authorKristof Provost <kp@FreeBSD.org>2024-10-25 15:01:13 +0000
committerKristof Provost <kp@FreeBSD.org>2024-12-17 10:07:13 +0000
commitebe11b46988eb27d287272b8c827eb80ebd900ba (patch)
tree602b276766db7a89728110f19407d0ddf4bea362
parentfcdb520c1b4e1a5d5a2e54cb916dccbc848d32ba (diff)
pf: fix state export in the face of NAT64
Now that we can NAT64 we can have states where the wire and stack address families (and protocol) are different. Update the state export code to account for this. We keep exporting address family and protocol outside of the key, for backwards compatibility. This'll return misleading information to userspace in the NAT64 case, but it's assumed that userspace will either understand NAT64 (and thus look for them in the correct place), or not configure it. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D47787
-rw-r--r--lib/libpfctl/libpfctl.c9
-rw-r--r--sys/netpfil/pf/pf_nl.c2
-rw-r--r--sys/netpfil/pf/pf_nl.h2
3 files changed, 7 insertions, 6 deletions
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 21d0b24601a4..9fec8e77de26 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -1866,12 +1866,14 @@ static const struct snl_attr_parser nla_p_speer[] = {
SNL_DECLARE_ATTR_PARSER(speer_parser, nla_p_speer);
#undef _OUT
-#define _OUT(_field) offsetof(struct pf_state_key_export, _field)
+#define _OUT(_field) offsetof(struct pfctl_state_key, _field)
static const struct snl_attr_parser nla_p_skey[] = {
{ .type = PF_STK_ADDR0, .off = _OUT(addr[0]), .cb = snl_attr_get_pfaddr },
{ .type = PF_STK_ADDR1, .off = _OUT(addr[1]), .cb = snl_attr_get_pfaddr },
{ .type = PF_STK_PORT0, .off = _OUT(port[0]), .cb = snl_attr_get_uint16 },
{ .type = PF_STK_PORT1, .off = _OUT(port[1]), .cb = snl_attr_get_uint16 },
+ { .type = PF_STK_AF, .off = _OUT(af), .cb = snl_attr_get_uint8 },
+ { .type = PF_STK_PROTO, .off = _OUT(proto), .cb = snl_attr_get_uint16 },
};
SNL_DECLARE_ATTR_PARSER(skey_parser, nla_p_skey);
#undef _OUT
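Review bot: The new `{ .type = PF_STK_PROTO, .off = _OUT(proto), .cb = snl_attr_get_uint16 }` entry stores a 16-bit value into `pfctl_state_key.proto`, yet the removed PF_ST_PROTO entry in the next hunk filled that same field (as `key[0].proto`) with snl_attr_get_uint8, and libpfctl.h is not among the three files this commit changes, so the field's width is unchanged here. If `proto` is still 8 bits wide, the u16 callback writes one byte past it into whatever follows in the struct; if it was already 16 bits, the old parser was the mismatched one. Please confirm the field type, and if it is uint8_t use `.cb = snl_attr_get_uint8` here, `nlattr_add_u8(nw, PF_STK_PROTO, key->proto)` in the dump_state_key hunk of pf_nl.c, and `/* u8 */` on the PF_STK_PROTO enumerator in pf_nl.h, so writer, header and parser agree on one width. The `_OUT` macro redefined in this hunk is also consumed by the tables that follow it outside the hunk.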
@@ -1897,8 +1899,6 @@ static struct snl_attr_parser ap_state[] = {
{ .type = PF_ST_PACKETS1, .off = _OUT(packets[1]), .cb = snl_attr_get_uint64 },
{ .type = PF_ST_BYTES0, .off = _OUT(bytes[0]), .cb = snl_attr_get_uint64 },
{ .type = PF_ST_BYTES1, .off = _OUT(bytes[1]), .cb = snl_attr_get_uint64 },
- { .type = PF_ST_AF, .off = _OUT(key[0].af), .cb = snl_attr_get_uint8 },
- { .type = PF_ST_PROTO, .off = _OUT(key[0].proto), .cb = snl_attr_get_uint8 },
{ .type = PF_ST_DIRECTION, .off = _OUT(direction), .cb = snl_attr_get_uint8 },
{ .type = PF_ST_LOG, .off = _OUT(log), .cb = snl_attr_get_uint8 },
{ .type = PF_ST_STATE_FLAGS, .off = _OUT(state_flags), .cb = snl_attr_get_uint16 },
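Review bot: Dropping the PF_ST_AF and PF_ST_PROTO entries leaves `s.key[0].af` and `s.key[0].proto` (and both key[1] fields, since the pfctl_get_states_nl hunk below also removes the key[0]-to-key[1] copy) at zero whenever a message carries only the state-level attributes, which the commit message says the kernel keeps emitting for compatibility. If this library is expected to talk to a kernel that predates PF_STK_AF/PF_STK_PROTO, keep the two entries so the older attributes still populate key[0]; if kernel and library always move together, a one-line comment such as `/* af/proto now arrive per key via PF_STK_AF/PF_STK_PROTO */` would record why they went away. The ap_state table continues beyond the hunk on both sides.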
@@ -1959,9 +1959,6 @@ pfctl_get_states_nl(struct pfctl_state_filter *filter, struct snl_state *ss, pfc
if (!snl_parse_nlmsg(ss, hdr, &state_parser, &s))
continue;
- s.key[1].af = s.key[0].af;
- s.key[1].proto = s.key[0].proto;
-
ret = f(&s, arg);
if (ret != 0)
return (ret);
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index d2a050140dbc..3af27e11d27f 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -133,6 +133,8 @@ dump_state_key(struct nl_writer *nw, int attr, const struct pf_state_key *key)
dump_addr(nw, PF_STK_ADDR1, &key->addr[1], key->af);
nlattr_add_u16(nw, PF_STK_PORT0, key->port[0]);
nlattr_add_u16(nw, PF_STK_PORT1, key->port[1]);
+ nlattr_add_u8(nw, PF_STK_AF, key->af);
+ nlattr_add_u16(nw, PF_STK_PROTO, key->proto);
nlattr_set_len(nw, off);
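Review bot: The two new nlattr_add calls make dump_state_key emit a per-key af and proto while the state-level PF_ST_AF/PF_ST_PROTO attributes are still sent for compatibility, and nothing in the code says which of the two a consumer should trust when they disagree. A short comment above `nlattr_add_u8(nw, PF_STK_AF, key->af);` stating that under NAT64 the wire and stack keys can carry different af/proto, that these per-key values are authoritative, and that the state-level copies remain only for older userspace would prevent a later reader from "deduplicating" one of them. The function's head, including the nested-attribute open that `off` refers to, is outside the hunk.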
diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h
index 096b9913d4a6..3af931978860 100644
--- a/sys/netpfil/pf/pf_nl.h
+++ b/sys/netpfil/pf/pf_nl.h
@@ -71,6 +71,8 @@ enum pfstate_key_type_t {
PF_STK_ADDR1 = 2, /* ip */
PF_STK_PORT0 = 3, /* u16 */
PF_STK_PORT1 = 4, /* u16 */
+ PF_STK_AF = 5, /* u8 */
+ PF_STK_PROTO = 6, /* u16 */
};
enum pfstate_peer_type_t {