don't run copies of packets made by dup-to through pf_test.

dup-to is kind of like what you do with a span port, but is a bit
more fine grained. it copies packets in a connection out an interface
so that connection can be monitored. it doesnt make sense for pf
to see the copied packets and try to match or create new states for
them either. at best it needs config to stop pf seeing the copies
(eg, set skip on $dup_to_tgt_if). at worst it breaks the connections
you're monitoring because the states in pf get confused.

found while discussing larger route-to changes on tech@.

ok bluhm@ sashan@

diff --git a/sys/net/pf.c b/sys/net/pf.c
index 5d6b493..1cdbd00 100644 (file)
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1101 2021/01/19 22:22:23 bluhm Exp $ */
+/*     $OpenBSD: pf.c,v 1.1102 2021/01/27 03:02:06 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -6039,7 +6039,7 @@ pf_route(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
        if (ifp == NULL)
                goto bad;
 
-       if (pd->kif->pfik_ifp != ifp) {
+       if (r->rt != PF_DUPTO && pd->kif->pfik_ifp != ifp) {
                if (pf_test(AF_INET, PF_OUT, ifp, &m0) != PF_PASS)
                        goto bad;
                else if (m0 == NULL)
@@ -6194,7 +6194,7 @@ pf_route6(struct pf_pdesc *pd, struct pf_rule *r, struct pf_state *s)
        if (ifp == NULL)
                goto bad;
 
-       if (pd->kif->pfik_ifp != ifp) {
+       if (r->rt != PF_DUPTO && pd->kif->pfik_ifp != ifp) {
                if (pf_test(AF_INET6, PF_OUT, ifp, &m0) != PF_PASS)
                        goto bad;
                else if (m0 == NULL)