From nobody Tue Feb 06 16:25:27 2024
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Date: Tue, 6 Feb 2024 16:25:27 GMT
Message-Id: <202402061625.416GPRbI066622@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 58a26743145a - main - pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx mutex
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 58a26743145a0092903125973512035e97d41237
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=58a26743145a0092903125973512035e97d41237

commit 58a26743145a0092903125973512035e97d41237
Author:     Kajetan Staszkiewicz
AuthorDate: 2024-02-05 16:22:31 +0000
Commit:     Kristof Provost
CommitDate: 2024-02-06 16:24:28 +0000

    pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx mutex

    The redirection pool stored in r->rpool.cur is used for load balancing and
    cur can change whenever load balancing happens, which is for every new
    connection. Therefore it can't be trusted outside of pf_map_addr() and the
    r->rpool->mtx mutex.

    After evaluating the ruleset, the load-balancing decision is made in
    pf_map_addr() called from within pf_create_state() and stored in the state
    itself. This patch modifies BOUND_IFACE() so that it only uses the
    information already stored in the state which has been obtained in a way
    which respects the r->rpool->mtx mutex.

    Reviewed by:	kp
    Differential Revision:	https://reviews.freebsd.org/D43741
---
 sys/netpfil/pf/pf.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 9f2c07c614b3..12b72f50aa02 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -413,25 +413,22 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]); } while (0) static struct pfi_kkif * -BOUND_IFACE(struct pf_krule *r, struct pfi_kkif *k, struct pf_pdesc *pd) +BOUND_IFACE(struct pf_kstate *st, struct pfi_kkif *k) { /* Floating unless otherwise specified. */ - if (! (r->rule_flag & PFRULE_IFBOUND)) + if (! (st->rule.ptr->rule_flag & PFRULE_IFBOUND)) return (V_pfi_all); /* Don't overrule the interface for states created on incoming packets. */ - if (pd->dir == PF_IN) - return (k); - - /* No route-to, so don't overrrule. */ - if (r->rt != PF_ROUTETO) + if (st->direction == PF_IN) return (k); - if (r->rpool.cur == NULL) + /* No route-to, so don't overrule. */ + if (st->rt != PF_ROUTETO) return (k); /* Bind to the route-to interface. */ - return (r->rpool.cur->kif); + return (st->rt_kif); } #define STATE_INC_COUNTERS(s) \ @@ -5018,7 +5015,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, __func__, nr, sk, nk)); /* Swap sk/nk for PF_OUT. */ - if (pf_state_insert(BOUND_IFACE(r, kif, pd), kif, + if (pf_state_insert(BOUND_IFACE(s, kif), kif, (pd->dir == PF_IN) ? sk : nk, (pd->dir == PF_IN) ? nk : sk, s)) { REASON_SET(&reason, PFRES_STATEINS);
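Review bot: in the first hunk, the removed guard `if (r->rpool.cur == NULL) return (k);` has no counterpart for `st->rt_kif`: once `st->rt == PF_ROUTETO` the rewritten BOUND_IFACE() returns `st->rt_kif` unconditionally, so a state whose rt_kif was never populated would hand a NULL kif to pf_state_insert(). Either fall back to `k` when `st->rt_kif == NULL`, or make the invariant the commit message relies on (pf_map_addr() always records the route-to interface in the state) explicit with a `KASSERT(st->rt_kif != NULL, ...)` just before the `return (st->rt_kif);` line.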
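Review bot: in the second hunk the call site now passes `s` to BOUND_IFACE(), which reads s->rule.ptr, s->direction, s->rt and s->rt_kif, so the interface binding is only correct if pf_map_addr() has already run for this state earlier in pf_create_state(); that ordering is not visible in the hunk. A one-line comment above the `if (pf_state_insert(BOUND_IFACE(s, kif), kif,` call, saying that s->rt_kif was chosen by pf_map_addr() under r->rpool.mtx, would keep a future reordering from silently reintroducing a read of r->rpool.cur.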
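The commit message's argument, that r->rpool.cur advances on every new connection and so cannot be consulted outside pf_map_addr() and the pool mutex, can be shown with a small constructed user-space model. This is an added example, not pf's code or anything from the FreeBSD tree: the struct names (rpool, cur, kif, rt_kif), the counter standing in for the mutex, and the interface names em0/em1/em2 and igb0 are all assumptions made for illustration. It runs two connections through a three-member round-robin pool and compares the pre-commit lookup (re-reading cur after the fact) with the post-commit one (reading the interface recorded in the state):

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the hazard the commit describes. The types are
 * toys named after pf's (rpool, cur, kif, rt_kif); they are not pf's
 * structures, and the "mutex" is a held-counter, not a real lock.
 */
struct kif { const char *name; };
struct pool_member { struct kif *kif; struct pool_member *next; };

struct toy_mtx { int held; };
static void mtx_lock(struct toy_mtx *m)   { assert(!m->held); m->held = 1; }
static void mtx_unlock(struct toy_mtx *m) { assert(m->held);  m->held = 0; }

struct rpool {
    struct toy_mtx mtx;
    struct pool_member *cur;   /* cursor advanced by every new connection */
};

struct kstate {
    int rt;                    /* 1 stands in for PF_ROUTETO */
    struct kif *rt_kif;        /* interface recorded at state creation */
};

/* Stand-in for pf_map_addr(): pick the current member for this connection,
 * record the choice in the state and advance the cursor, all under mtx. */
static void map_addr(struct rpool *rp, struct kstate *st)
{
    mtx_lock(&rp->mtx);
    st->rt = 1;
    st->rt_kif = rp->cur->kif;
    rp->cur = rp->cur->next;
    mtx_unlock(&rp->mtx);
}

/* Pre-commit shape: re-read rpool->cur, unlocked, after the decision
 * for this state was already made. */
static struct kif *bound_iface_old(struct rpool *rp, struct kif *k)
{
    if (rp->cur == NULL)
        return (k);
    return (rp->cur->kif);
}

/* Post-commit shape: consult only what the state already carries. */
static struct kif *bound_iface_new(struct kstate *st, struct kif *k)
{
    if (st->rt != 1)
        return (k);
    return (st->rt_kif);
}

struct views {
    const char *chosen;    /* what map_addr() picked for state A */
    const char *old_view;  /* what the old lookup reports for A afterwards */
    const char *new_view;  /* what the new lookup reports for A afterwards */
};

/* Three-member pool, two connections: A is mapped first, then B advances
 * the cursor. The old lookup for A then reports the cursor's position,
 * not the interface A was actually given. */
static struct views run_scenario(void)
{
    static struct kif em0 = { "em0" }, em1 = { "em1" }, em2 = { "em2" };
    static struct kif pkt_kif = { "igb0" };   /* interface the packet arrived on */
    struct pool_member m0, m1, m2;
    struct rpool rp = { { 0 }, &m0 };
    struct kstate a = { 0, NULL }, b = { 0, NULL };
    struct views v;

    m0.kif = &em0; m0.next = &m1;
    m1.kif = &em1; m1.next = &m2;
    m2.kif = &em2; m2.next = &m0;

    map_addr(&rp, &a);          /* A -> em0, cur -> m1 */
    map_addr(&rp, &b);          /* B -> em1, cur -> m2 */

    v.chosen   = a.rt_kif->name;
    v.old_view = bound_iface_old(&rp, &pkt_kif)->name;
    v.new_view = bound_iface_new(&a, &pkt_kif)->name;
    return v;
}

/* 1 when the cursor-based lookup no longer matches A's recorded interface. */
static int old_lookup_drifts(void)
{
    struct views v = run_scenario();
    return strcmp(v.chosen, v.old_view) != 0;
}

/* 1 when the state-based lookup still matches A's recorded interface. */
static int new_lookup_is_stable(void)
{
    struct views v = run_scenario();
    return strcmp(v.chosen, v.new_view) == 0;
}

int main(void)
{
    struct views v = run_scenario();
    printf("chosen for A: %s\n", v.chosen);
    printf("old lookup  : %s (%s)\n", v.old_view, old_lookup_drifts() ? "drifted" : "ok");
    printf("new lookup  : %s (%s)\n", v.new_view, new_lookup_is_stable() ? "stable" : "wrong");
    return 0;
}
```

The model is sequential on purpose: in pf the second connection can be created concurrently on another CPU between pf_map_addr() and pf_state_insert(), but the effect on r->rpool.cur is the same as mapping a second connection in order, which is enough to show why the cursor must be snapshotted into the state under the mutex rather than re-read later.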