pf :Use counter(9) in pf tables.
Closed, Public

Authored by kristof on Tue, Mar 12, 12:45 PM.

Details

Summary

The counters of pf tables are updated outside the rule lock. That means state
updates might overwrite each other. Furthermore, allocation and
freeing of counters happen outside the lock as well.

Use counter(9) for the counters, and always allocate the counter table
element, so that the race condition cannot happen any more.

Submitted by: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
PR: 230619
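
The lost update described in the summary, replayed deterministically in a userspace model (an added example, not code from this revision or from the FreeBSD tree). The `pcpu_*` and `shared_interleaved` names are hypothetical and only mimic the per-CPU idea behind counter(9); they are not its API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NCPU 2   /* constructed: two CPUs are enough to show the race */

/* Userspace model of a per-CPU counter: one slot per CPU, summed on read. */
struct pcpu_counter { uint64_t slot[NCPU]; };

/* Allocated when the entry is created, never lazily on first update. */
static struct pcpu_counter *pcpu_alloc(void) {
    return calloc(1, sizeof(struct pcpu_counter));
}
/* Each CPU writes only its own slot, so updates cannot overwrite each other. */
static void pcpu_add(struct pcpu_counter *c, int cpu, uint64_t n) {
    c->slot[cpu] += n;
}
static uint64_t pcpu_fetch(const struct pcpu_counter *c) {
    uint64_t sum = 0;
    for (int i = 0; i < NCPU; i++)
        sum += c->slot[i];
    return sum;
}

/*
 * Replay the unlocked update "shared += n" from two CPUs with the load and
 * store steps interleaved: both load the old value, then both store.
 */
static uint64_t shared_interleaved(uint64_t start, uint64_t n0, uint64_t n1) {
    uint64_t shared = start;
    uint64_t reg0 = shared;      /* CPU 0 loads */
    uint64_t reg1 = shared;      /* CPU 1 loads the same old value */
    shared = reg0 + n0;          /* CPU 0 stores */
    shared = reg1 + n1;          /* CPU 1 stores, overwriting CPU 0's update */
    return shared;
}

/* The same two updates, each applied to the updating CPU's own slot. */
static uint64_t pcpu_interleaved(uint64_t n0, uint64_t n1) {
    struct pcpu_counter *c = pcpu_alloc();
    if (c == NULL)
        return 0;
    pcpu_add(c, 0, n0);
    pcpu_add(c, 1, n1);
    uint64_t total = pcpu_fetch(c);
    free(c);
    return total;
}

int main(void) {
    printf("shared:  %llu\n", (unsigned long long)shared_interleaved(0, 100, 40));
    printf("per-CPU: %llu\n", (unsigned long long)pcpu_interleaved(100, 40));
    return 0;
}
```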

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kristof created this revision. Tue, Mar 12, 12:45 PM
kristof edited the summary of this revision.
glebius accepted this revision. Tue, Mar 12, 9:35 PM
glebius added a subscriber: glebius.
glebius added inline comments.
sys/netpfil/pf/pf_table.c
794 ↗(On Diff #54970)

Let's put a comment that previous allocation isn't leaked, since any failure of pfr_create_kentry_counter() is followed by pfr_destroy_kentry(ke).

This revision is now accepted and ready to land. Tue, Mar 12, 9:35 PM
kristof updated this revision to Diff 55023. Wed, Mar 13, 4:17 PM

Add comment

This revision now requires review to proceed. Wed, Mar 13, 4:17 PM
This revision was not accepted when it landed; it landed in state Needs Review. Fri, Mar 15, 11:09 AM
Closed by commit rS345177: pf :Use counter(9) in pf tables. (authored by kp, committed by ).
This revision was automatically updated to reflect the committed changes.