pf: ensure mbufs are writable
ClosedPublic
Actions

Authored by kp on Sep 10 2024, 8:20 PM.

Details

Reviewers

Group Reviewers

network
pfsense

Commits

rG423b1069af74: pf: ensure mbufs are writable

Summary

Ensure that we can modify mbufs before we start processing them. There are a
number of paths where pf will m_copyback() or otherwise modify a packet. Ensure
that this is safe to do.

For example, ip6_forward() will m_copym() the packet before handing it to the
output pfil hook. This results in a non-writable mbuf, which would trigger
assertion failures (see previous commit).

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Sep 10 2024, 8:20 PM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptSep 10 2024, 8:20 PM

kp requested review of this revision.Sep 10 2024, 8:20 PM

Harbormaster completed remote builds in B59428: Diff 143211.Sep 10 2024, 8:20 PM

glebius accepted this revision as: glebius.Sep 11 2024, 1:57 AM

glebius added inline comments.

sys/netpfil/pf/pf.c
8418–8423	Not insisting on this style, but I would write it down this way.

This revision is now accepted and ready to land.Sep 11 2024, 1:57 AM

kp added inline comments.Sep 11 2024, 6:23 AM

sys/netpfil/pf/pf.c
8418–8423	I'll include the __predict_false, because that's just clearly better. I'll also change it to set m at the same time. It doesn't break anything if it's not there because we do set it again with the pull-up later, but we should be consistent about it. I don't like that one-line construct though. Perhaps your brain is just larger than mine.