diff options
author | Kristof Provost <kp@FreeBSD.org> | 2024-10-25 15:01:13 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2024-12-17 10:07:13 +0000 |
commit | ebe11b46988eb27d287272b8c827eb80ebd900ba (patch) | |
tree | 602b276766db7a89728110f19407d0ddf4bea362 | |
parent | fcdb520c1b4e1a5d5a2e54cb916dccbc848d32ba (diff) |
pf: fix state export in the face of NAT64
Now that we can NAT64 we can have states where the wire and stack address
families (and protocol) are different. Update the state export code to account
for this.
We keep exporting address family and protocol outside of the key, for backwards
compatibility. This'll return misleading information to userspace in the NAT64
case, but it's assumed that userspace will either understand NAT64 (and thus
look for them in the correct place), or not configure it.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47787
-rw-r--r-- | lib/libpfctl/libpfctl.c | 9 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_nl.c | 2 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_nl.h | 2 |
3 files changed, 7 insertions, 6 deletions
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 21d0b24601a4..9fec8e77de26 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -1866,12 +1866,14 @@ static const struct snl_attr_parser nla_p_speer[] = { SNL_DECLARE_ATTR_PARSER(speer_parser, nla_p_speer); #undef _OUT -#define _OUT(_field) offsetof(struct pf_state_key_export, _field) +#define _OUT(_field) offsetof(struct pfctl_state_key, _field) static const struct snl_attr_parser nla_p_skey[] = { { .type = PF_STK_ADDR0, .off = _OUT(addr[0]), .cb = snl_attr_get_pfaddr }, { .type = PF_STK_ADDR1, .off = _OUT(addr[1]), .cb = snl_attr_get_pfaddr }, { .type = PF_STK_PORT0, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 }, { .type = PF_STK_PORT1, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 }, + { .type = PF_STK_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 }, + { .type = PF_STK_PROTO, .off = _OUT(proto), .cb = snl_attr_get_uint16 }, }; SNL_DECLARE_ATTR_PARSER(skey_parser, nla_p_skey); #undef _OUT @@ -1897,8 +1899,6 @@ static struct snl_attr_parser ap_state[] = { { .type = PF_ST_PACKETS1, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 }, { .type = PF_ST_BYTES0, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 }, { .type = PF_ST_BYTES1, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 }, - { .type = PF_ST_AF, .off = _OUT(key[0].af), .cb = snl_attr_get_uint8 }, - { .type = PF_ST_PROTO, .off = _OUT(key[0].proto), .cb = snl_attr_get_uint8 }, { .type = PF_ST_DIRECTION, .off = _OUT(direction), .cb = snl_attr_get_uint8 }, { .type = PF_ST_LOG, .off = _OUT(log), .cb = snl_attr_get_uint8 }, { .type = PF_ST_STATE_FLAGS, .off = _OUT(state_flags), .cb = snl_attr_get_uint16 }, @@ -1959,9 +1959,6 @@ pfctl_get_states_nl(struct pfctl_state_filter *filter, struct snl_state *ss, pfc if (!snl_parse_nlmsg(ss, hdr, &state_parser, &s)) continue; - s.key[1].af = s.key[0].af; - s.key[1].proto = s.key[0].proto; - ret = f(&s, arg); if (ret != 0) return (ret); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c index d2a050140dbc..3af27e11d27f 100644 --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -133,6 +133,8 @@ dump_state_key(struct nl_writer *nw, int attr, const struct pf_state_key *key) dump_addr(nw, PF_STK_ADDR1, &key->addr[1], key->af); nlattr_add_u16(nw, PF_STK_PORT0, key->port[0]); nlattr_add_u16(nw, PF_STK_PORT1, key->port[1]); + nlattr_add_u8(nw, PF_STK_AF, key->af); + nlattr_add_u16(nw, PF_STK_PROTO, key->proto); nlattr_set_len(nw, off); diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h index 096b9913d4a6..3af931978860 100644 --- a/sys/netpfil/pf/pf_nl.h +++ b/sys/netpfil/pf/pf_nl.h @@ -71,6 +71,8 @@ enum pfstate_key_type_t { PF_STK_ADDR1 = 2, /* ip */ PF_STK_PORT0 = 3, /* u16 */ PF_STK_PORT1 = 4, /* u16 */ + PF_STK_AF = 5, /* u8 */ + PF_STK_PROTO = 6, /* u16 */ }; enum pfstate_peer_type_t { |