' check, which caused the reported loop.

    While here add a few test cases to ensure that divert-to works as
    expected, even if ipfw is loaded.

    divert(4)

    PR:             272770
    MFC after:      3 weeks
    Reviewed by:    kp
    Differential Revision:  https://reviews.freebsd.org/D42142

    (cherry picked from commit fabf705f4b5aff2fa2dc997c2d0afd62a6927e68)

 sys/netinet/ip_divert.c                 |  31 ++-
 sys/netinet/ip_var.h                    |  10 +
 sys/netpfil/pf/pf.c                     |  32 ++-
 tests/sys/netpfil/pf/Makefile           |   4 +
 tests/sys/netpfil/pf/divapp.c (new)     | 149 ++++++++++++
 tests/sys/netpfil/pf/divert-to.sh (new) | 413 ++++++++++++++++++++++++++++++++
 6 files changed, 625 insertions(+), 14 deletions(-)