Re: Fwd: Dual-feed: PF setup troubles

Mon, 15 Aug 2005 08:29:08 -0700 

On Monday 15 August 2005 16:34, Daniel Hartmeier wrote:
> I suspect the loop occurs through sys/net/if_ethersubr.c ether_output()
> You route-to the broadcast packet, pf will call ether_output() to send
> it out through the new interface, and this piece of code in there will
> send it right back in through that interface again. If your ruleset then
> routes that resent packet again, you get a tight endless loop, locking
> up the kernel, like you describe.

Good catch!

> OpenBSD doesn't have this piece in ether_output(), I'm not sure in what
> cases people want outgoing broadcasts on an interface reflected back at
> them by the stack.

In fact OpenBSD has this code as well, though in it's old/original form.  
However, in version 1.70 you introduced the fix:

line 283:
                /* If broadcasting on a simplex interface, loopback a copy */
                if ((m->m_flags & M_BCAST) && (ifp->if_flags & IFF_SIMPLEX) &&
                    m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) == NULL)
                        mcopy = m_copy(m, 0, (int)M_COPYALL);

Attached is a patch to reproduce this in FreeBSD, can you please try?  I am 
not 100% that this is the right fix, or if it is better to do the relooping 
as well telling pf not to re-route it again (e.g. via PF_GENERATED), though 
this has different gotchas.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Index: if_ethersubr.c
===================================================================
RCS file: /usr/store/mlaier/fcvs/src/sys/net/if_ethersubr.c,v
retrieving revision 1.196
diff -u -r1.196 if_ethersubr.c
--- if_ethersubr.c	9 Aug 2005 10:19:58 -0000	1.196
+++ if_ethersubr.c	15 Aug 2005 15:14:34 -0000
@@ -310,7 +310,8 @@
 	 * on the wire). However, we don't do that here for security
 	 * reasons and compatibility with the original behavior.
 	 */
-	if ((ifp->if_flags & IFF_SIMPLEX) && (loop_copy != -1)) {
+	if ((ifp->if_flags & IFF_SIMPLEX) && (loop_copy != -1) &&
+	    m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) == NULL) {
 		int csum_flags = 0;
 
 		if (m->m_pkthdr.csum_flags & CSUM_IP)

Attachment: pgpDokunfoYzg.pgp
Description: PGP signature

Reply via email to