2012/4/17 Gleb Smirnoff <gleb...@freebsd.org>:
> On Tue, Apr 17, 2012 at 10:06:15AM +0200, Ermal Lu?i wrote:
> E> 2012/4/16 Gleb Smirnoff <gleb...@freebsd.org>:
> E> > On Sun, Apr 15, 2012 at 12:00:21PM +0000, Gleb Smirnoff wrote:
> E> > T> On Sun, Apr 15, 2012 at 11:10:03AM +0000, Gleb Smirnoff wrote:
> E> > T> T> I have a vague suspicion on what is happening. Your
> description of
> E> > T> T> the problem looks like if a packet processing in the kernel has
> entered
> E> > T> T> an endless loop.
> E> > T> T>
> E> > T> T> Looking at pf_route() I see such possibility. From OpenBSD we
> have
> E> > T> T> this protection against endless looping:
> E> > T> T>
> E> > T> T> if ((*m)->m_pkthdr.pf.routed++ > 3) {
> E> > T> T> m0 = *m;
> E> > T> T> *m = NULL;
> E> > T> T> goto bad;
> E> > T> T> }
> E> > T> T>
> E> > T> T> In our code this transforms to:
> E> > T> T>
> E> > T> T> if (pd->pf_mtag->routed++ > 3) {
> E> > T> T> m0 = *m;
> E> > T> T> *m = NULL;
> E> > T> T> goto bad;
> E> > T> T> }
> E> > T> T>
> E> > T> T> The root difference between storing the tag on mbuf and on pfdesc
> E> > T> T> is that we lose pfdesc, and thus the tag, when we enter pf_test()
> E> > T> T> recursively. And pf_route() does this recursion:
> E> > T> T>
> E> > T> T> if (oifp != ifp) {
> E> > T> T> if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) {
> E> > T> T> goto bad;
> E> > T> T> ....
> E> > T>
> E> > T> On second look I see that my suspicion may not be true. In the
> E> > T> beginning of pf_test() we do pf_get_mtag() which preserves already
> E> > T> present tag if there is one.
> E> >
> E> > Further investigation showed that problem exist when route applied
> E> > ends in lo0, and packet passes to if_simloop(). There all mtags are
> E> > stripped from the mbuf, including the pf mtag. Then packet is again
> E> > processed by ip_input() again entering pf(4), if it again matches
> E> > a routing rule, then we got an endless loop.
> E> >
> E> > We can try to fix this applying MTAG_PERSISTENT to the pf(4) tag id.
> E>
> E> That seems like the best fix for this case.
>
> In this case crash or freeze is fixed, but still packet is dropped. Example
> of such rule:
>
> pass in on igb0 fastroute proto tcp from any to $localip
>
> Anyway, dropping packets is much better than crashing.
>
Actually after some coffee :) i think its better marking the packet
with M_SKIP_FIREWALL since
it has already taken its decision on this packet.
The simloop consumers seem to be just facilities of how things work
from what i can see.
So just delivering the packet by sending skipping the firewalls seems
more sensibile!
Though the persistent case for the tags should be revisited since it
may fix some other issues with pf(4) tags, and some others.
> --
> Totus tuus, Glebius.
--
Ermal
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
