Page MenuHomeFreeBSD

pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx mutex
ClosedPublic

Authored by vegeta_tuxpowered.net on Feb 4 2024, 9:01 PM.
Tags
None
Referenced Files
F102840436: D43741.id133892.diff
Sun, Nov 17, 8:45 PM
Unknown Object (File)
Oct 16 2024, 9:22 PM
Unknown Object (File)
Oct 16 2024, 9:22 PM
Unknown Object (File)
Oct 16 2024, 9:22 PM
Unknown Object (File)
Oct 16 2024, 9:22 PM
Unknown Object (File)
Oct 16 2024, 8:49 PM
Unknown Object (File)
Oct 3 2024, 5:02 PM
Unknown Object (File)
Sep 30 2024, 2:33 AM

Details

Summary

The redirection pool stored in r->rpool.cur is used for loadbalancing and cur can change whenever loadbalancing happens, which is for every new connection. Therefore it can't be trusted outside of pf_map_addr() and the r->rpool->mtx mutex. After evaluating the ruleset, loadbalancing decission is made in pf_map_addr() called from within pf_create_state() and stored in the state itself.

This patch modifies BOUND_IFACE() so that it only uses the information already stored in the state which has been obtained in a way which respects the r->rpool->mtx mutex.

Test Plan

I've ran the test suite.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

vegeta_tuxpowered.net retitled this revision from pf: Ensure state->kif override accesses locked redirection pool to pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx mutex.
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)

A slightly less invasive patch.

Thanks for catching that.

This revision is now accepted and ready to land.Feb 5 2024, 9:17 PM