-/* $OpenBSD: pf.c,v 1.1191 2024/01/01 17:00:57 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.1192 2024/01/01 22:16:51 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
struct pf_status pf_status;
+struct mutex pf_inp_mtx = MUTEX_INITIALIZER(IPL_SOFTNET);
+
int pf_hdr_limit = 20; /* arbitrary limit, tune in ddb */
SHA2_CTX pf_tcp_secret_ctx;
void pf_state_key_link_inpcb(struct pf_state_key *,
struct inpcb *);
void pf_state_key_unlink_inpcb(struct pf_state_key *);
-void pf_inpcb_unlink_state_key(struct inpcb *);
void pf_pktenqueue_delayed(void *);
int32_t pf_state_expires(const struct pf_state *, uint8_t);
pf_find_state(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
struct pf_state **stp)
{
- struct pf_state_key *sk, *pkt_sk, *inp_sk;
+ struct pf_state_key *sk, *pkt_sk;
struct pf_state_item *si;
struct pf_state *st = NULL;
addlog("\n");
}
- inp_sk = NULL;
pkt_sk = NULL;
sk = NULL;
if (pd->dir == PF_OUT) {
sk = pkt_sk->sk_reverse;
if (pkt_sk == NULL) {
+ struct inpcb *inp = pd->m->m_pkthdr.pf.inp;
+
/* here we deal with local outbound packet */
- if (pd->m->m_pkthdr.pf.inp != NULL) {
- inp_sk = pd->m->m_pkthdr.pf.inp->inp_pf_sk;
- if (pf_state_key_isvalid(inp_sk))
+ if (inp != NULL) {
+ struct pf_state_key *inp_sk;
+
+ mtx_enter(&pf_inp_mtx);
+ inp_sk = inp->inp_pf_sk;
+ if (pf_state_key_isvalid(inp_sk)) {
sk = inp_sk;
- else
- pf_inpcb_unlink_state_key(
- pd->m->m_pkthdr.pf.inp);
+ mtx_leave(&pf_inp_mtx);
+ } else if (inp_sk != NULL) {
+ KASSERT(inp_sk->sk_inp == inp);
+ inp_sk->sk_inp = NULL;
+ inp->inp_pf_sk = NULL;
+ mtx_leave(&pf_inp_mtx);
+
+ pf_state_key_unref(inp_sk);
+ in_pcbunref(inp);
+ } else
+ mtx_leave(&pf_inp_mtx);
}
}
}
if (pd->dir == PF_OUT && pkt_sk &&
pf_compare_state_keys(pkt_sk, sk, pd->kif, pd->dir) == 0)
pf_state_key_link_reverse(sk, pkt_sk);
- else if (pd->dir == PF_OUT && pd->m->m_pkthdr.pf.inp &&
- !pd->m->m_pkthdr.pf.inp->inp_pf_sk && !sk->sk_inp)
+ else if (pd->dir == PF_OUT)
pf_state_key_link_inpcb(sk, pd->m->m_pkthdr.pf.inp);
}
}
void
-pf_remove_divert_state(struct pf_state_key *sk)
+pf_remove_divert_state(struct inpcb *inp)
{
+ struct pf_state_key *sk;
struct pf_state_item *si;
PF_ASSERT_UNLOCKED();
+ if (READ_ONCE(inp->inp_pf_sk) == NULL)
+ return;
+
+ mtx_enter(&pf_inp_mtx);
+ sk = pf_state_key_ref(inp->inp_pf_sk);
+ mtx_leave(&pf_inp_mtx);
+ if (sk == NULL)
+ return;
+
PF_LOCK();
PF_STATE_ENTER_WRITE();
TAILQ_FOREACH(si, &sk->sk_states, si_entry) {
}
PF_STATE_EXIT_WRITE();
PF_UNLOCK();
+
+ pf_state_key_unref(sk);
}
void
pd.m->m_pkthdr.pf.qid = qid;
if (pd.dir == PF_IN && st && st->key[PF_SK_STACK])
pf_mbuf_link_state_key(pd.m, st->key[PF_SK_STACK]);
- if (pd.dir == PF_OUT &&
- pd.m->m_pkthdr.pf.inp && !pd.m->m_pkthdr.pf.inp->inp_pf_sk &&
- st && st->key[PF_SK_STACK] && !st->key[PF_SK_STACK]->sk_inp)
+ if (pd.dir == PF_OUT && st && st->key[PF_SK_STACK])
pf_state_key_link_inpcb(st->key[PF_SK_STACK],
pd.m->m_pkthdr.pf.inp);
sk = m->m_pkthdr.pf.statekey;
if (sk != NULL) {
- if (sk->sk_inp != NULL)
+ if (READ_ONCE(sk->sk_inp) != NULL)
return (1);
}
if (!pf_state_key_isvalid(sk))
pf_mbuf_unlink_state_key(m);
- else
- inp = m->m_pkthdr.pf.statekey->sk_inp;
-
- if (inp && inp->inp_pf_sk)
- KASSERT(m->m_pkthdr.pf.statekey == inp->inp_pf_sk);
+ else if (READ_ONCE(sk->sk_inp) != NULL) {
+ mtx_enter(&pf_inp_mtx);
+ inp = in_pcbref(sk->sk_inp);
+ mtx_leave(&pf_inp_mtx);
+ }
- in_pcbref(inp);
return (inp);
}
* state, which might be just being marked as deleted by another
* thread.
*/
- if (inp && !sk->sk_inp && !inp->inp_pf_sk)
- pf_state_key_link_inpcb(sk, inp);
+ pf_state_key_link_inpcb(sk, inp);
/* The statekey has finished finding the inp, it is no longer needed. */
pf_mbuf_unlink_state_key(m);
void
pf_inp_unlink(struct inpcb *inp)
{
- pf_inpcb_unlink_state_key(inp);
+ struct pf_state_key *sk;
+
+ if (READ_ONCE(inp->inp_pf_sk) == NULL)
+ return;
+
+ mtx_enter(&pf_inp_mtx);
+ sk = inp->inp_pf_sk;
+ if (sk == NULL) {
+ mtx_leave(&pf_inp_mtx);
+ return;
+ }
+ KASSERT(sk->sk_inp == inp);
+ sk->sk_inp = NULL;
+ inp->inp_pf_sk = NULL;
+ mtx_leave(&pf_inp_mtx);
+
+ pf_state_key_unref(sk);
+ in_pcbunref(inp);
}
void
void
pf_state_key_link_inpcb(struct pf_state_key *sk, struct inpcb *inp)
{
- KASSERT(sk->sk_inp == NULL);
- sk->sk_inp = in_pcbref(inp);
- KASSERT(inp->inp_pf_sk == NULL);
- inp->inp_pf_sk = pf_state_key_ref(sk);
-}
-
-void
-pf_inpcb_unlink_state_key(struct inpcb *inp)
-{
- struct pf_state_key *sk = inp->inp_pf_sk;
+ if (inp == NULL || READ_ONCE(sk->sk_inp) != NULL)
+ return;
- if (sk != NULL) {
- KASSERT(sk->sk_inp == inp);
- sk->sk_inp = NULL;
- inp->inp_pf_sk = NULL;
- pf_state_key_unref(sk);
- in_pcbunref(inp);
+ mtx_enter(&pf_inp_mtx);
+ if (inp->inp_pf_sk != NULL || sk->sk_inp != NULL) {
+ mtx_leave(&pf_inp_mtx);
+ return;
}
+ sk->sk_inp = in_pcbref(inp);
+ inp->inp_pf_sk = pf_state_key_ref(sk);
+ mtx_leave(&pf_inp_mtx);
}
void
pf_state_key_unlink_inpcb(struct pf_state_key *sk)
{
- struct inpcb *inp = sk->sk_inp;
+ struct inpcb *inp;
- if (inp != NULL) {
- KASSERT(inp->inp_pf_sk == sk);
- sk->sk_inp = NULL;
- inp->inp_pf_sk = NULL;
- pf_state_key_unref(sk);
- in_pcbunref(inp);
+ if (READ_ONCE(sk->sk_inp) == NULL)
+ return;
+
+ mtx_enter(&pf_inp_mtx);
+ inp = sk->sk_inp;
+ if (inp == NULL) {
+ mtx_leave(&pf_inp_mtx);
+ return;
}
+ KASSERT(inp->inp_pf_sk == sk);
+ sk->sk_inp = NULL;
+ inp->inp_pf_sk = NULL;
+ mtx_leave(&pf_inp_mtx);
+
+ pf_state_key_unref(sk);
+ in_pcbunref(inp);
}
void
projects / openbsd / commitdiff