Page MenuHomeFreeBSD
Differential D49551

pf: don't use state keys after pf_state_insert()
AcceptedPublic
Actions

Authored by kp on Fri, Mar 28, 2:47 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Mar 30, 1:15 AM
Unknown Object (File)
Sat, Mar 29, 6:46 PM
Unknown Object (File)
Sat, Mar 29, 6:02 PM
Subscribers
ae
farrokhi
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
glebius
markj
Group Reviewers
network
Summary

pf_state_insert() may free the state keys, it's not safe to access these
pointers after the call.

Introduce osrc/odst (similar to osport/odport) to store the original source and
destination addresses. This allows us to undo NAT transformations without having
to access the state keys.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 63175
Build 60059: arc lint + arc unit

Event Timeline

kp created this revision.Fri, Mar 28, 2:47 PM
Herald added subscribers: vegeta_tuxpowered.net, melifaro, farrokhi and 2 others. · View Herald TranscriptFri, Mar 28, 2:47 PM
kp requested review of this revision.Fri, Mar 28, 2:47 PM
Harbormaster completed remote builds in B63175: Diff 152790.Fri, Mar 28, 2:47 PM
kp added a parent revision: D49550: pf: improve pf_state_key_attach() error handling.Fri, Mar 28, 2:47 PM
kp added a child revision: D49552: pf: simplify action resolution in pf_test_rule().
glebius accepted this revision as: glebius.Fri, Mar 28, 8:08 PM

The pf_pdesc is always on the stack, is it?

This revision is now accepted and ready to land.Fri, Mar 28, 8:08 PM
markj accepted this revision as: markj.Sat, Mar 29, 8:18 AM
markj added inline comments.
sys/netpfil/pf/pf.c
6266

Maybe it'd be nice to deduplicate this with the identical code in pf_return().

9927

This turns into a function call where we switch on af, even though we know its value here. It'd be nicer to have pf_addrcpy() be inlined, at least when the value of af is known at compile-time. Or have pf_addrcpy_inet()/pf_addrcpy_inet6().

kp added a comment.Sat, Mar 29, 9:44 AM
In D49551#1129918, @glebius wrote:

The pf_pdesc is always on the stack, is it?

Yes. In pf_test().
There's another instance in pf_icmp_state_lookup(), for the embedded packet in ICMP errors. That's on the stack too.

kp added inline comments.Sat, Mar 29, 9:53 AM
sys/netpfil/pf/pf.c
6266

I'll propose a separate commit for that.

9927

I'm tempted to move pf_addrcpy() into pfvar.h so we can leave that to the compiler.
We basically always 'PF_ACPY()' to copy addresses, and I'd like to not have to think about why we sometimes do and sometimes don't.

markj added inline comments.Sat, Mar 29, 12:49 PM
sys/netpfil/pf/pf.c
9927

That makes sense to me. I'd maybe also hardcode the value of af here, i.e., PF_ACPY(..., AF_INET6), just in case.

Revision Contents
Changeset List

PathSize
sys/
net/
2 lines
netpfil/
pf/
30 lines

Diff 152790

View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...