Summary: | Packets are disappearing when both PF "divert-to" and "Dnpipe" rules are activated simultaneously | ||
---|---|---|---|
Product: | Base System | Reporter: | Alfa <burak.sn> |
Component: | kern | Assignee: | Kristof Provost <kp> |
Status: | Closed FIXED | ||
Severity: | Affects Only Me | CC: | emaste, igor.ostapenko |
Priority: | --- | Flags: | kp: mfc-stable13- |
Version: | 14.0-RELEASE | ||
Hardware: | amd64 | ||
OS: | Any | ||
See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272770 |
Description
Alfa
2023-11-01 14:07:24 UTC
(In reply to Alfa from comment #0)
Could you please provide a bit more details like what happens with diverted packets and what dummynet configuration is used for the pipes? If it's not behind some NDA.

It’s on the early stage of the patch review, but probably you want to give it a try: https://reviews.freebsd.org/D42609?download=true. It could be helpful to know results of testing in the fields.

(In reply to Igor Ostapenko from comment #2)
Hi,
It worked. Thanks for your work.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fe3bb40b9e807d4010617de1ef040ba3aa623487

commit fe3bb40b9e807d4010617de1ef040ba3aa623487
Author: Igor Ostapenko <pm@igoro.pro>
AuthorDate: 2023-11-17 16:04:01 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-11-17 16:06:16 +0000

pf: fix dummynet + ipdivert use case

Dummynet re-injects an mbuf with MTAG_IPFW_RULE added, and the same mtag is used by divert(4) as parameters for packet diversion. If according to pf rule set a packet should go through dummynet first and through ipdivert after then mentioned mtag must be removed after dummynet not to make ipdivert think that this is its input parameters. At the very beginning ipfw consumes this mtag what means the same behavior with tag clearing after dummynet. And after fabf705f4b5a pf passes parameters to ipdivert using its personal MTAG_PF_DIVERT mtag.

PR: 274850
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D42609

sys/netpfil/pf/pf.c | 27 +++++++--
tests/sys/netpfil/pf/divert-to.sh | 118 +++++++++++++++++++++++++++++++++++++-
2 files changed, 139 insertions(+), 6 deletions(-)

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f831517d862dac2df3110c569b44e8417c3f0afa

commit f831517d862dac2df3110c569b44e8417c3f0afa
Author: Igor Ostapenko <pm@igoro.pro>
AuthorDate: 2023-11-17 16:04:01 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-11-20 10:30:19 +0000

pf: fix dummynet + ipdivert use case

Dummynet re-injects an mbuf with MTAG_IPFW_RULE added, and the same mtag is used by divert(4) as parameters for packet diversion. If according to pf rule set a packet should go through dummynet first and through ipdivert after then mentioned mtag must be removed after dummynet not to make ipdivert think that this is its input parameters. At the very beginning ipfw consumes this mtag what means the same behavior with tag clearing after dummynet. And after fabf705f4b5a pf passes parameters to ipdivert using its personal MTAG_PF_DIVERT mtag.

PR: 274850
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D42609

(cherry picked from commit fe3bb40b9e807d4010617de1ef040ba3aa623487)

sys/netpfil/pf/pf.c | 27 +++++++--
tests/sys/netpfil/pf/divert-to.sh | 118 +++++++++++++++++++++++++++++++++++++-
2 files changed, 139 insertions(+), 6 deletions(-)

^Triage: assign to committer for evaluation of mfc-stable13.

There's no dummynet on pf in 13, so this will not be MFC'd there.
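
The tag clash described in the commit message above, as an added user-space illustration (not code from the commit or from the FreeBSD kernel). Only the two tag names come from this page; the structs, helper names, the lookup order in `divert_port` and the port values are assumptions made for the model.

```c
/* User-space model only: the tag names come from the commit message;
 * the structs, helpers, lookup order and port values are assumptions. */
#include <stdio.h>
#include <stdlib.h>

enum tag_id { MTAG_IPFW_RULE, MTAG_PF_DIVERT };
struct tag { enum tag_id id; int port; struct tag *next; };
struct pkt { struct tag *tags; };            /* stands in for an mbuf */

static void tag_add(struct pkt *p, enum tag_id id, int port) {
    struct tag *t = malloc(sizeof(*t));
    if (t == NULL) abort();
    t->id = id; t->port = port; t->next = p->tags; p->tags = t;
}
static struct tag *tag_find(struct pkt *p, enum tag_id id) {
    for (struct tag *t = p->tags; t != NULL; t = t->next)
        if (t->id == id) return t;
    return NULL;
}
static void tag_del(struct pkt *p, enum tag_id id) {
    for (struct tag **pp = &p->tags; *pp != NULL; pp = &(*pp)->next)
        if ((*pp)->id == id) { struct tag *d = *pp; *pp = d->next; free(d); return; }
}
/* dummynet hands the packet back with MTAG_IPFW_RULE attached; it is not
 * a divert request, so it carries no divert port (modelled as 0). */
static void dummynet_reinject(struct pkt *p) { tag_add(p, MTAG_IPFW_RULE, 0); }

/* divert side: an MTAG_IPFW_RULE tag, if present, is read as the
 * diversion parameters (assumed order); otherwise pf's own tag is used. */
static int divert_port(struct pkt *p) {
    struct tag *t = tag_find(p, MTAG_IPFW_RULE);
    if (t == NULL) t = tag_find(p, MTAG_PF_DIVERT);
    return t != NULL ? t->port : -1;
}
/* pf rule with both dnpipe and divert-to: returns the port divert sees. */
static int pf_dnpipe_then_divert(int divert_to_port, int clear_after_dummynet) {
    struct pkt p = { NULL };
    dummynet_reinject(&p);
    if (clear_after_dummynet) tag_del(&p, MTAG_IPFW_RULE);   /* the fix */
    tag_add(&p, MTAG_PF_DIVERT, divert_to_port);
    int port = divert_port(&p);
    while (p.tags != NULL) tag_del(&p, p.tags->id);          /* free all */
    return port;
}
int main(void) {
    printf("stale tag kept:    divert sees port %d\n", pf_dnpipe_then_divert(2000, 0));
    printf("stale tag removed: divert sees port %d\n", pf_dnpipe_then_divert(2000, 1));
    return 0;
}
```

In the model, the leftover dummynet tag shadows pf's MTAG_PF_DIVERT parameters until it is cleared, which is the condition the commit message says must be avoided.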