The branch stable/15 has been updated by ks:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=048b8123ee87154b220d73ea6543423164f25fdb

commit 048b8123ee87154b220d73ea6543423164f25fdb
Author:     Kajetan Staszkiewicz <[email protected]>
AuthorDate: 2025-09-07 13:59:00 +0000
Commit:     Kajetan Staszkiewicz <[email protected]>
CommitDate: 2025-10-01 16:00:20 +0000

    pf: Always skip outbound filtering for inbound af-to rules
    
    The af-to rules on inbound direction create a single state spanning both
    the inbound and the outbound interface. Calling pf_test() for the
    outbound direction in pf_route() makes the packet pass through state
    search, match the existing state, never evaluate the ruleset, and increase
    state counters.
    
    Check whether the state comes from an af-to rule in the inbound direction and,
    if so, skip outbound testing.
    
    Reviewed by:    kp
    Sponsored by:   InnoGames GmbH
    Differential Revision:  https://reviews.freebsd.org/D52446
    
    (cherry picked from commit 938ae26ffda81fd42c235eaa3223dae51331e4eb)
---
 sys/netpfil/pf/pf.c           |  4 ++--
 tests/sys/netpfil/pf/nat64.sh | 12 +++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3311260aa157..c90ed1ff7769 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -9193,7 +9193,7 @@ pf_route(struct pf_krule *r, struct ifnet *oifp,
                }
        }
 
-       if (r->rt == PF_DUPTO)
+       if (r->rt == PF_DUPTO || (pd->af != pd->naf && s->direction == PF_IN))
                skip_test = true;
 
        if (pd->dir == PF_IN && !skip_test) {
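Review bot: The new predicate on the changed `if` line dereferences `s` unconditionally, and nothing in the hunk establishes that `s` is non-NULL whenever `pd->af != pd->naf`; if pf_route() can be entered without a state for such a packet (its head and its caller are outside the hunk, so I cannot tell), the check needs a guard, e.g. `(s != NULL && pd->af != pd->naf && s->direction == PF_IN)`. The identical predicate is duplicated verbatim in the pf_route6() hunk below; a small `static inline` helper such as `pf_route_skip_test(r, s, pd)` would keep the two from drifting apart. The line also deserves a comment, because it tests the state's direction while the `if` two lines below tests `pd->dir`, and the reason is only in the commit message: `/* Inbound af-to states span both interfaces; re-running pf_test() on the outbound leg only re-matches this state and bumps its counters. */`. pf_route()'s body starts and ends outside the hunk.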
@@ -9510,7 +9510,7 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp,
                }
        }
 
-       if (r->rt == PF_DUPTO)
+       if (r->rt == PF_DUPTO || (pd->af != pd->naf && s->direction == PF_IN))
                skip_test = true;
 
        if (pd->dir == PF_IN && !skip_test) {
diff --git a/tests/sys/netpfil/pf/nat64.sh b/tests/sys/netpfil/pf/nat64.sh
index d930e2ee5763..d873d34a51d5 100644
--- a/tests/sys/netpfil/pf/nat64.sh
+++ b/tests/sys/netpfil/pf/nat64.sh
@@ -214,11 +214,11 @@ tcp_in_if_bound_body()
        fi
 
        # Interfaces of the state are reversed when doing inbound NAT64!
-       # FIXME: Packets counters seem wrong!
+       # FIXME: Packets from both directions are counted only on the inbound 
direction!
        states=$(mktemp) || exit 1
        jexec rtr pfctl -qvvss | normalize_pfctl_s > $states
        for state_regexp in \
-               "${epair_link}a tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) 
-> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\) .* 9:9 pkts.* rule 3 .* origif: 
${epair}b" \
+               "${epair_link}a tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) 
-> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\) .* 9:0 pkts.* rule 3 .* origif: 
${epair}b" \
        ; do
                grep -qE "${state_regexp}" $states || atf_fail "State not found 
for '${state_regexp}'"
        done
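Review bot: The reworded FIXME near the top of the hunk describes the packet counters as a known defect, yet the regexp a few lines below now asserts `9:0 pkts` as the expected value, so the test pins the acknowledged-wrong counters without saying so; whoever fixes the counting later will get an unexplained failure here. I would make the coupling explicit in the comment, e.g. `# FIXME: ... The 9:0 counter below pins this behaviour and must be updated once the counting is fixed.`. The same applies to the tcp_in_floating_body and route_to_body hunks below, where the comment and the `9:0` / `6:0` expectations were changed the same way. tcp_in_if_bound_body starts and ends outside the hunk.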
@@ -296,11 +296,11 @@ tcp_in_floating_body()
        fi
 
        # Interfaces of the state are reversed when doing inbound NAT64!
-       # FIXME: Packets counters seem wrong!
+       # FIXME: Packets from both directions are counted only on the inbound 
direction!
        states=$(mktemp) || exit 1
        jexec rtr pfctl -qvvss | normalize_pfctl_s > $states
        for state_regexp in \
-               "all tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 
192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\).* 9:9 pkts.* rule 3 .* origif: 
${epair}b" \
+               "all tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 
192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\).* 9:0 pkts.* rule 3 .* origif: 
${epair}b" \
        ; do
                grep -qE "${state_regexp}" $states || atf_fail "State not found 
for '${state_regexp}'"
        done
@@ -1045,8 +1045,10 @@ route_to_body()
        states=$(mktemp) || exit 1
        jexec rtr pfctl -qvvss | normalize_pfctl_s > $states
 
+       # Interfaces of the state are reversed when doing inbound NAT64!
+       # FIXME: Packets from both directions are counted only on the inbound 
direction!
        for state_regexp in \
-               "${epair_link}a ipv6-icmp 192.0.2.1:.* 
\(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:8 \(64:ff9b::c000:202\[[0-9]+\]\).*6:6 
pkts.*route-to: 192.0.2.2@${epair_link}a origif: ${epair}b" \
+               "${epair_link}a ipv6-icmp 192.0.2.1:.* 
\(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:8 \(64:ff9b::c000:202\[[0-9]+\]\).* 6:0 
pkts.*route-to: 192.0.2.2@${epair_link}a origif: ${epair}b" \
        ; do
                grep -qE "${state_regexp}" $states || atf_fail "State not found 
for '${state_regexp}'"
        done
