Branch :
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
| 38f7444c | 2022-01-05 05:19:22 | add NSH and NHRP ethertypes, mostly for tcpdump stuff. ok deraadt@ | ||
| 83aa0ba6 | 2022-01-05 05:18:24 | rename ETHERTYPE_PAE to ETHERTYPE_EAPOL. everyone else seems to use ETHERTYPE_EAPOL, and as a bonus it also appears to be more correct. ok deraadt@ stsp@ | ||
| 4d544115 | 2022-01-04 06:32:39 | Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and trees. ipsp_ids_lookup() returns `ids' with bumped reference counter. original diff from mvs ok mvs | ||
| df8d9afd | 2022-01-02 22:36:03 | spelling ok jmc@ reads ok tb@ | ||
| 7945134b | 2021-12-30 14:25:39 | Use a distinct variable while iterating the list of existing devices. ok mvs@ Reported-by: syzbot+e2d1df67f742a5a47938@syzkaller.appspotmail.com Reported-by: syzbot+72298724beda82ec8e7f@syzkaller.appspotmail.com | ||
| 188a0a69 | 2021-12-30 00:49:41 | Prevent concurrent access to incomplete or dying `sc' caused by sleep points in pppacopen() and pppacclose() paths. Use the same "sc_ready" logic we use for 'pppx_if' structure. Reported-by: syzbot+a7ac144b48f7f471f689@syzkaller.appspotmail.com ok anton@ dlg@ | ||
| 5bac415b | 2021-12-28 23:13:20 | whitespace tweak, no functional change. | ||
| 02cdd809 | 2021-12-28 23:10:58 | it doesnt make sense to configure a vport as a span port. | ||
| 6b7aaaa8 | 2021-12-28 23:10:30 | move away from using the M_PROTO1 flag to prevent loops with vports if a vlan interface is configured on a vport interface, vlan(4) will take the packet away from ether_input before the veb bridge input handler gets to clear M_PROTO1. this leaves the flag on the mbuf as it goes through the l3 stacks. if it goes back out a vport into a veb, the presence of M_PROTO1 means the packet ends up getting dropped, which is unexpected. this diff specialises vport handling by veb even more to avoid the problem the flag was handling. vports get their own bridge input handler that skips veb processing completely because a packet being received on a vport can only occur if a veb has decided to forward it there and has already processed it. when the stack sends a packet out a vport interface, then we do actual veb bridge input handling. bug reported on misc@ and the fix tested by Simon Baker | ||
| 5a50f165 | 2021-12-26 14:04:29 | DIOCHANGERRULE ioctl must set pointer to ruleset in rule it inserts. Reported-by: syzbot+7718c5f69c595f76b298@syzkaller.appspotmail.com OK bluhm@, OK jmatthew@ | ||
| 840840b0 | 2021-12-26 01:00:32 | make 'set skip on ...' in pf.conf dynamic This is an old issue in pf(4): whenever new interface appears in IP stack, we must reload pf.conf to apply 'set skip on ...' to newly plumbed network interfaces. Time has come to fix it. The idea is to also create pfi_kif for interfaces, which are referred by 'set skip on ...'. Such pfi_kif instances are created/destroyed by pfi_set_flags()/pfi_clear_flags(). claudio@ dragged my attention to this in Gouveia. Also his feedback helped me to put change into shape. OK claudio@ | ||
| 5ee194bc | 2021-12-23 12:21:48 | IPsec is not MP safe yet. To allow forwarding in parallel without dirty hacks, it is better to protect IPsec input and output with kernel lock. Not much is lost as crypto needs the kernel lock anyway. From here we can refine the lock later. Note that there is no kernel lock in the SPD lockup path. Goal is to keep that lock free to allow fast forwarding with non IPsec traffic. tested by Hrvoje Popovski; OK tobhe@ | ||
| d997d144 | 2021-12-20 15:59:09 | Use per-CPU counters for tunnel descriptor block (TDB) statistics. 'tdb_data' struct became unused and was removed. Tested by Hrvoje Popovski. ok bluhm@ | ||
| 9cb0c582 | 2021-12-19 23:30:08 | There are occasions where the walker function in tdb_walk() might sleep. So holding the tdb_sadb_mtx() when calling walker() is not allowed. Move the TDB from the TDB-Hash to a temporary list that is protected by netlock. Then unlock tdb_sadb_mtx and traverse the list to call the walker. OK mvs@ | ||
| e966ab90 | 2021-12-16 09:33:56 | When adding the extra 10% of space to a needed sysctl buffer use math that is less likely to overflow the int type used. A BGP fullfeed is now so big that this calculation overflowed and then got sign extended. The result was for example 'route -n show' failures. Problem identified with deraadt@ OK deraadt@ (more cleanup needed but this fix is a good start) | ||
| 38bfd041 | 2021-12-16 02:01:59 | fix zero division found by syzkaller. The sanity checks in pf(4) ioctls are not powerful enough to detect invalid port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some random chunk of memory as a rule to pf(4). Fix adds explicit check for 0 divider to pf_get_transaddr(). It should make syzkaller happy without disturbing anyone else. OK gnezdo@ Reported-by: syzbot+d1f00da48fa717e171f3@syzkaller.appspotmail.com | ||
| 4023ddd7 | 2021-12-16 00:54:42 | pool_get w/ PR_ZERO is better than following with a bzero, because pools hold dirty and clean memory, and can hand out the right time cheaper ok dlg | ||
| bdf46359 | 2021-12-14 17:50:37 | To cache lookups, the policy ipo is linked to its SA tdb. There is also a list of SAs that belong to a policy. To make it MP safe, protect these pointers with a mutex. tested by Hrvoje Popovski; OK mvs@ | ||
| 59b9936b | 2021-12-11 16:33:46 | Protect the write access to the TDB flags field with a mutex per TDB. Clearing the timeout flags just before pool put in tdb_free() does not make sense. Move this to tdb_delete(). While there make the parentheses in the flag check consistent. tested by Hrvoje Popovski; OK tobhe@ | ||
| 8cdd540d | 2021-12-08 14:24:18 | Start documenting the locking strategy of struct tdb fields. Note that gettdb_dir() is MP safe now. Add the tdb_sadb_mtx mutex in udpencap_ctlinput() to protect the access to tdb_snext. Make the braces consistently for all these TDB loops. Move NET_ASSERT_LOCKED() into the functions where the read access happens. OK mvs@ | ||
| 655f9804 | 2021-12-06 07:41:33 | fix odd check in pfi_kif_free() pointed out by jsg@ OK jsg@ | ||
| c4d43372 | 2021-12-03 19:04:49 | Add tdb_delete_locked() to replace duplicate tdb deletion code in pfkey_flush(). ok bluhm@ mvs@ | ||
| 31a6915f | 2021-12-03 17:18:34 | Add TDB reference counting to ipsp_spd_lookup(). If an output pointer is passed to the function, it will return a refcounted TDB. The ref happens when ipsp_spd_inp() copies the pointer from ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after using it. tested by Hrvoje Popovski; OK mvs@ tobhe@ | ||
| 2400aaeb | 2021-12-01 22:34:31 | Reintroduce the TDBF_DELETED flag. Checking next pointer to figure out whether the TDB is linked to the hash bucket does not work. This fixes removal of SAs that could not be flushed with ipsecctl -F. OK tobhe@ | ||
| 45b43d79 | 2021-12-01 21:48:00 | mention that the "flags" field in the enchdr is uses m_flags values (see mbuf.h) | ||
| e7111b64 | 2021-12-01 12:51:09 | Let ipsp_spd_lookup() return an error instead of a TDB. The TDB is not always needed, but the error value is necessary for the caller. As TDB should be refcounted, it makes not sense to always return it. Pass an output pointer for the TDB which can be NULL. OK mvs@ tobhe@ | ||
| 08d984e5 | 2021-11-29 15:39:59 | Using a void pointer for temporary allocated TDB in pfkeyv2 does not make sense. Do not use the freeme pointer for TDB in pfkeyv2_send(). The pattern is tdb_alloc() and tdb_unref() in case of error. Replace tdb_free() in reserve_spi() with tdb_unref() to keep this consistent. Only tdb_unref() should call tdb_free(). OK mvs@ | ||
| acf1bec5 | 2021-11-26 16:16:35 | Replace TDBF_DELETED flag with check if tdb was already unlinked. Protect tdb_unlink() and puttdb() for SADB_UPDATE with tdb_sadb_mutex. Tested by Hrvoje Popovski ok bluhm@ mvs@ | ||
| 4b0e5db3 | 2021-11-25 13:46:02 | Implement reference counting for IPsec tdbs. Not all cases are covered yet, more ref counts to come. The timeouts are protected, so the racy tdb_reaper() gets retired. The tdb_policy_head, onext and inext lists are protected. All gettdb...() functions return a tdb that is ref counted and has to be unrefed later. A flag ensures that tdb_delete() is called only once. Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@ | ||
| e0790d6d | 2021-11-23 19:13:45 | Use system uptime not UTC time to calculate PPPoE session duration Systems without RTC are likely to boot with wrong time, but pppoe(4) used microtime(9) anyway to remember when a new session began. (In)adequately, ifconfig(8) used gettimeofday(2) and calculated the difference between two absoloute dates to infer the PPPoE session duration. This goes off the rails if the wall clock jumps in between, e.g. due to NTP kicking in. Use getmicrouptime(9) and clock_gettime(2)/CLOCK_BOOTTIME instead to rely on the monotonically increasing system uptime instead to fix this. Reported and tested by Peter J. Philipp <pjp AT delphinusdns DOT org> on some octeon box without RTC. I've seen this on a Edgerouter 4 as well (2m uptime, 19d session). OK claudio | ||
| ac7c051c | 2021-11-22 12:56:04 | move PFR_TFLAG_CONST test, missed in rev 1.138 prompted by uninitialised var found by bluhm@ running regress on sparc64 ok sashan@ | ||
| 97bcf35f | 2021-11-17 18:00:24 | Display DNS information from sppp(4) in ifconfig(8) Behaviour is similar to that of umb(4). OK kn@ | ||
| 999a6f61 | 2021-11-16 20:51:30 | move memory allocations in pfr_add_addrs() outside of NET_LOCK()/PF_LOCK() scope. feedback by bluhm@ OK bluhm@ | ||
| d04b6041 | 2021-11-12 15:49:41 | "netconfigd" is now better known as resolvd(8) | ||
| bec0ed23 | 2021-11-11 18:08:17 | Do not call ip_deliver() recursively from IPsec. As there is no crypto task anymore, it is possible to return the next protocol. Then ip_deliver() will walk the header chain in its loop. IPsec bridge(4) tested by jan@ OK mvs@ tobhe@ jan@ | ||
| c97e8838 | 2021-11-11 12:35:01 | Allow pfi_kif_get() callers to pre-allocate buffer for new kif. If kif object exists already, then caller must free the pre-allocated buffer. If caller does not pre-allocate buffer, the pfi_kif_get() will get memory from pool using M_NOWAIT flag. Commit is also polishing pfi_initialize() a bit so it uses M_WAITOK allocation for pfi_all. there is no change in current behaviour. feedback by bluhm@ OK bluhm@ | ||
| 9f9935a8 | 2021-11-11 10:03:08 | Retire switch(4) it never really was production ready and the OpenFlow API implemented is a deadend. OK akoshibe@ yasuoka@ deraadt@ kn@ patrick@ sthen@ | ||
| 6371cd0b | 2021-11-10 20:24:22 | Give sppp(4) its own RTP_PROPOSAL priority OK semarie@ | ||
| 3265d83c | 2021-11-10 15:04:26 | sppp(4) - support PPP IPCP extensions for DNS RFC 1877 extends the family of network control protocols for establishing and configuring the IPCP over PPP, defining the negotiation of primary and secondary DNS addresses. After negotiation, rtm_proposal() is used to send out DNS updates. Feedback from claudio@ and kn@. OK claudio@, kn@ | ||
| 48a17b0d | 2021-11-10 04:46:25 | whitespace tweak, no functional change. enjoy rebuilding all the things cos i deleted a space. | ||
| 3c33e230 | 2021-11-10 04:45:15 | whitespace tweaks, no functional change. | ||
| b26d8e6e | 2021-11-08 04:54:44 | whitespace tweak, no functional change | ||
| 728741be | 2021-11-08 04:50:54 | whitespace tweaks, no functional change. | ||
| e4692c21 | 2021-11-08 04:15:46 | veb rules are an smr list, so traversal should be in an smr crit section reported by stsp@ an earlier diff was tested by and ok stsp@ ok jmatthew@ | ||
| c2f23716 | 2021-10-25 18:25:01 | Call a locked variant of tdb_unlink() from tdb_walk(). Fixes a mutex locking against myself panic introduced by my previous commit. OK beck@ patrick@ | ||
| 7f9adf34 | 2021-10-24 10:58:43 | let pf_table.c to use standard way to work with lists OK todd@, mvs@, kn@ | ||
| d5072c26 | 2021-10-23 22:19:37 | There is an m_pullup() down in AH input. As it may free or change the mbuf, the callers must be careful. Although there is no bug, use the common pattern to handle this. Pass down an mbuf pointer mp and let m_pullup() update the pointer in all callers. It looks like the tcp signature functions should not be called. Avoid an mbuf leak and return an error. OK mvs@ | ||
| 828d9ca1 | 2021-10-23 15:00:11 | Fix double free after allocation failure in bpf(4). Reported by Peter J. Philipp. OK mpi@ | ||
| ac7813e4 | 2021-10-23 09:36:58 | YIELD() in pf_table.c should preempt for ioctl() callers only OK @mpi | ||
| 7834797c | 2021-10-22 12:30:53 | After deleting hifn(4) the only provider for the LZS compression algorithm is gone. Reomve all LZS references from the tree. The v42bis in isakmpd also looks unsupported. OK mvs@ patrick@ sthen@ | ||
| 7853af73 | 2021-09-14 09:15:55 | Add missing kernel lock for Bi-directional Forwarding Detection data. Also bfdset() calls pool_get(9) with PR_WAITOK flag so it should be done before we check the existence of this `bfd', otherwise it could be added multiple times. We have BFD disabled in the default kernel so this diff is for consistency mostly. ok mpi@ | ||
| d2084f83 | 2021-09-07 16:07:46 | Fix NULL pointer dereference introduced by previous commit. Reported-by: syzbot+684597dbbb9b516e76ae@syzkaller.appspotmail.com ok mpi@ | ||
| 40192866 | 2021-09-07 09:56:00 | Fix the race between if_detach() and rtm_output(). When the dying network interface descriptor has if_get(9) obtained reference owned by foreign thread, the if_detach() thread will sleep just after it removed this interface from the interface index map. The data related to this interface is still in routing table, so if_get(9) called by concurrent rtm_output() thread will return NULL and the following "ifp != NULL" assertion will be triggered. So remove the "ifp != NULL" assertions from rtm_output() and try to grab `ifp' as early as possible then hold it until we finish the work. In the case we won the race and we have `ifp' non NULL, concurrent if_detach() thread will wait us. In the case we lost we just return ESRCH. The problem reported by danj@. Diff tested by danj@. ok mpi@ | ||
| 73ce225a | 2021-08-30 14:44:39 | remove a bunch of forward-only structs that were found with ctfconv. ok mpi@ | ||
| 304cf3fd | 2021-08-19 10:22:00 | implement reception of "VLAN 0 priority tagged" packets. according to 802.1Q, vlan 0 on the wire is special and should be interpreted as if it was a packet received on the parent interface, but you get the packet priority information encoded in the vlan header. historically we drop vlan tagged packets that don't have a vlan interface configured for the received tag number. historically we have deviated from 802.1Q by allowing for the configuration of a vlan subinterface with the vnetid "unset". this works just like any other vlan interface, but it uses tag 0 on the wire. however, if you're in a situation where you're receiving vlan tagged 0 packets that really are part of the same layer 2 ethernet domain as the parent inteface, this doesnt work well. landry@ is in such a situation at work where the network is sending his OpenBSD boxes packets with VLAN tag 0. sometimes. most of the time the packets are untagged, which is expected, but sometimes they have a VLAN header set. this causes problems, particularly with arp. this diff does the smallest possible change to enable reception of these vlan 0 priority tagged packets. if an "unset" vlan interface is not configured on the parent, then vlan 0 tagged packets get their header stripped and continue stack processing as if they didnt have the tag at all. landry has been running this for months. ok sthen@ claudio@ | ||
| 2f84ac13 | 2021-08-05 13:37:04 | m_freem in wg_send's path where a peer has no endpoint address, fixing an mbuf leak way with wgpka (keepalive) found the hard way by Matt P. Diff from Matt Dunwoodie, ok claudio@ | ||
| 60a682ed | 2021-08-02 21:10:55 | Don't call rtm_ifchg() in trunk_port_state(). The preceding trunk_link_active() already produced RTM_IFINFO message when trunk(4) state was changed. I such case we double RTM_IFINFO message or we produce false message when trunk(4) state was not changed. ok florian@ | ||
| 1ff726c6 | 2021-07-27 17:13:03 | Revert "Use per-CPU counters for tunnel descriptor block" diff. Panic reported by Hrvoje Popovski. | ||
| 2960d3c8 | 2021-07-27 09:29:09 | Introduce mutex(9) to protect pipex(4) session content. With bluhm@'s diff for parallel forwarding pipex(4) could be accessed in parallel through (*ifp->if_input)() -> ether_input() -> pipex_pppoe_input(). PPPOE pipex(4) sessions are mostly immutable except MPPE crypt. The new per-session `pxs_mtx' mutex(9) used to protect session's `ccp-id' which is incremented each time we send CCP reset-request. The new `pxm_mtx' mutex(9) used to protect MPPE context. Each pipex(4) session has two of them: one for the input and one for output path. Where is no lock order limitations because those new mutex(9)'es never held together. ok bluhm@ | ||
| 5a1e2cae | 2021-07-26 23:17:06 | Use per-CPU counters for tunnel descriptor block (tdb) statistics. 'tdb_data' struct became unused and was removed. ok bluhm@ | ||
| 0258c1b1 | 2021-07-22 16:40:19 | Add sizes for free() in zlib Rebased version of a diff from miod who described it as follows: This tries to keep diffability against upstream, hence a questionable choice of the size type for zcfree() - but all sizes should fit in 32 bits anyway. Since all zcfree routines used in the tree cope with NULL arguments (including the various alloc.c used by the boot blocks), I have simplified TRY_FREE to compensate for the growth. Reminded by and ok mpi | ||
| df21f681 | 2021-07-20 16:44:55 | Turn pipex(4) session statistics to per-CPU counters. This makes pipex(4) more compliant to bluhm@'s work on traffic forwarding parallelization. ok yasuoka@ bluhm@ | ||
| b8500bb4 | 2021-07-20 16:32:28 | The current workaround to disable parallel IPsec did not work. Variable nettaskqs must not change at runtime. Interface input queues choose the thread during init with ifiq_softnet = net_tq(). So it cannot be modified after pfkeyv2_send() sets the first SA in kernel. Also changing the calculation in net_tq() may call task_del() with a different taskq than task_add(). Instead of restricting the index to the first softnet task, use an exclusive lock. For now just move the comment. We can later decide if a write net lock or kernel lock is better. OK mvs@ | ||
| 8ee934e7 | 2021-07-19 19:00:58 | Fix an alignment fault observed on an octeon machine while pppoe(4) was attempting to negotiate a large MTU. Copy the peer's max payload size from the discovery packet with memcpy() instead of using a pointer to this value's offset in the packet buffer. tweak and ok visa@ additional testing and ok sthen@ | ||
| 094e3f7d | 2021-07-14 22:39:26 | Export SA replay counters via pfkey and print with ipsecctl. This is useful for debugging replay window issues with 64 bit sequence numbers in IPsec. ok bluhm@ | ||
| 01ae73c5 | 2021-07-09 01:22:05 | ifq_hdatalen can return 0 if ifq_empty is true, which avoids locks. | ||
| 8bd2aa04 | 2021-07-08 16:39:55 | Initialize `ipsec_acquire_pool' pool (9) within pfkey_init() instead of doing that in runtime within ipsp_acquire_sa(). ok bluhm@ | ||
| 698a75dd | 2021-07-08 15:13:14 | Debug printfs in encdebug were inconsistent, some missing newlines produced ugly output. Move the function name and the newline into the DPRINTF macro. This simplifies the debug statements. OK tobhe@ | ||
| baf71576 | 2021-07-07 20:19:01 | tell ether_input() to call pf_test() outside of smr_read sections, because smr_read sections don't play well with sleeping locks in pf(4). OK bluhm@ | ||
| 52ade9e7 | 2021-07-07 18:38:25 | pfsync_undefer() must be called outside of PF_LOCK OK @bluhm | ||
| f3218c34 | 2021-07-05 12:01:20 | Export tdb MTU to userland via SADB_GET. This helps debug path MTU discovery issues with ESP in UDP. ok bluhm@ sthen@ mpi@ | ||
| dd76c598 | 2021-07-05 04:17:41 | etherbridge_map was way too clever, so simplify it. the code tried to carry state from the quick smr based lookup through to the actual map update under the mutex, but this led to refcnt leaks, and logic errors. the simplification is that if the smr based checks say the map needs updating, we prepare the update and then forget what we learnt inside the smr critical section and redo them under the mutex again. entries in an etherbridge map are either in it or they aren't, so we don't need to refcnt them. this means the thing that takes an entry out of the map becomes directly responsible for destroy it, so they can do the smr call or barrier directly rather than via a refcnt. found by hrvoje popovski while testing the stack running in parallel, and fix tested by him too. ok sashan@ | ||
| a0ebdf48 | 2021-06-30 13:23:33 | Remove splnet() from ifnewlladdr(), it is not needed anymore. Add asserts and comments for the locks that are necessary. discussed with dlg@ mpi@ mvs@; tested by Hrvoje Popovski; OK mpi@ | ||
| 7845b46b | 2021-06-25 23:48:30 | let pfsync_request_update actually retry when it overfills a packet. a continue in the middle of a do { } while (0) loop is effectively a break, it doesnt restart the loop. without the retry, the code leaked update messages which in turn made pool_destroy in pfsync destroy trip over a kassert cos items were still out. found by and fix tested by hrvoje popovski ok sashan@ | ||
| b1f2ff08 | 2021-06-23 16:10:45 | rtsock: revert from timeout_set_flags(9) to timeout_set_proc(9); ok mvs@ | ||
| 3f1b5c31 | 2021-06-23 06:53:51 | augment the global pf state list with its own locks. before this, things that iterated over the global list of pf states had to take the net, pf, or pf state locks. in particular, the ioctls that dump the state table took the net and pf state locks before iterating over the states and using copyout to export them to userland. when we tried replacing the use rwlocks with mutexes under the pf locks, this blew up because you can't sleep when holding a mutex and there's a sleeping lock used inside copyout. this diff introduces two locks around the global state list: a mutex that protects the head and tail of the list, and an rwlock that protects the links between elements in the list. inserts on the state list only occur during packet handling and can be done by taking the mutex and putting the state on the tail before releasing the mutex. iterating over states is only done from thread/process contexts, so we can take a read lock, then the mutex to get a snapshot of the head and tail pointers, and then keep the read lock to iterate between the head and tail points. because it's a read lock we can then take other sleeping locks (eg, the one inside copyout) without (further) gymnastics. the pf state purge code takes the rwlock exclusively and the mutex to remove elements from the list. this allows the ioctls and purge code to loop over the list concurrently and largely without blocking the creation of states when pf is processing packets. pfsync also iterates over the state list when doing bulk sends, which the state purge code needs to be careful around. ok sashan@ | ||
| db679a19 | 2021-06-23 05:51:27 | pf_purge_expired_states can check the time once instead of for every state. | ||
| ec01c30c | 2021-06-23 05:43:53 | pfsync_undefer_notify needs to be careful before dereferecing state keys. pfsync_undefer_notify uses the state keys to look up the address family, which is used to figure out if it should call ipv4 or ipv6 functions. however, the pf state purge code can unlink a state from the trees (ie, the state keys get removed) while the pfsync defer code is holding a reference to it and expects to be able to send the deferred packet in the future. we can test if the state keys are set by checking if the timeout state is PFTM_UNLINK or not. this currently relies on both pf_remove_state and pfsync_undefer_notify being called with the NET_LOCK held. this probably needs to be rethought later but is good enough for now. found the hard way on a production firewall at work. | ||
| 99e6e1ef | 2021-06-23 04:16:32 | rework pf_state_expires to avoid confusion around state->timeout. im going to make it so pf_purge_expired_states() can gather states largely without sharing a lock with pfsync or actual packet processing in pf. if pf or pfsync unlink a state while pf_purge_expired_states is looking at it, we can race with some checks and fall over a KASSERT. i'm fixing this by having the caller of pf_state_expires read state->timeout first, do it's checks, and then pass the value as an argument into pf_state_expires. this means there's a consistent view of the state->timeout variable across all the checks that pf_purge_expired_states in particular does. if pf/pfsync does change the timeout while pf_purge_expired_states is looking at it, the worst thing that happens is that it doesn't get picked as a candidate for purging in this pass and will have to wait for the next sweep. ok sashan@ as part of a bigger diff | ||
| b8dc9bf2 | 2021-06-17 00:18:09 | more consistently use pfsync_free_deferral to free the mbuf. pfsync_free_deferral doesnt need to check pd_m for NULL before calling m_freem because m_freem does that anyway. if pf_setup_pdesc in pfsync_undefer_notify failed, the mbuf was freed but the pd_m pointer was not cleared, which would have led to a double free when pfsync_free_deferral tried to do the same thing for it. if pfsync_undefer is supposed to drop the mbuf, let pfsync_free_deferral do it for us. ok jmatthew@ | ||
| 58d69225 | 2021-06-15 10:10:22 | use getnsecuptime instead of getmicrouptime. working on a uint64_t is easier than remembering how timercmp and timersub works. ok jmatthew@ | ||
| a7d9d424 | 2021-06-15 08:36:19 | get the uptime before comparing to it. "that seems kind of important" jmatthew@ | ||
| 4ea72498 | 2021-06-15 05:24:46 | factor out nsecuptime and getnsecuptime. these functions were implemented in a bunch of places with comments saying it should be moved to kern_tc.c when more pop up, and i was about to add another one. i think it's time to move them to kern_tc.c. ok cheloa@ jmatthew@ | ||
| 1c3ff09a | 2021-06-15 05:06:24 | rework pfsync deferal timeout handling. instead of having a timeout per deferred packet structure, use a single timeout in pfsync that pulls items off the list of deferred packets. this avoids confusion about whether a timeout is handling the defer or another context owns it. this way round, the context that removes a defer from the list owns it and is responsible for completing it. this should fix a panic we hit on the firewalls at work. there's still another one that needs a fix, but sashan@ has been looking at it. this might make it simpler to deal with though. ok sashan@ jmatthew@ | ||
| 35ae5119 | 2021-06-09 03:24:54 | whitespace tweak. no functional change. | ||
| 3cc9bc2c | 2021-06-02 21:49:31 | With parallel execution of pf_test() two packets may try to update the same state in pfsync(4) queue. pfsync_q_ins() takes that race into account with one exception: the KASSERT() at line 2352. That KASSERT() needs to be removed. 2346 void 2347 pfsync_q_ins(struct pf_state *st, int q) 2348 { 2349 struct pfsync_softc *sc = pfsyncif; 2350 size_t nlen, sc_len; 2351 2352 KASSERT(st->sync_state == PFSYNC_S_NONE); 2353 2354 #if defined(PFSYNC_DEBUG) 2355 if (sc->sc_len < PFSYNC_MINPKT) 2356 panic("pfsync pkt len is too low %zd", sc->sc_len); 2357 #endif 2358 do { 2359 mtx_enter(&sc->sc_mtx[q]); 2360 2361 /* 2362 * If two threads are competing to insert the same state, then 2363 * there must be just single winner. 2364 */ 2365 if (st->sync_state != PFSYNC_S_NONE) { 2366 mtx_leave(&sc->sc_mtx[q]); 2367 break; 2368 } OK bluhm@ | ||
| f561b0b3 | 2021-06-02 07:46:22 | whitespace tweaks, no functional change. | ||
| 9f67f65b | 2021-06-02 01:37:10 | only read the if_bpf pointer once. | ||
| 2fbecff6 | 2021-06-02 01:36:10 | tpmr_input is called in an smr crit section, so it doesnt need its own. this simplifies the code a little bit. | ||
| 12b9e3f3 | 2021-06-02 01:30:30 | read the tpmr if_flags once in tpmr_input so link flags apply consistently. this avoids IFF_LINK1 getting set by another cpu halfway through tpmr_input. if LINK1 is not set when a packet enters a tpmr pair it skips ip/pf checks, but if it is then set then only pf is run against it. this way you either get the ip checks and pf when the packet enters and leaves tpmr, or you dont get the ip and pf checks at all. | ||
| fdb9e118 | 2021-06-02 00:44:18 | use ipv4_check and ipv6_check to well, check ip headers before running pf. unlike bridge(4), these checks are only run when the packet is entering the veb/tpmr topology. the assumption is that only valid IP packets end up inside the topology so we don't have to check them when they're leaving. ok bluhm@ sashan@ | ||
| b35addb2 | 2021-06-02 00:40:51 | use ipv4_check and ipv6_check provided by the network stacks. this removes the duplication of the check code, and lets the v6 code in particular pick up a lot more sanity checks around valid addresses on the wire. ok bluhm@ sashan@ | ||
| 66f5a49c | 2021-06-01 14:23:34 | Check `so_state' in rtm_senddesync() and return if SS_ISCONNECTED or SS_CANTRCVMORE bits are set. The first check required to prevent timeout_add(9) reschedule `rop_timeout', otherwise timeout_del_barrier(9) can't help us. The second check is for the case when shutdown(2) with SHUT_RD argument occurred on this socket and we should not receive anything include RTM_DESYNC packets. ok claudio@ | ||
| e793fd61 | 2021-06-01 09:57:11 | a couple of minor whitespace tweaks. no functional change. am i a pf hacker now? | ||
| b688c8f8 | 2021-05-30 21:01:27 | Declare all struct protosw as constant. OK mvs@ | ||
| d103d05a | 2021-05-27 03:46:15 | ajacoutot says i missed copying some bits from bridge for divert-to. | ||
| 884f1619 | 2021-05-27 03:43:23 | ajacouto says i missed copying some bits from bridge for divert-to. | ||
| 2537beac | 2021-05-26 08:28:34 | Use `so_lock' to protect key management (PF_KEY) sockets. This can be done because we have no cases where one thread should lock two sockets simultaneously. tested by yasuoka@ ok bluhm@ markus@ | ||
| e4207ed0 | 2021-05-26 06:44:28 | add support for pf divert-to on tpmr, like what was done for veb(4). when a divert-to rule applies to a packet, pf doesnt take the packet away and shove it in the socket directly. pf marks the packet, and then ip (or ipv6) input processing looks at the mark and picks the local socket to queue it on. because tpmr operates at layer 2, ip input has no chance to look at the packet and let the divert socket steal it. bridge(4) and now veb(4) handle this by checking if the packet has the pf divert to mark set on it and calls ip input if it's set. this copies the semantic to tpmr. | ||
| 603ab61f | 2021-05-26 02:38:01 | support divert-to when pf applies it to a packet. when a divert-to rule applies to a packet, pf doesnt take the packet away and shove it in the socket directly. pf marks the packet, and then ip (or ipv6) input processing looks at the mark and picks the local socket to queue it on. because veb operates at layer 2, ip input processing only occurred if the packet was destined to go into a vport interface. bridge(4) handles this by checking if the packet has the pf divert to mark set on it and calls ip input if it's set. this copies the semantic to veb. this allows divert-to to steal (take?) packets going over a veb and process them on a local socket. reported by ajacatot@ |