
Avoid double reference decrement when firewalls force relooping of packets
Closed, Public

Authored by eri on Jul 9 2015, 12:14 PM.

Details

Summary

When firewalls force a reloop of packets and the caller supplied a route, the reference to the route might be reduced twice, creating issues.
This is especially the scenario when a packet is looped because of an operation in the firewall but the new route lookup gives a down route.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

eri updated this revision to Diff 6817. Jul 9 2015, 12:14 PM
eri retitled this revision from to Avoid double reference decrement when firewalls force relooping of packets.
eri updated this object.
eri edited the test plan for this revision.
eri added a reviewer: gnn.
eri set the repository for this revision to rS FreeBSD src repository.
eri added a project: network.
eri added a subscriber: network.
gnn added a reviewer: rwatson. Jul 24 2015, 1:33 PM
eri added a comment. Jul 24 2015, 5:26 PM

It would be more visible if you take this into consideration https://reviews.freebsd.org/D3022

gnn accepted this revision. Jul 27 2015, 3:08 PM
gnn edited edge metadata.

This is approved for the tree but I would like you to amend this review with a test that we can use to agree that this fix works.

This revision is now accepted and ready to land. Jul 27 2015, 3:08 PM
eri added a comment. Jul 29 2015, 5:54 PM

A test case is, for example, trying to change the fib to use when forwarding a packet by the firewall.
Also, the route needs to point to a route that is marked down for some reason... (like the interface is not in up state).
Load pf/ipfw and try changing the fib to be used with appropriate rules; this will trigger the bug.

This revision was automatically updated to reflect the committed changes.