From nobody Fri Jan 24 10:24:59 2025
Date: Fri, 24 Jan 2025 10:24:59 GMT
Message-Id: <202501241024.50OAOx0j038302@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 5cb08fddef99 - main - pfctl: improve NAT pool handling
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5cb08fddef998b5e6452df3f52474e00883e06c4
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=5cb08fddef998b5e6452df3f52474e00883e06c4

commit 5cb08fddef998b5e6452df3f52474e00883e06c4
Author:     Kristof Provost
AuthorDate: 2025-01-20 13:11:20 +0000
Commit:     Kristof Provost
CommitDate: 2025-01-24 10:20:29 +0000

    pfctl: improve NAT pool handling

    Ensure we always free the NAT pool (as well as the rdr pool) and actually
    handle it in the optimiser.

    Sponsored by:	Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y          |  1 +
 sbin/pfctl/pfctl.c          |  5 +++++
 sbin/pfctl/pfctl_optimize.c | 13 ++++++++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 2bd8e16b535b..e66d3cdd295e 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -5171,6 +5171,7 @@ binatrule : no BINAT natpasslog interface af proto FROM ipspec toipspec tag } TAILQ_INIT(&binat.rdr.list); + TAILQ_INIT(&binat.nat.list); pa = calloc(1, sizeof(struct pf_pooladdr)); if (pa == NULL) err(1, "binat: calloc"); diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 9da13daee063..7b54bc1c7c7a 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c
@@ -1324,6 +1324,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, break; } pfctl_clear_pool(&rule.rdr); + pfctl_clear_pool(&rule.nat); } ret = pfctl_get_rules_info_h(pfh, &ri, PF_PASS, path); if (ret != 0) { @@ -1410,6 +1411,7 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format, break; } pfctl_clear_pool(&rule.rdr); + pfctl_clear_pool(&rule.nat); } error: @@ -1757,6 +1759,8 @@ pfctl_append_rule(struct pfctl *pf, struct pfctl_rule *r, bcopy(r, rule, sizeof(*rule)); TAILQ_INIT(&rule->rdr.list); pfctl_move_pool(&r->rdr, &rule->rdr); + TAILQ_INIT(&rule->nat.list); + pfctl_move_pool(&r->nat, &rule->nat); TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries); return (0); @@ -2086,6 +2090,7 @@ pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth) } path[len] = '\0'; pfctl_clear_pool(&r->rdr); + pfctl_clear_pool(&r->nat); return (0); } diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c index 48b9a9caa82d..a97664e0c929 100644 --- a/sbin/pfctl/pfctl_optimize.c +++ b/sbin/pfctl/pfctl_optimize.c @@ -136,6 +136,7 @@ static struct pf_rule_field { PF_RULE_FIELD(overload_tblname, BREAK), PF_RULE_FIELD(flush, BREAK), PF_RULE_FIELD(rdr, BREAK), + PF_RULE_FIELD(nat, BREAK), PF_RULE_FIELD(logif, BREAK), /* @@ -296,7 +297,12 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pfctl_ruleset *rs) } else bzero(&por->por_rule.rdr, sizeof(por->por_rule.rdr)); - + if (TAILQ_FIRST(&r->nat.list) != NULL) { + TAILQ_INIT(&por->por_rule.nat.list); + pfctl_move_pool(&r->nat, &por->por_rule.nat); + } else + bzero(&por->por_rule.nat, + sizeof(por->por_rule.nat)); TAILQ_INSERT_TAIL(&opt_queue, por, por_entry); } 
@@ -327,6 +333,8 @@ pfctl_optimize_ruleset(struct pfctl *pf, struct pfctl_ruleset *rs) memcpy(r, &por->por_rule, sizeof(*r)); TAILQ_INIT(&r->rdr.list); pfctl_move_pool(&por->por_rule.rdr, &r->rdr); + TAILQ_INIT(&r->nat.list); + pfctl_move_pool(&por->por_rule.nat, &r->nat); TAILQ_INSERT_TAIL( rs->rules[PF_RULESET_FILTER].active.ptr, r, entries); @@ -915,6 +923,9 @@ load_feedback_profile(struct pfctl *pf, struct superblocks *superblocks) if (TAILQ_EMPTY(&por->por_rule.rdr.list)) memset(&por->por_rule.rdr, 0, sizeof(por->por_rule.rdr)); + if (TAILQ_EMPTY(&por->por_rule.nat.list)) + memset(&por->por_rule.nat, 0, + sizeof(por->por_rule.nat)); TAILQ_INSERT_TAIL(&queue, por, por_entry); /* XXX pfctl_get_pool(pf->dev, &rule.rdr, nr, pr.ticket,
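Review bot: in the parse.y binatrule hunk, TAILQ_INIT(&binat.nat.list) is what makes the later pfctl_clear_pool(&rule.nat) and pfctl_move_pool(&r->nat, ...) safe on a binat rule that never attaches a nat address; the hunk only shows the rdr side getting its pf_pooladdr. Confirm that the other rule productions which reach pfctl_append_rule initialise nat.list the same way, otherwise the new move in pfctl_append_rule walks an uninitialised list head.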
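Review bot: in both pfctl_show_rules hunks the `break;` immediately above the clears leaves the loop without running pfctl_clear_pool(&rule.rdr) / pfctl_clear_pool(&rule.nat); if that break can follow a rule whose pools were already fetched, the leak this commit fixes survives on that exit path, and nothing visible after the `error:` label frees them either. Either move the two clears to the loop's exit points or note why the break can only happen before the pools are populated.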
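Review bot: in the pfctl_append_rule hunk the TAILQ_INIT(&rule->nat.list) has to stay between the bcopy and pfctl_move_pool: bcopy copies r's list head pointers into rule, so without the init rule->nat.list and r->nat.list would share a tqh_last pointer and the move would corrupt both. A one-line comment on why the init is not redundant (the same applies to the rdr pair above it) would stop the next reader from "simplifying" it away.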
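Review bot: in the pfctl_load_rule hunk the new pfctl_clear_pool(&r->nat) only sits on the `return (0)` path; check that the earlier error returns in this function (not in the hunk) release r->nat as well as r->rdr, otherwise a failed load still leaks the NAT pool.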
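Review bot: PF_RULE_FIELD(nat, BREAK) makes the optimizer's field comparison look at the nat pool struct, list head pointers included, when deciding whether two rules can be merged; two rules with empty nat pools presumably only compare equal because the bzero / memset of an empty pool in the pfctl_optimize_ruleset and load_feedback_profile hunks zero those pointers first. That coupling is easy to break later, so add a comment next to the table entry (or next to the zeroing) stating the dependency.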
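Review bot: in the first pfctl_optimize_ruleset hunk the nat branch tests `TAILQ_FIRST(&r->nat.list) != NULL` while the load_feedback_profile hunk tests the same condition with TAILQ_EMPTY; use TAILQ_EMPTY in both places. The `} else` followed by a two-line bzero(...) call without braces also reads badly beside the braced if arm; brace both arms.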
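Review bot: the second pfctl_optimize_ruleset hunk is the third copy in this patch of the copy-struct / TAILQ_INIT / pfctl_move_pool sequence done for both pools (pfctl_append_rule, the earlier pfctl_optimize_ruleset hunk, and here); a small helper that moves rdr and nat together would have made the missing nat handling this commit repairs impossible to forget, and would keep any future pool from repeating it.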
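Review bot: in the load_feedback_profile hunk the memset of an empty nat pool mirrors rdr, but the `/* XXX pfctl_get_pool(pf->dev, &rule.rdr, nr, pr.ticket,` comment that follows still mentions only the rdr pool; if that fetch is ever re-enabled it now also needs the nat pool, so update the XXX comment (or resolve it) rather than leaving another rdr-only spot behind.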