Date: Thu, 5 May 2022 08:16:51 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 27407a6adc79 - main - pf: clear PF_TAG_DUMMYNET for dummynet fast path
Message-ID: <202205050816.2458GpuV099342@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=27407a6adc793bdfaef8a86ece32fb1b461429f0 commit 27407a6adc793bdfaef8a86ece32fb1b461429f0 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2022-05-05 07:21:32 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-05-05 07:21:32 +0000 pf: clear PF_TAG_DUMMYNET for dummynet fast path ip_dn_io_ptr() (i.e. dummynet_io()) can return the mbuf immediately (as opposed to owning it and later passing it through dummynet_send(), which returns it to pf_test()). In that case we must clear the PF_TAG_DUMMYNET flag to ensure we don't skip any subsequent firewall passes. This can happen if we process a packet in PFIL_IN, set PF_TAG_DUMMYNET on it, pass it to ip_dn_io_ptr() but have it returned immediately. The packet continues its normal path, eventually hitting pf_test(dir=PFIL_OUT), where we'd skip when we're not supposed to. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 5eee9dcf5b91..b0d8d8c6e017 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7300,6 +7300,8 @@ done: ip_dn_io_ptr(m0, &dnflow); if (*m0 == NULL) action = PF_DROP; + else + pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET; } } break; @@ -7758,6 +7760,8 @@ done: ip_dn_io_ptr(m0, &dnflow); if (*m0 == NULL) action = PF_DROP; + else + pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET; } } break;
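Review bot: In the first hunk (@@ -7300), the new else branch dereferences pd.pf_mtag after ip_dn_io_ptr(m0, &dnflow) has returned, and that call receives m0 by reference and can change *m0 (the existing code already checks it for NULL afterwards). If dummynet can hand back a different mbuf on the fast path, pd.pf_mtag may no longer be the tag attached to *m0. It is worth confirming that this cannot happen, or looking the tag up again from *m0 before clearing PF_TAG_DUMMYNET.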
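Review bot: In the second hunk (@@ -7758), the added "else" / "pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;" pair is an exact copy of the one in the first hunk and carries no comment, so the reason for clearing the flag lives only in the commit message. A short comment at the clear (dummynet returned the packet immediately, so a later pf_test() pass with dir=PFIL_OUT must not be skipped) would help the next reader, and moving the ip_dn_io_ptr() call together with the NULL check and the flag clear into one shared helper would keep the two copies from drifting apart.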