Date: Fri, 24 Jan 2025 10:24:59 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 5cb08fddef99 - main - pfctl: improve NAT pool handling Message-ID: <202501241024.50OAOx0j038302@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=5cb08fddef998b5e6452df3f52474e00883e06c4 commit 5cb08fddef998b5e6452df3f52474e00883e06c4 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-01-20 13:11:20 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-01-24 10:20:29 +0000 pfctl: improve NAT pool handling Ensure we always free the NAT pool (as well as the rdr pool) and actually handle it in the optimiser. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/parse.y | 1 + sbin/pfctl/pfctl.c | 5 +++++ sbin/pfctl/pfctl_optimize.c | 13 ++++++++++++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 2bd8e16b535b..e66d3cdd295e 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -5171,6 +5171,7 @@ binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag } TAILQ_INIT(&binat.rdr.list); + TAILQ_INIT(&binat.nat.list); pa = calloc(1, sizeof(struct pf_pooladdr)); if (pa == NULL) err(1, "binat: calloc"); diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 9da13daee063..7b54bc1c7c7a 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1324,6 +1324,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, break; } pfctl_clear_pool(&rule.rdr); + pfctl_clear_pool(&rule.nat); } ret = pfctl_get_rules_info_h(pfh, &ri, PF_PASS, path); if (ret != 0) { @@ -1410,6 +1411,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, break; } pfctl_clear_pool(&rule.rdr); + pfctl_clear_pool(&rule.nat); } error: @@ -1757,6 +1759,8 @@ pfctl_append_rule(struct pfctl *pf, struct pfctl_rule *r, bcopy(r, rule, sizeof(*rule)); TAILQ_INIT(&rule->rdr.list); pfctl_move_pool(&r->rdr, &rule->rdr); + TAILQ_INIT(&rule->nat.list); + pfctl_move_pool(&r->nat, &rule->nat); TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries); return (0); @@ -2086,6 +2090,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth) } path[len] = '\0'; pfctl_clear_pool(&r->rdr); + pfctl_clear_pool(&r->nat); return (0); } diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c index 48b9a9caa82d..a97664e0c929 100644 --- a/sbin/pfctl/pfctl_optimize.c +++ b/sbin/pfctl/pfctl_optimize.c @@ -136,6 +136,7 @@ static struct pf_rule_field { PF_RULE_FIELD(overload_tblname, BREAK), PF_RULE_FIELD(flush, BREAK), PF_RULE_FIELD(rdr, BREAK), + PF_RULE_FIELD(nat, BREAK), PF_RULE_FIELD(logif, BREAK), /* @@ -296,7 +297,12 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pfctl_ruleset *rs) } else bzero(&por->por_rule.rdr, sizeof(por->por_rule.rdr)); - + if (TAILQ_FIRST(&r->nat.list) != NULL) { + TAILQ_INIT(&por->por_rule.nat.list); + pfctl_move_pool(&r->nat, &por->por_rule.nat); + } else + bzero(&por->por_rule.nat, + sizeof(por->por_rule.nat)); TAILQ_INSERT_TAIL(&opt_queue, por, por_entry); } @@ -327,6 +333,8 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pfctl_ruleset *rs) memcpy(r, &por->por_rule, sizeof(*r)); TAILQ_INIT(&r->rdr.list); pfctl_move_pool(&por->por_rule.rdr, &r->rdr); + TAILQ_INIT(&r->nat.list); + pfctl_move_pool(&por->por_rule.nat, &r->nat); TAILQ_INSERT_TAIL( rs->rules[PF_RULESET_FILTER].active.ptr, r, entries); @@ -915,6 +923,9 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks) if (TAILQ_EMPTY(&por->por_rule.rdr.list)) memset(&por->por_rule.rdr, 0, sizeof(por->por_rule.rdr)); + if (TAILQ_EMPTY(&por->por_rule.nat.list)) + memset(&por->por_rule.nat, 0, + sizeof(por->por_rule.nat)); TAILQ_INSERT_TAIL(&queue, por, por_entry); /* XXX pfctl_get_pool(pf->dev, &rule.rdr, nr, pr.ticket,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202501241024.50OAOx0j038302>