Revision tags: release/14.2.0

b9c0321d | 23-Nov-2024 | Kajetan Staszkiewicz <ks@FreeBSD.org>
pf: Fix source node locking
Source nodes are created quite early in pf_create_state(), even before the state is allocated, locked and inserted into its hash row. They are prone to being freed by source node killing or clearing ioctl while pf_create_state() is still running.
The function pf_map_addr_sn() can be called in two very different paths.
One is for filter rules where it is called from pf_create_state() after pf_insert_src_node(). In this case it is called with a given source node and does not perform its own search and must return the source node.
The other one is for NAT rules where it is called from pf_get_translation() or its descendants. In this case it is called with no known source node and performs its own search for source nodes. This source node is then passed back to pf_create_state() without locking.
The states property of the source node is increased in pf_find_src_node(), which allows the counter to increase when a packet matches the NAT rule but not a pass keep state rule.
The function pf_map_addr() operates on an unlocked source node.
Modify pf_find_src_node() to return the source node locked when one is found, so that any subsequent operations can access the source node safely.
Move sn->states++ counter increase to pf_insert_src_node() to ensure that it's called only from pf_create_state() and not from NAT ruleset path, and have it increased only if the source node has really been inserted or found, simplifying the cleanup.
Add locking in pf_src_connlimit() and pf_map_addr(). Sprinkle mutex assertions in pf_map_addr().
Add a function pf_src_node_exists() to check a known source node is still valid. Use it in pf_create_state() where it's impossible to hold locks from pf_insert_src_node() because that would cause LoR (nodes first, then state) against pf_src_connlimit() (state first, then node).
Don't propagate the source node found while parsing the NAT ruleset to pf_create_state() because it must be found again and locked or created.
Reviewed by: kp
Approved by: kp (mentor)
Sponsored by: InnoGames GmbH
Differential Revision: https://reviews.freebsd.org/D47770

65b20771 | 12-Nov-2024 | Kajetan Staszkiewicz <ks@FreeBSD.org>
pf tests: Simplify handling of pfctl -s
Some pf tests check the output of pfctl -s[sSr] to find if relevant states, source nodes or rules exist and if their counters have proper values. The output is multiple lines per entry and contains varying amount of whitespace. This makes parsing it rather hard.
Provide a function for standardization of output of pfctl -s[sSr] which converts the output to a single line per entry and reduces whitespace always to a single space. Adjust existing tests to make use of this function.
Reviewed by: kp
Approved by: kp (mentor)
Differential Revision: https://reviews.freebsd.org/D47435

a4e64fcd | 06-Nov-2024 | Kristof Provost <kp@FreeBSD.org>
pf tests: test kill and clear source nodes paths
Sponsored by: Rubicon Communications, LLC ("Netgate")

3ec4fbdd | 28-Sep-2024 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf tests: Add test for max-src-states
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46840

6ffd4aeb | 28-Sep-2024 | Kajetan Staszkiewicz <vegeta@tuxpowered.net>
pf tests: add a test for max-src-conn
Switch tests using pft_ping.py to inetd. Netcat can only accept a single connection, we need multiple parallel connections to test max-src-conn. Use the discard service and modify pft_ping.py to use proper port number.
Implement functionality of 3-way handshake test in pft_ping.py. Make send_params accessible to sniffer, because answers to SYN+ACK packets should be sent with the same parameters as the original SYN packet.
Finally add a test for max-src-conn and overload.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D46798

Revision tags: release/13.4.0, release/14.1.0, release/13.3.0, release/14.0.0

d0b2dbfa | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: one-line sh pattern
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

Revision tags: release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0, release/13.0.0

d8f541d9 | 20-Nov-2020 | Kristof Provost <kp@FreeBSD.org>
pf tests: Basic source tracking test
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D27255