The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=81ef217ad428c29be669aac2166d194db31817a7

commit 81ef217ad428c29be669aac2166d194db31817a7
Author:     Kristof Provost <[email protected]>
AuthorDate: 2022-06-04 10:38:40 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2022-06-04 12:23:17 +0000

    pf: Improve route-to handling of pfsync'd states
    
    When a state is pfsync’d to a different host it doesn’t get all of the
    expected pointers, including the struct pfi_kif / struct ifnet rt_kif
    pointer (i.e. the interface to route out on).
    
    That in turn means that pf_route() ends up dropping the packet.
    
    Use the rule's struct pfi_kif pointer so we can still route out of the
    expected interface.
    
    MFC after:      2 weeks
    Sponsored by:   Orange Business Services
---
 sys/netpfil/pf/pf.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 56dab43a2810..8e3cd98879a6 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6344,6 +6344,10 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                                    r->rpool.cur->kif->pfik_ifp : NULL;
                        } else {
                                ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
+                               /* If pfsync'd */
+                               if (ifp == NULL)
+                                       ifp = r->rpool.cur->kif ?
+                                           r->rpool.cur->kif->pfik_ifp : NULL;
                                PF_STATE_UNLOCK(s);
                        }
                        if (ifp == oifp) {
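Review bot: The `/* If pfsync'd */` comment on the added fallback is narrower than the test it labels: `if (ifp == NULL)` is also true when `s->rt_kif` is set but its `pfik_ifp` is NULL, so that case is now routed through the rule too. The fallback reads `r->rpool.cur`, which is presumably the pool's current entry rather than the one picked when the state was created, so with a multi-entry route-to pool the egress interface may differ from the originating host's choice; this is worth confirming and stating. A comment such as `/* No usable rt_kif (e.g. state imported via pfsync): fall back to the rule's current pool kif. */` would describe what the code does, and the same applies to the other three added fallbacks in pf_route() and pf_route6(). The body of pf_route() continues outside this hunk.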
@@ -6400,6 +6404,9 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
                PF_STATE_UNLOCK(s);
        }
+       /* If pfsync'd */
+       if (ifp == NULL)
+               ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
        if (ifp == NULL)
                goto bad;
 
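Review bot: Nothing records that the fallback at `if (ifp == NULL) ifp = r->rpool.cur->kif ? ...` was taken, although it turns what was a drop (`goto bad`) into a forward on an interface taken from the rule. On a firewall that change of outcome should be observable. A debug-level message inside the new `if`, for example `DPFPRINTF(PF_DEBUG_MISC, ("%s: state has no rt_kif, using rule kif\n", __func__));`, or a counter, would let an operator see how often synced states are routed by rule. The matching fallback before `goto bad` in pf_route6() has the same gap. The enclosing if/else starts outside this hunk, so whether the stateless path can also reach this fallback is not visible here.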
@@ -6539,6 +6546,10 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
                                    r->rpool.cur->kif->pfik_ifp : NULL;
                        } else {
                                ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
+                               /* If pfsync'd */
+                               if (ifp == NULL)
+                                       ifp = r->rpool.cur->kif ?
+                                           r->rpool.cur->kif->pfik_ifp : NULL;
                                PF_STATE_UNLOCK(s);
                        }
                        if (ifp == oifp) {
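Review bot: The expression `r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL` is now added four times across pf_route() and pf_route6(), next to what look like existing copies in the context lines, so a later fix could easily miss one. A small static helper taking the rule (the name is only a suggestion, e.g. `pf_rule_rt_ifp(r)`) with the body `return (r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL);` would reduce each site to `ifp = pf_rule_rt_ifp(r);`. It would also give one place to add a check of `r->rpool.cur` itself, which none of the copies test before dereferencing; whether it can be NULL on this path is not visible in the diff. The body of pf_route6() continues outside this hunk.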
@@ -6598,6 +6609,9 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
        if (s)
                PF_STATE_UNLOCK(s);
 
+       /* If pfsync'd */
+       if (ifp == NULL)
+               ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL;
        if (ifp == NULL)
                goto bad;
 
