From d8322a6ac465ffe2ef432a4b4d608afdd03150da Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Mon, 11 Mar 2024 14:44:17 +0100
Subject: [PATCH] pf: avoid passing through dummynet multiple times

In some setups we end up with multiple states created for a single packet, which in turn can mean we run the packet through dummynet multiple times. That's not expected or intended.

Mark each packet when it goes through dummynet, and do not pass packet through dummynet if they're marked as having already passed through.

See also: https://redmine.pfsense.org/issues/14854
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D44365
---
 sys/netpfil/pf/pf.c | 4 ++++
 sys/netpfil/pf/pf_mtag.h | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 761e76a5617..a713f6b8bf9 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8301,6 +8301,9 @@ pf_pdesc_to_dnflow(const struct pf_pdesc *pd, const struct pf_krule *r,
 dndir = pd->dir;
 }
+ if (pd->pf_mtag->flags & PF_MTAG_FLAG_DUMMYNETED)
+ return (false);
+
 memset(dnflow, 0, sizeof(*dnflow));
 if (pd->dport != NULL)
@@ -8442,6 +8445,7 @@ pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s,
 if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) {
 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
+ pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNETED;
 ip_dn_io_ptr(m0, &dnflow);
 if (*m0 != NULL) {
 pd->pf_mtag->flags &= ~PF_MTAG_FLAG_ROUTE_TO;
diff --git a/sys/netpfil/pf/pf_mtag.h b/sys/netpfil/pf/pf_mtag.h
index 5c6fb1c386f..6ecc33c25a7 100644
--- a/sys/netpfil/pf/pf_mtag.h
+++ b/sys/netpfil/pf/pf_mtag.h
@@ -41,7 +41,7 @@
 #define PF_MTAG_FLAG_TRANSLATE_LOCALHOST 0x04
 #define PF_MTAG_FLAG_PACKET_LOOPED 0x08
 #define PF_MTAG_FLAG_FASTFWD_OURS_PRESENT 0x10
-/* 0x20 unused */
+#define PF_MTAG_FLAG_DUMMYNETED 0x20
 #define PF_MTAG_FLAG_DUPLICATED 0x40
 #define PF_MTAG_FLAG_SYNCOOKIE_RECREATED 0x80
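Review bot: The new early return in pf_pdesc_to_dnflow dereferences `pd->pf_mtag` without a NULL check; pf_dummynet_route dereferences it right after the call in the second hunk, so this is presumably fine for that caller, but any other caller of pf_pdesc_to_dnflow would need the same guarantee and that is not visible here. The check would also read better as a guard clause ahead of the dndir computation, since nothing computed above it is used once the function returns false. Because the flag lives in the mbuf tag, it persists into a later pf pass on another interface unless something outside this hunk clears it, so a packet queued on ingress would skip a dummynet rule on egress; if that is the intended semantics, a comment such as `/* Already queued once for this packet; do not run it through dummynet again. */` above the check would record it. The body of pf_pdesc_to_dnflow starts and ends outside the hunk.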
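Review bot: The two consecutive flag updates in pf_dummynet_route can be a single statement, `pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET | PF_MTAG_FLAG_DUMMYNETED;`, which also makes it visible at a glance that the per-pass marker and the once-only marker are always set together before `ip_dn_io_ptr` is called. The enclosing function continues outside the hunk.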
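Review bot: The new PF_MTAG_FLAG_DUMMYNETED define carries no comment, and its name differs from PF_MTAG_FLAG_DUMMYNET (defined outside this hunk) only by the suffix, so a reader of the header cannot tell which flag marks a packet currently handed to dummynet and which records that it has already been through once. A trailing comment on the new line, e.g. `#define PF_MTAG_FLAG_DUMMYNETED 0x20 /* already queued via dummynet once */`, would make the distinction self-explaining at the point of definition.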