diff options
| author | Kajetan Staszkiewicz <ks@FreeBSD.org> | 2025-09-07 16:59:00 +0300 |
|---|---|---|
| committer | Kajetan Staszkiewicz <ks@FreeBSD.org> | 2025-10-01 18:00:20 +0200 |
| commit | 048b8123ee87154b220d73ea6543423164f25fdb (patch) | |
| tree | f9014dcaeb88bd26180762dcad224372e5b13bef /tests | |
| parent | f12dba5d17466d591f7adbeca5e9eec06ef06d66 (diff) | |
pf: Always skip outbound filtering for inbound af-to rules
The af-to rules on inbound direction create a single state spanning both
the inbound and the outbound interface. Calling pf_test() for the
outbound direction in pf_route() makes the packet pass through state
search, match the existing state, never evaluate the ruleset, and increase
state counters.
Check that the state comes from an af-to rule in inbound direction, and
if yes, skip outbound testing.
Reviewed by: kp
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D52446
(cherry picked from commit 938ae26ffda81fd42c235eaa3223dae51331e4eb)
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/sys/netpfil/pf/nat64.sh | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/tests/sys/netpfil/pf/nat64.sh b/tests/sys/netpfil/pf/nat64.sh index d930e2ee5763..d873d34a51d5 100644 --- a/tests/sys/netpfil/pf/nat64.sh +++ b/tests/sys/netpfil/pf/nat64.sh @@ -214,11 +214,11 @@ tcp_in_if_bound_body() fi # Interfaces of the state are reversed when doing inbound NAT64! - # FIXME: Packets counters seem wrong! + # FIXME: Packets from both directions are counted only on the inbound direction! states=$(mktemp) || exit 1 jexec rtr pfctl -qvvss | normalize_pfctl_s > $states for state_regexp in \ - "${epair_link}a tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\) .* 9:9 pkts.* rule 3 .* origif: ${epair}b" \ + "${epair_link}a tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\) .* 9:0 pkts.* rule 3 .* origif: ${epair}b" \ ; do grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" done @@ -296,11 +296,11 @@ tcp_in_floating_body() fi # Interfaces of the state are reversed when doing inbound NAT64! - # FIXME: Packets counters seem wrong! + # FIXME: Packets from both directions are counted only on the inbound direction! states=$(mktemp) || exit 1 jexec rtr pfctl -qvvss | normalize_pfctl_s > $states for state_regexp in \ - "all tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\).* 9:9 pkts.* rule 3 .* origif: ${epair}b" \ + "all tcp 192.0.2.1:[0-9]+ \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:1234 \(64:ff9b::c000:202\[1234\]\).* 9:0 pkts.* rule 3 .* origif: ${epair}b" \ ; do grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" done @@ -1045,8 +1045,10 @@ route_to_body() states=$(mktemp) || exit 1 jexec rtr pfctl -qvvss | normalize_pfctl_s > $states + # Interfaces of the state are reversed when doing inbound NAT64! + # FIXME: Packets from both directions are counted only on the inbound direction! for state_regexp in \ - "${epair_link}a ipv6-icmp 192.0.2.1:.* \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:8 \(64:ff9b::c000:202\[[0-9]+\]\).*6:6 pkts.*route-to: 192.0.2.2@${epair_link}a origif: ${epair}b" \ + "${epair_link}a ipv6-icmp 192.0.2.1:.* \(2001:db8::2\[[0-9]+\]\) -> 192.0.2.2:8 \(64:ff9b::c000:202\[[0-9]+\]\).* 6:0 pkts.*route-to: 192.0.2.2@${epair_link}a origif: ${epair}b" \ ; do grep -qE "${state_regexp}" $states || atf_fail "State not found for '${state_regexp}'" done |