authorbluhm <bluhm@openbsd.org>2017-11-22 12:28:49 +0000
committerbluhm <bluhm@openbsd.org>2017-11-22 12:28:49 +0000
commit4d3061fb7f3cafe8cf56ec6f4e8846c5fb6f0f6d (patch)
tree53d24864a1326f2e853c742028adeaa90ea4f835
parentFix some incorrectness related to Emacs editing mode in ksh: (diff)
It does not make sense to call pcb lookup from pf during packet
forwarding. It should never match and would cause MP locking problems. While there, remove a useless ifp parameter from ip_output_ipsec_send(). from markus@; OK visa@ sashan@
-rw-r--r--sys/net/pf.c16
-rw-r--r--sys/netinet/ip_output.c16
2 files changed, 22 insertions, 10 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 88806a8521c..ebedf217cce 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1046 2017/11/20 10:35:24 mpi Exp $ */
+/* $OpenBSD: pf.c,v 1.1047 2017/11/22 12:28:49 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -6776,6 +6776,17 @@ pf_test(sa_family_t af, int fwdir, struct ifnet *ifp, struct mbuf **m0)
}
pd.m->m_pkthdr.pf.flags |= PF_TAG_PROCESSED;
+ /*
+ * Avoid pcb-lookups from the forwarding path. They should never
+ * match and would cause MP locking problems.
+ */
+ if (fwdir == PF_FWD) {
+ pd.lookup.done = -1;
+ pd.lookup.uid = UID_MAX;
+ pd.lookup.gid = GID_MAX;
+ pd.lookup.pid = NO_PID;
+ }
+
/* lock the lookup/write section of pf_test() */
PF_LOCK();
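Review bot: The added block in pf_test() explains why the pcb lookup is skipped on the forwarding path but not its observable effect: with `pd.lookup.done = -1` and the UID_MAX/GID_MAX/NO_PID sentinels pre-set, a rule carrying a `user` or `group` option will presumably never match a forwarded packet, which is what an operator reading the ruleset needs to know. I would extend the comment with `* A rule with a user/group option therefore never matches a forwarded packet.` Whether every consumer of pd.lookup treats `done = -1` as "lookup attempted, no socket" rather than retrying is not visible here and is worth confirming. pf_test() begins and ends outside this hunk.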
@@ -7072,7 +7083,8 @@ done:
#ifdef INET6
/* if reassembled packet passed, create new fragments */
- if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD) {
+ if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD &&
+ pd.af == AF_INET6) {
struct m_tag *mtag;
if ((mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)))
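Review bot: The new `pd.af == AF_INET6` term on the refragmentation condition has no why-comment, and nothing nearby explains why an address-family check became necessary inside an `#ifdef INET6` block that previously did without one. Presumably it is needed because ip_output() now also calls pf_test() with PF_FWD for forwarded IPv4 (the ip_output.c hunks of this commit), so IPv4 packets must not enter the IPv6 refragmentation path; that reasoning belongs next to the check, e.g. `/* only IPv6 is refragmented here; ip_output() now also passes PF_FWD for IPv4 */` above the `if`. The `done:` section this sits in continues past the hunk.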
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index ef3f0abbef4..87df5b34831 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.343 2017/10/26 15:13:40 mpi Exp $ */
+/* $OpenBSD: ip_output.c,v 1.344 2017/11/22 12:28:49 bluhm Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -84,8 +84,7 @@ struct tdb *
ip_output_ipsec_lookup(struct mbuf *m, int hlen, int *error, struct inpcb *inp,
int ipsecflowinfo);
int
-ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct ifnet *ifp,
- struct route *ro);
+ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int);
#endif /* IPSEC */
/*
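Review bot: The rewritten prototype on the `+` line drops all parameter names, while the adjacent ip_output_ipsec_lookup() prototype keeps them, and the new trailing `int` gives the reader no hint that it is a forwarding flag. Keep the names in the declaration, `ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route *ro, int fwd);`, so the prototype documents the contract without a trip to the definition.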
@@ -404,7 +403,8 @@ sendit:
*/
if (tdb != NULL) {
/* Callee frees mbuf */
- error = ip_output_ipsec_send(tdb, m, ifp, ro);
+ error = ip_output_ipsec_send(tdb, m, ro,
+ (flags & IP_FORWARDING) ? 1 : 0);
goto done;
}
#endif /* IPSEC */
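Review bot: The forwarding test `(flags & IP_FORWARDING) ? 1 : 0` added here is repeated a few lines later for the pf_test() call as `(flags & IP_FORWARDING) ? PF_FWD : PF_OUT`; two derivations of the same fact in one function tend to drift apart. A single local computed once before the IPsec branch, `int fwd = (flags & IP_FORWARDING) != 0;`, then passed as `fwd` here and used as `fwd ? PF_FWD : PF_OUT` below, would keep them in step. The surrounding `sendit:` section of ip_output() extends beyond this hunk, so where that local is declared depends on context not shown.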
@@ -413,7 +413,8 @@ sendit:
* Packet filter
*/
#if NPF > 0
- if (pf_test(AF_INET, PF_OUT, ifp, &m) != PF_PASS) {
+ if (pf_test(AF_INET, (flags & IP_FORWARDING) ? PF_FWD : PF_OUT,
+ ifp, &m) != PF_PASS) {
error = EACCES;
m_freem(m);
goto done;
@@ -550,8 +551,7 @@ ip_output_ipsec_lookup(struct mbuf *m, int hlen, int *error, struct inpcb *inp,
}
int
-ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct ifnet *ifp,
- struct route *ro)
+ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route *ro, int fwd)
{
#if NPF > 0
struct ifnet *encif;
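Review bot: The new `fwd` parameter of ip_output_ipsec_send() is undocumented at its definition; the only use visible in this commit is selecting PF_FWD over PF_OUT for the pf_test() call on the enc interface. A comment above the function, `/* fwd: non-zero when the packet is being forwarded (IP_FORWARDING); selects PF_FWD for pf_test() */`, would record that contract where the next caller will look for it. The function body continues past the end of this hunk.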
@@ -563,7 +563,7 @@ ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct ifnet *ifp,
* Packet filter
*/
if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) == NULL ||
- pf_test(AF_INET, PF_OUT, encif, &m) != PF_PASS) {
+ pf_test(AF_INET, fwd ? PF_FWD : PF_OUT, encif, &m) != PF_PASS) {
m_freem(m);
return EACCES;
}