The branch main has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9569fddd8d0e48211e67fdc63dd72eba83883525

commit 9569fddd8d0e48211e67fdc63dd72eba83883525
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2024-09-10 14:34:45 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2024-09-10 14:59:13 +0000

    pf: Let pf_state_insert() handle redirect state conflicts
    
    When handling a redirect state conflict, pf_get_translation() tries
    modifying the source port to avoid it.  If it fails to find a free port,
    the translation is aborted.
    
    Instead, if we fail to find a free source port, simply press on with the
    original source port and let pf_state_insert() handle the conflict as it
    pleases, rather than second-guessing what it will do.  In particular,
    pf_state_insert() has special handling for TCP connections in a terminal
    state, and might succeed despite a state conflict.
    
    Reviewed by:    kp
    MFC after:      3 months
    Sponsored by:   Klara, Inc.
    Sponsored by:   Modirum
    Differential Revision:  https://reviews.freebsd.org/D46612
---
 sys/netpfil/pf/pf_lb.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index dbd85d530bb7..6541a42aa236 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -442,7 +442,7 @@ pf_map_addr(sa_family_t af, struct pf_krule *r, struct 
pf_addr *saddr,
     struct pf_addr *naddr, struct pfi_kkif **nkif, struct pf_addr *init_addr,
     struct pf_ksrc_node **sn)
 {
-       u_short                  reason = 0;
+       u_short                  reason = PFRES_MATCH;
        struct pf_kpool         *rpool = &r->rpool;
        struct pf_addr          *raddr = NULL, *rmask = NULL;
        struct pf_srchash       *sh = NULL;
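Review bot: the change to pf_map_addr()'s initial `reason` value (from the literal `0` to `PFRES_MATCH`) is not mentioned in the commit message, which only discusses pf_get_translation(); a short note that this is a readability change with no behavioural effect (or, if the value differs, why callers that read `reason` on the non-error path now see `PFRES_MATCH`) would help reviewers who later bisect through this commit.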
@@ -908,10 +908,15 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, 
int off,
                        }
                }
 
+               /*
+                * We failed to find a match.  Push on ahead anyway, let
+                * pf_state_insert() be the arbiter of whether the state
+                * conflict is tolerable.  In particular, with TCP connections
+                * the state may be reused if the TCP state is terminal.
+                */
                DPFPRINTF(PF_DEBUG_MISC,
                    ("pf: RDR source port allocation failed\n"));
-               reason = PFRES_MAPFAILED;
-               goto notrans;
+               break;
 
 out:
                DPFPRINTF(PF_DEBUG_MISC,
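Review bot: the new comment says "We failed to find a match" while the DPFPRINTF immediately below still reports "RDR source port allocation failed"; since the code now continues with the original source port instead of aborting, both the comment and the debug message should say that explicitly (e.g. "free source port not found, continuing with original port; pf_state_insert() decides"), otherwise anyone reading pf debug output will assume the translation was dropped. The `goto notrans` with `reason = PFRES_MAPFAILED` is replaced by a bare `break`, so `reason` now keeps whatever value it held before this point on this path; a one-line comment confirming that is the intended value seen at `out:` would make the control flow clearer, as the enclosing loop/switch that `break` leaves is outside the visible context.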
