pf: Handle if_groups with the same name as interfaces
AbandonedPublic
Actions

Authored by kp on Aug 19 2015, 9:23 PM.

Details

Reviewers

Group Reviewers

Summary

pf allows network interfaces and groups to be used interchangeably. They don't
share a namespace so it's possible for an interface and a group to have the same
name.

If that happens we recurse infinitely in pfi_kif_update() because the pfi_kif is
both an interface and a group. That means that the kif is a member of itself.

Simply checking that we're not calling pfi_kif_update() on the current pfi_kif
fixes the panic.

PR: 127042, 202178

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

kp updated this revision to Diff 8072.Aug 19 2015, 9:23 PM

kp retitled this revision from to pf: Handle if_groups with the same name as interfaces.

kp updated this object.

kp edited the test plan for this revision. (Show Details)

kp set the repository for this revision to rS FreeBSD src repository - subversion.

Herald added a subscriber: imp. · View Herald TranscriptAug 19 2015, 9:23 PM

op added a subscriber: op.Aug 19 2015, 10:04 PM

kp added a reviewer: network.Aug 25 2015, 1:19 PM

eri added a reviewer: eri.Aug 25 2015, 5:14 PM

I do not think this is the root cause for this, it just hides another issue.
I think that the result of RB_INSERT should be checked when a group/iface is created should be tested.
If that returns NULL the result should be null.

To me it is not good to have this weirdness in the configuration and nevertheless allow that.

This revision now requires changes to proceed.Aug 25 2015, 5:26 PM

asomers added a subscriber: asomers.Feb 13 2016, 12:12 AM

I'll post a patch with an alternative approach: change the network stack to put ifgroup and interface names in the same namespace.

Alternate approach in https://reviews.freebsd.org/D7528