-rw-r--r-- | UPDATING | 12 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 20 | ||||
-rw-r--r-- | tests/sys/netpfil/common/utils.subr | 3 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/fragmentation.sh | 3 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/killstate.sh | 24 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/map_e.sh | 3 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/pass_block.sh | 3 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/pfsync.sh | 1 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/route_to.sh | 3 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/set_skip.sh | 2 | ||||
-rw-r--r-- | tests/sys/netpfil/pf/table.sh | 6 |
11 files changed, 63 insertions, 17 deletions
@@ -12,6 +12,18 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before updating system packages and/or ports.
+20230619:
+ To enable pf rdr rules for connections initiated from the host, pf
+ filter rules can be optionally enabled for packets delivered
+ locally. This can change the behavior of rules which match packets
+ delivered to lo0. To enable this feature:
+
+ sysctl net.pf.filter_local=1
+ service pf restart
+
+ When enabled, its best to ensure that packets delivered locally are not
+ filtered, e.g. by adding a 'skip on lo' rule.
+
 20230404:
 llvm-objump is now always installed as objdump. Previously there was no /usr/bin/objdump unless the WITH_LLVM_BINUTILS knob was used.
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 07463ecbbcf3..5c9b5d2cebb1 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -184,6 +184,12 @@ static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules");
 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
 #endif
+VNET_DEFINE_STATIC(bool, pf_filter_local) = false;
+#define V_pf_filter_local VNET(pf_filter_local)
+SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(pf_filter_local), false,
+ "Enable filtering for packets delivered to local network stack");
+
 static void pf_init_tagset(struct pf_tagset *, unsigned int *, unsigned int);
 static void pf_cleanup_tagset(struct pf_tagset *);
@@ -5670,6 +5676,13 @@ hook_pf(void)
 pla.pa_hook = V_pf_ip4_out_hook;
 ret = pfil_link(&pla);
 MPASS(ret == 0);
+ if (V_pf_filter_local) {
+ pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
+ pla.pa_head = V_inet_local_pfil_head;
+ pla.pa_hook = V_pf_ip4_out_hook;
+ ret = pfil_link(&pla);
+ MPASS(ret == 0);
+ }
 #endif
 #ifdef INET6
 pha.pa_type = PFIL_TYPE_IP6;
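Review bot: The new `SYSCTL_BOOL` near the top of pf_ioctl.c is a plain `CTLFLAG_RW` variable with no handler, and as far as this diff shows `V_pf_filter_local` is only consulted inside hook_pf() when the pfil links are created, so writing the knob after pf is already enabled changes nothing until pf is re-hooked; the description string does not say so. The UPDATING entry in the same commit tells administrators to `service pf restart`, so the knob itself should carry that hint, e.g. `"Enable filtering for packets delivered to local network stack (applied when pf is enabled)"`. Without it, someone reading `sysctl -d net.pf.filter_local` will assume the setting is live, and since a `block all` ruleset then starts dropping loopback traffic once it does take effect, the resulting behaviour change is easy to misattribute.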
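Review bot: In hook_pf() the new block links the IPv4 out hook onto `V_inet_local_pfil_head` only while `V_pf_filter_local` is set, but the matching unlink is not part of this diff; if dehook_pf() is gated on the same sysctl (it is RW, so it can change between enable and disable), turning the knob off while pf is running would leave the local-head link in place after pf is disabled. Consider unlinking the local head unconditionally in dehook_pf(), or recording the value seen at hook time in a separate VNET variable that dehook_pf() consults instead of re-reading the sysctl. The IPv6 block in the next hunk (`V_inet6_local_pfil_head`, `V_pf_ip6_out_hook`) has the same concern and is otherwise identical apart from the head and hook, so a small static helper taking the head and hook would remove the duplication. hook_pf()'s body starts and ends outside this hunk.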
@@ -5691,6 +5704,13 @@ hook_pf(void)
 pla.pa_hook = V_pf_ip6_out_hook;
 ret = pfil_link(&pla);
 MPASS(ret == 0);
+ if (V_pf_filter_local) {
+ pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
+ pla.pa_head = V_inet6_local_pfil_head;
+ pla.pa_hook = V_pf_ip6_out_hook;
+ ret = pfil_link(&pla);
+ MPASS(ret == 0);
+ }
 #endif
 V_pf_pfil_hooked = 1;
diff --git a/tests/sys/netpfil/common/utils.subr b/tests/sys/netpfil/common/utils.subr
index d0028e663c45..2a2ee0af8ebf 100644
--- a/tests/sys/netpfil/common/utils.subr
+++ b/tests/sys/netpfil/common/utils.subr
@@ -55,11 +55,10 @@ firewall_config()
 jexec ${jname} ipfw -q -f flush
 jexec ${jname} /bin/sh $cwd/ipfw.rule
 elif [ ${fw} == "pf" ]; then
+ jexec ${jname} sysctl net.pf.filter_local=1
 jexec ${jname} pfctl -e
 jexec ${jname} pfctl -F all
 jexec ${jname} pfctl -f $cwd/pf.rule
- jexec ${jname} pfilctl link -o pf:default-out inet-local
- jexec ${jname} pfilctl link -o pf:default-out6 inet6-local
 elif [ ${fw} == "ipf" ]; then
 jexec ${jname} ipf -E
 jexec ${jname} ipf -Fa -f $cwd/ipf.rule
diff --git a/tests/sys/netpfil/pf/fragmentation.sh b/tests/sys/netpfil/pf/fragmentation.sh
index ae394324cddc..e62eb141eebd 100644
--- a/tests/sys/netpfil/pf/fragmentation.sh
+++ b/tests/sys/netpfil/pf/fragmentation.sh
@@ -112,7 +112,8 @@ v6_body()
 "scrub fragment reassemble" \
 "block in" \
 "pass in inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
- "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }"
+ "pass in inet6 proto icmp6 icmp6-type { echoreq, echorep }" \
+ "set skip on lo"
 # Host test
 atf_check -s exit:0 -o ignore \
diff --git a/tests/sys/netpfil/pf/killstate.sh b/tests/sys/netpfil/pf/killstate.sh
index c2942aab41f2..7b32bacdf82c 100644
--- a/tests/sys/netpfil/pf/killstate.sh
+++ b/tests/sys/netpfil/pf/killstate.sh
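Review bot: The added `jexec ${jname} sysctl net.pf.filter_local=1` in firewall_config() has no status check, so on a kernel without the knob the line fails quietly and the pf tests later fail with a symptom that looks unrelated, whereas the `pfilctl link` lines it replaces were at least explicit about what was being wired up. The neighbouring lines do not check status either, so this may simply be the file's convention; if so, a one-line comment would still be worth adding, since the line only works because it precedes `pfctl -e` (the sysctl appears to be read when pf installs its hooks), e.g. `# Must precede pfctl -e: the setting is picked up when pf hooks into pfil`. firewall_config() starts and ends outside this hunk.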
@@ -49,7 +49,8 @@ v4_body()
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz "block all" \
- "pass in proto icmp"
+ "pass in proto icmp" \
+ "set skip on lo"
 # Sanity check & establish state
 # Note: use pft_ping so we always use the same ID, so pf considers all
@@ -121,7 +122,8 @@ v6_body()
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz "block all" \
- "pass in proto icmp6"
+ "pass in proto icmp6" \
+ "set skip on lo"
 # Sanity check & establish state
 # Note: use pft_ping so we always use the same ID, so pf considers all
@@ -189,7 +191,8 @@ label_body()
 pft_set_rules alcatraz "block all" \
 "pass in proto tcp label bar" \
- "pass in proto icmp label foo"
+ "pass in proto icmp label foo" \
+ "set skip on lo"
 # Sanity check & establish state
 # Note: use pft_ping so we always use the same ID, so pf considers all
@@ -255,7 +258,8 @@ multilabel_body()
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz "block all" \
- "pass in proto icmp label foo label bar"
+ "pass in proto icmp label foo label bar" \
+ "set skip on lo"
 # Sanity check & establish state
 # Note: use pft_ping so we always use the same ID, so pf considers all
@@ -289,7 +293,8 @@ multilabel_body()
 --replyif ${epair}a
 pft_set_rules alcatraz "block all" \
- "pass in proto icmp label foo label bar"
+ "pass in proto icmp label foo label bar" \
+ "set skip on lo"
 # Reestablish state
 atf_check -s exit:0 -o ignore ${common_dir}/pft_ping.py \
@@ -333,7 +338,8 @@ gateway_body()
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz "block all" \
- "pass in reply-to (${epair}b 192.0.2.1) proto icmp"
+ "pass in reply-to (${epair}b 192.0.2.1) proto icmp" \
+ "set skip on lo"
 # Sanity check & establish state
 # Note: use pft_ping so we always use the same ID, so pf considers all
@@ -475,7 +481,8 @@ interface_body()
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz "block all" \
- "pass in proto icmp"
+ "pass in proto icmp" \
+ "set skip on lo"
 # Sanity check & establish state
 # Note: use pft_ping so we always use the same ID, so pf considers all
@@ -535,7 +542,8 @@ id_body()
 pft_set_rules alcatraz "block all" \
 "pass in proto tcp" \
- "pass in proto icmp"
+ "pass in proto icmp" \
+ "set skip on lo"
 # Sanity check & establish state
 # Note: use pft_ping so we always use the same ID, so pf considers all
diff --git a/tests/sys/netpfil/pf/map_e.sh b/tests/sys/netpfil/pf/map_e.sh
index cc68fe26be5e..7a2b33069c59 100644
--- a/tests/sys/netpfil/pf/map_e.sh
+++ b/tests/sys/netpfil/pf/map_e.sh
@@ -66,7 +66,8 @@ map_e_body()
 pft_set_rules echo "block return all" \
 "pass in on ${epair_echo}b inet proto tcp from 198.51.100.1 port 19720:19723 to (${epair_echo}b) port 7" \
 "pass in on ${epair_echo}b inet proto tcp from 198.51.100.1 port 36104:36107 to (${epair_echo}b) port 7" \
- "pass in on ${epair_echo}b inet proto tcp from 198.51.100.1 port 52488:52491 to (${epair_echo}b) port 7"
+ "pass in on ${epair_echo}b inet proto tcp from 198.51.100.1 port 52488:52491 to (${epair_echo}b) port 7" \
+ "set skip on lo"
 i=0
 while [ ${i} -lt ${NC_TRY_COUNT} ]
diff --git a/tests/sys/netpfil/pf/pass_block.sh b/tests/sys/netpfil/pf/pass_block.sh
index 589b89891729..51c8c432038a 100644
--- a/tests/sys/netpfil/pf/pass_block.sh
+++ b/tests/sys/netpfil/pf/pass_block.sh
@@ -230,7 +230,8 @@ urpf_body()
 --replyif ${epair_one}a
 pft_set_rules alcatraz \
- "block quick from urpf-failed"
+ "block quick from urpf-failed" \
+ "set skip on lo"
 jexec alcatraz pfctl -e
 # Correct source still works
diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh
index 513280331255..c70d7690c37b 100644
--- a/tests/sys/netpfil/pf/pfsync.sh
+++ b/tests/sys/netpfil/pf/pfsync.sh
@@ -149,6 +149,7 @@ defer_body()
 route add -net 203.0.113.0/24 198.51.100.1
 # Enable pf
+ jexec alcatraz sysctl net.pf.filter_local=0
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz \
 "set skip on ${epair_sync}a" \
diff --git a/tests/sys/netpfil/pf/route_to.sh b/tests/sys/netpfil/pf/route_to.sh
index 570d1feb36ff..4edd9a56de3b 100644
--- a/tests/sys/netpfil/pf/route_to.sh
+++ b/tests/sys/netpfil/pf/route_to.sh
@@ -230,7 +230,8 @@ multiwanlocal_body()
 "block in" \
 "block out" \
 "pass out quick route-to (${epair_cl_two}a 203.0.113.129) inet proto tcp from 203.0.113.128 to any port 7" \
- "pass out on ${epair_cl_one}a inet proto tcp from any to any port 7"
+ "pass out on ${epair_cl_one}a inet proto tcp from any to any port 7" \
+ "set skip on lo"
 # This should work
 result=$(jexec client nc -N -w 1 192.0.2.2 7 | wc -c)
diff --git a/tests/sys/netpfil/pf/set_skip.sh b/tests/sys/netpfil/pf/set_skip.sh
index ce7b1900ae00..9e9d5a5322f1 100644
--- a/tests/sys/netpfil/pf/set_skip.sh
+++ b/tests/sys/netpfil/pf/set_skip.sh
@@ -101,7 +101,7 @@ set_skip_dynamic_body()
 vnet_mkjail alcatraz
 jexec alcatraz pfctl -e
 pft_set_rules alcatraz "set skip on epair" \
- "block"
+ "block on ! lo"
 epair=$(vnet_mkepair)
 ifconfig ${epair}a 192.0.2.2/24 up
diff --git a/tests/sys/netpfil/pf/table.sh b/tests/sys/netpfil/pf/table.sh
index cc95daba048b..a70c003e71ae 100644
--- a/tests/sys/netpfil/pf/table.sh
+++ b/tests/sys/netpfil/pf/table.sh
@@ -52,7 +52,8 @@ v4_counters_body()
 "table <foo> counters { 192.0.2.1 }" \
 "block all" \
 "pass in from <foo> to any" \
- "pass out from any to <foo>"
+ "pass out from any to <foo>" \
+ "set skip on lo"
 atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2
@@ -91,7 +92,8 @@ v6_counters_body()
 "table <foo6> counters { 2001:db8:42::1 }" \
 "block all" \
 "pass in from <foo6> to any" \
- "pass out from any to <foo6>"
+ "pass out from any to <foo6>" \
+ "set skip on lo"
 atf_check -s exit:0 -o ignore ping -6 -c 3 2001:db8:42::2
 |
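Review bot: The added `jexec alcatraz sysctl net.pf.filter_local=0` in defer_body() is the only place in this commit that switches the knob off rather than adding `set skip on lo`, and nothing explains why; the kernel default introduced by the same commit is already `false`, so unless the harness sets it elsewhere (not visible here) the line is a no-op that reads as deliberate. A comment stating the intent, e.g. `# This test must not filter locally delivered packets; keep the knob off regardless of harness defaults` (adjusted to the real reason), would stop the next reader from treating it as dead code. The `# Enable pf` comment above it no longer describes the line that now follows it.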
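Review bot: In set_skip_dynamic_body() the rule becomes `"block on ! lo"` instead of the `"set skip on lo"` every other test in this commit adds, presumably because a second skip entry would interfere with the `set skip on epair` the test is exercising; that is a reasonable choice but it will look like an inconsistency to anyone later aligning the tests. A short comment would protect it, e.g. `# Exclude lo in the block rule itself; this test checks set-skip semantics, so do not add another set skip entry`. set_skip_dynamic_body() continues outside the hunk.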