authoroga <oga@openbsd.org>2011-05-13 14:31:16 +0000
committeroga <oga@openbsd.org>2011-05-13 14:31:16 +0000
commitdda46e081c914a53cca99225de98dcc0d41f936f (patch)
tree9f9378fa5ad43027f94b90608eae22f35d13b6c1
parentreplace handrolled NELEM() with nitems() (diff)
downloadwireguard-openbsd-dda46e081c914a53cca99225de98dcc0d41f936f.tar.xz
wireguard-openbsd-dda46e081c914a53cca99225de98dcc0d41f936f.zip
Revert the pf->socket linking diff.
at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw with xxxterm, not sure about pirofti) involving pool corruption while using this commit. krw and todd confirm that this backout fixes the problem. ok blambert@ krw@, todd@ henning@ and kettenis@ Double link between pf states and sockets. Henning has already implemented half of it. The additional part is: - The pf state lookup for outgoing packets is optimized by using mbuf->inp->state. - For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp. - All protocols establish the link for incoming packets. - All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections. - In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket. ok henning@
-rw-r--r--sys/net/pf.c27
-rw-r--r--sys/netinet/in_pcb.c21
-rw-r--r--sys/netinet/raw_ip.c17
-rw-r--r--sys/netinet/tcp_input.c18
-rw-r--r--sys/netinet/tcp_output.c8
-rw-r--r--sys/netinet/udp_usrreq.c17
-rw-r--r--sys/netinet6/raw_ip6.c22
-rw-r--r--sys/sys/mbuf.h3
8 files changed, 13 insertions, 120 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index f0abe32b822..594f73ceea5 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.742 2011/04/24 19:36:54 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.743 2011/05/13 14:31:16 oga Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -953,9 +953,6 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse)
sk = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse;
- else if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
- ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk)
- sk = ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk;
else {
if ((sk = RB_FIND(pf_state_tree, &pf_statetbl,
(struct pf_state_key *)key)) == NULL)
@@ -966,16 +963,11 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
((struct pf_state_key *)
m->m_pkthdr.pf.statekey)->reverse = sk;
sk->reverse = m->m_pkthdr.pf.statekey;
- } else if (dir == PF_OUT && m->m_pkthdr.pf.inp && !sk->inp) {
- ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk = sk;
- sk->inp = m->m_pkthdr.pf.inp;
}
}
- if (dir == PF_OUT) {
+ if (dir == PF_OUT)
m->m_pkthdr.pf.statekey = NULL;
- m->m_pkthdr.pf.inp = NULL;
- }
/* list is sorted, if-bound states before floating ones */
TAILQ_FOREACH(si, &sk->states, entry)
@@ -5946,13 +5938,6 @@ done:
if (dir == PF_IN && s && s->key[PF_SK_STACK])
m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
- if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
- !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk &&
- s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) {
- ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk =
- s->key[PF_SK_STACK];
- s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp;
- }
#ifdef ALTQ
if (action == PF_PASS && qid) {
@@ -6238,13 +6223,6 @@ done:
if (dir == PF_IN && s && s->key[PF_SK_STACK])
m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
- if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
- !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk &&
- s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) {
- ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk =
- s->key[PF_SK_STACK];
- s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp;
- }
#ifdef ALTQ
if (action == PF_PASS && qid) {
@@ -6341,5 +6319,4 @@ void
pf_pkt_addr_changed(struct mbuf *m)
{
m->m_pkthdr.pf.statekey = NULL;
- m->m_pkthdr.pf.inp = NULL;
}
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 1a125bc5296..91d274faa30 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.c,v 1.119 2011/04/28 09:56:27 claudio Exp $ */
+/* $OpenBSD: in_pcb.c,v 1.120 2011/05/13 14:31:16 oga Exp $ */
/* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */
/*
@@ -513,23 +513,8 @@ in_pcbdetach(v)
splx(s);
#endif
#if NPF > 0
- if (inp->inp_pf_sk) {
- struct pf_state_key *sk;
- struct pf_state_item *si;
-
- s = splsoftnet();
- sk = (struct pf_state_key *)inp->inp_pf_sk;
- TAILQ_FOREACH(si, &sk->states, entry)
- if (sk == si->s->key[PF_SK_STACK] && si->s->rule.ptr &&
- si->s->rule.ptr->divert.port) {
- pf_unlink_state(si->s);
- break;
- }
- /* pf_unlink_state() may have detached the state */
- if (inp->inp_pf_sk)
- ((struct pf_state_key *)inp->inp_pf_sk)->inp = NULL;
- splx(s);
- }
+ if (inp->inp_pf_sk)
+ ((struct pf_state_key *)inp->inp_pf_sk)->inp = NULL;
#endif
s = splnet();
LIST_REMOVE(inp, inp_lhash);
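Review bot: The two restored lines under `#if NPF > 0` clear the state key's `->inp`, but nothing visible here documents who clears `inp->inp_pf_sk` when the state key is freed before the socket; if the pf side does not, this dereference would read freed pool memory. A short comment naming the invariant would help once it is confirmed against pf.c, e.g. `/* pf clears inp_pf_sk when the state key goes away; here we only drop the key's back-pointer */`. The removed block ran under `splsoftnet()` and the restored lines do not raise the level themselves, so the comment should also say which spl level callers of in_pcbdetach() are expected to hold. in_pcbdetach() starts and ends outside the hunk.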
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index efac6a6d96c..9e2797aac3e 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.57 2011/04/28 09:56:27 claudio Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.58 2011/05/13 14:31:16 oga Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
/*
@@ -157,16 +157,6 @@ rip_input(struct mbuf *m, ...)
if (inp->inp_faddr.s_addr &&
inp->inp_faddr.s_addr != ip->ip_src.s_addr)
continue;
-#if NPF > 0
- if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk &&
- !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp &&
- (inp->inp_socket->so_state & SS_ISCONNECTED) &&
- ip->ip_p != IPPROTO_ICMP) {
- ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp =
- inp;
- inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
- }
-#endif
if (last) {
struct mbuf *n;
@@ -287,11 +277,6 @@ rip_output(struct mbuf *m, ...)
/* force routing domain */
m->m_pkthdr.rdomain = inp->inp_rtableid;
-#if NPF > 0
- if (inp->inp_socket->so_state & SS_ISCONNECTED &&
- ip->ip_p != IPPROTO_ICMP)
- m->m_pkthdr.pf.inp = inp;
-#endif
error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
inp->inp_moptions, inp);
if (error == EACCES) /* translate pf(4) error for userland */
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 3eabda7633a..2cb29ea6c53 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.249 2011/05/04 08:20:05 blambert Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.250 2011/05/13 14:31:16 oga Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -895,8 +895,7 @@ findpcb:
#endif
#if NPF > 0
- if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk &&
- !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp) {
+ if (m->m_pkthdr.pf.statekey) {
((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp;
inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
}
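Review bot: The restored condition `if (m->m_pkthdr.pf.statekey)` relinks unconditionally, so when `inp->inp_pf_sk` already points at a different state key, or the state key already has an `->inp`, the previous peer keeps a pointer that nothing in this hunk clears. in_pcbdetach() as restored by this commit resets only the key currently stored in `inp->inp_pf_sk`, so a stale `->inp` on an older key could outlive the pcb; whether that path is reachable is not visible from here. Unlinking the old peers before relinking would keep the pointer pair consistent. The type of the state key's `inp` member is not shown, hence the cast in the sketch below. The enclosing function starts and ends outside the hunk.

```c
	if (m->m_pkthdr.pf.statekey) {
		struct pf_state_key *sk = m->m_pkthdr.pf.statekey;

		/* drop stale back-pointers before relinking */
		if (inp->inp_pf_sk && inp->inp_pf_sk != sk)
			((struct pf_state_key *)inp->inp_pf_sk)->inp = NULL;
		if (sk->inp && sk->inp != inp)
			((struct inpcb *)sk->inp)->inp_pf_sk = NULL;
		sk->inp = inp;
		inp->inp_pf_sk = sk;
	}
```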
@@ -1339,19 +1338,6 @@ trimthenstep6:
((opti.ts_present &&
TSTMP_LT(tp->ts_recent, opti.ts_val)) ||
SEQ_GT(th->th_seq, tp->rcv_nxt))) {
-#if NPF > 0
- /*
- * The socket will be recreated but the new state
- * has already been linked to the socket. Remove the
- * link between old socket and new state. Otherwise
- * closing the socket would remove the state.
- */
- if (inp->inp_pf_sk) {
- ((struct pf_state_key *)inp->inp_pf_sk)->inp =
- NULL;
- inp->inp_pf_sk = NULL;
- }
-#endif
/*
* Advance the iss by at least 32768, but
* clear the msb in order to make sure
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index bb5416e7e0f..7e1776865b5 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_output.c,v 1.95 2011/04/24 19:36:54 bluhm Exp $ */
+/* $OpenBSD: tcp_output.c,v 1.96 2011/05/13 14:31:17 oga Exp $ */
/* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */
/*
@@ -98,8 +98,6 @@
#include <netinet6/in6_var.h>
#endif /* INET6 */
-#include "pf.h"
-
#ifdef notyet
extern struct mbuf *m_copypack();
#endif
@@ -1079,10 +1077,6 @@ send:
/* force routing domain */
m->m_pkthdr.rdomain = tp->t_inpcb->inp_rtableid;
-#if NPF > 0
- m->m_pkthdr.pf.inp = tp->t_inpcb;
-#endif
-
switch (tp->pf) {
case 0: /*default to PF_INET*/
#ifdef INET
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 53906eece24..d2479425074 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.143 2011/05/04 16:05:49 blambert Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.144 2011/05/13 14:31:17 oga Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -561,7 +561,7 @@ udp_input(struct mbuf *m, ...)
/*
* Locate pcb for datagram.
*/
-#if NPF > 0
+#if 0
if (m->m_pkthdr.pf.statekey)
inp = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp;
#endif
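Review bot: The `#if 0` that replaces `#if NPF > 0` leaves the statekey-to-pcb shortcut in udp_input() as dead code with no record of why it is switched off. A comment above it would stop someone re-enabling the lookup without the linking code that this commit removes further down in the same function, e.g. `/* XXX disabled by the pf->socket linking backout; udp no longer links sk->inp here */`. tcp_input.c still sets `->inp` on the state key after this commit, so the comment should also say whether the difference between the two protocols is intentional. udp_input() starts and ends outside the hunk.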
@@ -619,15 +619,6 @@ udp_input(struct mbuf *m, ...)
}
}
-#if NPF > 0
- if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk &&
- !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp &&
- (inp->inp_socket->so_state & SS_ISCONNECTED)) {
- ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp;
- inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
- }
-#endif
-
#ifdef IPSEC
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
s = splnet();
@@ -1042,10 +1033,6 @@ udp_output(struct mbuf *m, ...)
/* force routing domain */
m->m_pkthdr.rdomain = inp->inp_rtableid;
-#if NPF > 0
- if (inp->inp_socket->so_state & SS_ISCONNECTED)
- m->m_pkthdr.pf.inp = inp;
-#endif
error = ip_output(m, inp->inp_options, &inp->inp_route,
inp->inp_socket->so_options &
(SO_DONTROUTE | SO_BROADCAST | SO_JUMBO),
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 2e1140953ef..65c1884d1c0 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip6.c,v 1.42 2011/04/24 19:36:54 bluhm Exp $ */
+/* $OpenBSD: raw_ip6.c,v 1.43 2011/05/13 14:31:17 oga Exp $ */
/* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */
/*
@@ -61,8 +61,6 @@
* @(#)raw_ip.c 8.2 (Berkeley) 1/4/94
*/
-#include "pf.h"
-
#include <sys/param.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
@@ -77,9 +75,6 @@
#include <net/if.h>
#include <net/route.h>
#include <net/if_types.h>
-#if NPF > 0
-#include <net/pfvar.h>
-#endif
#include <netinet/in.h>
#include <netinet/in_var.h>
@@ -205,16 +200,6 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
continue;
}
}
-#if NPF > 0
- if (m->m_pkthdr.pf.statekey && !in6p->inp_pf_sk &&
- !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp &&
- (in6p->inp_socket->so_state & SS_ISCONNECTED) &&
- proto != IPPROTO_ICMPV6) {
- ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp =
- in6p;
- in6p->inp_pf_sk = m->m_pkthdr.pf.statekey;
- }
-#endif
if (last) {
struct mbuf *n;
if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
@@ -502,11 +487,6 @@ rip6_output(struct mbuf *m, ...)
if (in6p->in6p_flags & IN6P_MINMTU)
flags |= IPV6_MINMTU;
-#if NPF > 0
- if (in6p->inp_socket->so_state & SS_ISCONNECTED &&
- so->so_proto->pr_protocol != IPPROTO_ICMPV6)
- m->m_pkthdr.pf.inp = in6p;
-#endif
error = ip6_output(m, optp, &in6p->in6p_route, flags,
in6p->in6p_moptions, &oifp, in6p);
if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index eda8eb81e41..395b9fd597b 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.152 2011/05/04 16:05:49 blambert Exp $ */
+/* $OpenBSD: mbuf.h,v 1.153 2011/05/13 14:31:17 oga Exp $ */
/* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
/*
@@ -78,7 +78,6 @@ struct m_hdr {
struct pkthdr_pf {
void *hdr; /* saved hdr pos in mbuf, for ECN */
void *statekey; /* pf stackside statekey */
- void *inp; /* connected pcb for outgoing packet */
u_int32_t qid; /* queue id */
u_int16_t tag; /* tag id */
u_int8_t flags;