mirror of
https://github.com/opnsense/src.git
synced 2026-04-26 16:47:30 -04:00
5ab151574c
Redirect rules use PFIL_IN and PFIL_OUT events to allow packet filter rules to change the destination address and port for a connection. Typically, the rule triggers on an input event when a packet is received by a router and the destination address and/or port is changed to implement the redirect. When a reply packet on this connection is output to the network, the rule triggers again, reversing the modification. When the connection is initiated on the same host as the packet filter, it is initially output via lo0 which queues it for input processing. This causes an input event on the lo0 interface, allowing redirect processing to rewrite the destination and create state for the connection. However, when the reply is received, no corresponding output event is generated; instead, the packet is delivered to the higher level protocol (e.g. tcp or udp) without reversing the redirect, the reply is not matched to the connection and the packet is dropped (for tcp, a connection reset is also sent). This commit fixes the problem by adding a second packet filter call in the input path. The second call happens right before the handoff to higher level processing and provides the missing output event to allow the redirect's reply processing to perform its rewrite. This extra processing is disabled by default and can be enabled using pfilctl: pfilctl link -o pf:default-out inet-local pfilctl link -o pf:default-out6 inet6-local PR: 268717 Reviewed-by: kp, melifaro MFC-after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40256 |
||
|---|---|---|
| .. | ||
| acl | ||
| aio | ||
| audit | ||
| auditpipe | ||
| capsicum | ||
| cddl | ||
| common | ||
| compat32 | ||
| devrandom | ||
| fifo | ||
| file | ||
| fs | ||
| geom | ||
| kern | ||
| kqueue | ||
| mac | ||
| mqueue | ||
| net | ||
| netgraph | ||
| netinet | ||
| netinet6 | ||
| netipsec | ||
| netlink | ||
| netmap | ||
| netpfil | ||
| opencrypto | ||
| pjdfstest | ||
| posixshm | ||
| ses | ||
| sys | ||
| vfs | ||
| vm | ||
| vmm | ||
| Makefile | ||
| Makefile.depend | ||
| Makefile.inc | ||