From nobody Thu Aug 24 13:08:22 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RWk0k6Bt2z4r87N; Thu, 24 Aug 2023 13:08:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RWk0k5j2sz3bYK; Thu, 24 Aug 2023 13:08:22 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1692882502; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jssGnlnZFdAZzbiQe/2uDuyBDS653dmz+z8tDe+dwq4=; b=JYPN8MOGxg5Pue1pGrwlu3y4xnSue9lsMqRVLr6x4VZanA1ILT8OZzemjPM6cCMZ/d8BnY 6EySVxwGOVhMcb6FIrqLPH8EukbOH0ijEvY55pJPsd/1Pov0tY/NQhbZSIrO73JSaLLpPV ryuqPlMtV2JnifshImPwfGdQT5oXqxu1mgy+6xZyaVKt0CjtUDqXJlCFUrUENIKDa6YbCB mL13w4lBaaMpb70xVnY3ASk9pBpldcULdIIVwO+bO1KURTXpG45Gl690UIwj2QmHfBb1Gi fMkVP9Fosc2vPANpxOFMD6NwTNNCBvEwKE/OkFx2O1hTaNxexJG+1BJYmfScGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1692882502; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jssGnlnZFdAZzbiQe/2uDuyBDS653dmz+z8tDe+dwq4=; b=Kij6axQ9oZYGPFwnqNRR3afhcEgaM+0UgJz/udgxvmdUVqEYYmPN0I7NFYtxlspr1mF1BL ii+109t481ZI+gcxJMPiFpuA8jSfcYTQnkwdJpMAy16TG7rN7R/WygtVLSD3ee3fvee/az cEavoW4cDSIW63KVgnRNTwXSyINbeODNt3xkdZs7gzZB93nXRRx9Rcywu0TFfPAxzLrhi9 xsK00xMgr5Q+tS+eTNOsOKYGThDusleJ0NZWPdd1mi9fMhmsEC2mWrzWjneLkewmvnaGeP IxYBsX9Ot3C6FlQfSHcwgFpK6uppAr++V/YPQNzqZmx/Rkt4DdHXe1Gj/q3eBg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1692882502; a=rsa-sha256; cv=none; b=ITk7czVOikm69DmFUy9/iVMMS7HlXeCXJ781lHR2P/aWMbC5uENna95oGZF/z6y+7DzBPe fp6GNhzpuqt9uIhmd2NpxDisEg+VX/Vg8jiHB3mS5gZbcKVYDSKzRLFGBBkh6G6ZoXJfhP ao9CoR3qrM2YCHY0xICkZk1FcPUSW8dr6OznFioBnY93LLpsK7YlxU+jVvbsVuWqZJ5NJb ioJqM+wCaIbFZKze+6sjg/3CccjoSVo9a0A/PqyYbNJe7tve5Grs+t5i0p7JGLMf8NzaiU sZ5EL2E4lk24TI62juNVICTilQZlfA6xy2MRS1MrObPBRipqo50XZfoc0XVGpw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RWk0k4mBHzD9b; Thu, 24 Aug 2023 13:08:22 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 37OD8Mba062641; Thu, 24 Aug 2023 13:08:22 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 37OD8MF7062637; Thu, 24 Aug 2023 13:08:22 GMT (envelope-from git) Date: Thu, 24 Aug 2023 13:08:22 GMT Message-Id: <202308241308.37OD8MF7062637@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: d10de21f2f7d - main - pf: Access r->rpool.cur->kif under mutex protection List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: d10de21f2f7df59344f8611546989b36e4fd867c Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=d10de21f2f7df59344f8611546989b36e4fd867c commit d10de21f2f7df59344f8611546989b36e4fd867c Author: Kajetan Staszkiewicz AuthorDate: 2023-08-24 11:05:33 +0000 Commit: Kristof Provost CommitDate: 2023-08-24 11:05:33 +0000 pf: Access r->rpool.cur->kif under mutex protection pf_route() sends traffic to a specified next hop over a specific interface. The next hop is obtained in pf_map_addr() but the interface is obtained directly via r->rpool.cur->kif` outside of the lock held in pf_map_addr() in multiple places around pf. The chosen interface is not stored in source node. Move the interface selection into pf_map_addr(), have the function return it together with the chosen IP address and ensure its stored in struct pf_ksrc_node, store it in the source node and use the stored value when needed. Sponsored by: InnoGames GmbH MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D41570 --- sys/net/pfvar.h | 5 +++-- sys/netpfil/pf/pf.c | 31 +++++++++++++++++-------------- sys/netpfil/pf/pf_lb.c | 24 +++++++++++++++++++----- 3 files changed, 39 insertions(+), 21 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 21ebca755b3d..f9cb45f696d3 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -873,7 +873,7 @@ struct pf_ksrc_node { struct pf_addr raddr; struct pf_krule_slist match_rules; union pf_krule_ptr rule; - struct pfi_kkif *kif; + struct pfi_kkif *rkif; counter_u64_t bytes[2]; counter_u64_t packets[2]; u_int32_t states; @@ -2474,7 +2474,8 @@ int pf_step_out_of_keth_anchor(struct pf_keth_anchor_stackframe *, u_short pf_map_addr(u_int8_t, struct pf_krule *, struct pf_addr *, struct pf_addr *, - struct pf_addr *, struct pf_ksrc_node **); + struct pfi_kkif **nkif, struct pf_addr *, + struct pf_ksrc_node **); struct pf_krule *pf_get_translation(struct pf_pdesc *, struct mbuf *, int, struct pfi_kkif *, struct pf_ksrc_node **, struct pf_state_key **, struct pf_state_key **, diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index c80553ba017d..a5d7c1ba0155 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4880,15 +4880,14 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, struct pf_krule *a, if (r->rt) { /* pf_map_addr increases the reason counters */ - if ((reason = pf_map_addr(pd->af, r, pd->src, &s->rt_addr, NULL, - &sn)) != 0) { + if ((reason = pf_map_addr(pd->af, r, pd->src, &s->rt_addr, + &s->rt_kif, NULL, &sn)) != 0) { pf_src_tree_remove_state(s); s->timeout = PFTM_UNLINKED; STATE_DEC_COUNTERS(s); pf_free_state(s); goto csfailed; } - s->rt_kif = r->rpool.cur->kif; s->rt = r->rt; } @@ -6700,6 +6699,7 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, struct mbuf *m0, *m1, *md; struct sockaddr_in dst; struct ip *ip; + struct pfi_kkif *nkif = NULL; struct ifnet *ifp = NULL; struct pf_addr naddr; struct pf_ksrc_node *sn = NULL; @@ -6784,21 +6784,22 @@ pf_route(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, goto bad_locked; } pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, - &naddr, NULL, &sn); + &naddr, &nkif, NULL, &sn); if (!PF_AZERO(&naddr, AF_INET)) dst.sin_addr.s_addr = naddr.v4.s_addr; - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; + ifp = nkif ? nkif->pfik_ifp : NULL; } else { if (!PF_AZERO(&s->rt_addr, AF_INET)) dst.sin_addr.s_addr = s->rt_addr.v4.s_addr; ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? + r->rpool.cur->kif->pfik_ifp : NULL; PF_STATE_UNLOCK(s); } - /* If pfsync'd */ - if (ifp == NULL) - ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; + if (ifp == NULL) goto bad; @@ -6913,6 +6914,7 @@ pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, struct mbuf *m0, *md; struct sockaddr_in6 dst; struct ip6_hdr *ip6; + struct pfi_kkif *nkif = NULL; struct ifnet *ifp = NULL; struct pf_addr naddr; struct pf_ksrc_node *sn = NULL; @@ -6995,24 +6997,25 @@ pf_route6(struct mbuf **m, struct pf_krule *r, struct ifnet *oifp, goto bad_locked; } pf_map_addr(AF_INET6, r, (struct pf_addr *)&ip6->ip6_src, - &naddr, NULL, &sn); + &naddr, &nkif, NULL, &sn); if (!PF_AZERO(&naddr, AF_INET6)) PF_ACPY((struct pf_addr *)&dst.sin6_addr, &naddr, AF_INET6); - ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; + ifp = nkif ? nkif->pfik_ifp : NULL; } else { if (!PF_AZERO(&s->rt_addr, AF_INET6)) PF_ACPY((struct pf_addr *)&dst.sin6_addr, &s->rt_addr, AF_INET6); ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; + /* If pfsync'd */ + if (ifp == NULL) + ifp = r->rpool.cur->kif ? + r->rpool.cur->kif->pfik_ifp : NULL; } if (s) PF_STATE_UNLOCK(s); - /* If pfsync'd */ - if (ifp == NULL) - ifp = r->rpool.cur->kif ? r->rpool.cur->kif->pfik_ifp : NULL; if (ifp == NULL) goto bad; diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 09e5d6a7a97f..eb3d087e3df6 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -222,7 +222,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, struct pf_addr init_addr; bzero(&init_addr, sizeof(init_addr)); - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) + if (pf_map_addr(af, r, saddr, naddr, NULL, &init_addr, sn)) return (1); bzero(&key, sizeof(key)); @@ -299,7 +299,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, * pick a different source address since we're out * of free port choices for the current one. */ - if (pf_map_addr(af, r, saddr, naddr, &init_addr, sn)) + if (pf_map_addr(af, r, saddr, naddr, NULL, &init_addr, sn)) return (1); break; case PF_POOL_NONE: @@ -350,7 +350,8 @@ pf_get_mape_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, u_short pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr, - struct pf_addr *naddr, struct pf_addr *init_addr, struct pf_ksrc_node **sn) + struct pf_addr *naddr, struct pfi_kkif **nkif, struct pf_addr *init_addr, + struct pf_ksrc_node **sn) { u_short reason = 0; struct pf_kpool *rpool = &r->rpool; @@ -377,11 +378,15 @@ pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr, } PF_ACPY(naddr, &(*sn)->raddr, af); + if (nkif) + *nkif = (*sn)->rkif; if (V_pf_status.debug >= PF_DEBUG_NOISY) { printf("pf_map_addr: src tracking maps "); pf_print_host(saddr, 0, af); printf(" to "); pf_print_host(naddr, 0, af); + if (nkif) + printf("@%s", (*nkif)->pfik_name); printf("\n"); } goto done; @@ -539,13 +544,22 @@ pf_map_addr(sa_family_t af, struct pf_krule *r, struct pf_addr *saddr, break; } } - if (*sn != NULL) + + if (nkif) + *nkif = rpool->cur->kif; + + if (*sn != NULL) { PF_ACPY(&(*sn)->raddr, naddr, af); + if (nkif) + (*sn)->rkif = *nkif; + } if (V_pf_status.debug >= PF_DEBUG_NOISY && (rpool->opts & PF_POOL_TYPEMASK) != PF_POOL_NONE) { printf("pf_map_addr: selected address "); pf_print_host(naddr, 0, af); + if (nkif) + printf("@%s", (*nkif)->pfik_name); printf("\n"); } @@ -711,7 +725,7 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, } break; case PF_RDR: { - if (pf_map_addr(pd->af, r, saddr, naddr, NULL, sn)) + if (pf_map_addr(pd->af, r, saddr, naddr, NULL, NULL, sn)) goto notrans; if ((r->rpool.opts & PF_POOL_TYPEMASK) == PF_POOL_BITMASK) PF_POOLMASK(naddr, naddr, &r->rpool.cur->addr.v.a.mask,