Page MenuHomeFreeBSD

pf: Access r->rpool.cur->kif under mutex protection
ClosedPublic

Authored by vegeta_tuxpowered.net on Aug 23 2023, 11:13 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Sep 9, 8:30 AM
Unknown Object (File)
Mon, Sep 9, 8:30 AM
Unknown Object (File)
Sun, Sep 8, 3:27 PM
Unknown Object (File)
Sun, Sep 8, 11:40 AM
Unknown Object (File)
Thu, Aug 29, 10:31 PM
Unknown Object (File)
Tue, Aug 20, 7:54 PM
Unknown Object (File)
Aug 14 2024, 3:11 AM
Unknown Object (File)
Aug 8 2024, 1:20 PM

Details

Summary

pf_route() sends traffic to a specified next hop over a specific interface. The next hop is obtained in pf_map_addr() but the interface is obtained directly via r->rpool.cur->kif` outside of the lock held in pf_map_addr() in multiple places around pf. The chosen interface is not stored in source node.

Move the interface selection into pf_map_addr(), have the function return it together with the chosen IP address and ensure it's stored in struct pf_ksrc_node, store it in the source node and use the stored value when needed.

Sponsored by: InnoGames GmbH

Test Plan

I've ran the tests from /usr/tests/sys/netpfil/pf, all pass. The issue was found when playing with this rule:

pass in quick on n_test_h_rtr \
    route-to { ( n_srv_h_rtr <serversA> ) , ( nonexistent <serversB> ) } round-robin sticky-address \
    proto tcp \
    to <lb_pool> port 80 \
    tag maciora

The client has multiple IP addresses it can use as source. It first makes a connection from source1 which lands on serverA2@n_srv_h_rtr (this thing always starts at 2 for whatever reason, that is not important for this bug). Then the next connection is made from source2 and lands on serverA3@n_srv_h_rtr. The next connection is made from source3 and lands on serverB1@nonexistent. This updates r->rpool.cur which is now used for all new connections, even ones matching existing source nodes. A new connection from the client from source1 fails because it gets mapped to serverA2@nonexistent, as only the IP address is stored in the source node.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

vegeta_tuxpowered.net edited the test plan for this revision. (Show Details)
This revision was not accepted when it landed; it landed in state Needs Review.Aug 24 2023, 1:09 PM
This revision was automatically updated to reflect the committed changes.