diff options
| author | glebius <glebius@FreeBSD.org> | 2012-09-18 10:54:56 +0000 |
|---|---|---|
| committer | glebius <glebius@FreeBSD.org> | 2012-09-18 10:54:56 +0000 |
| commit | c3ead4d7df91f96b5c4796a2d0742c691e9bf5cb (patch) | |
| tree | 3b7ccf6b953df1ea7ddc4e2ec6f726fd5fd414a9 /sys/net/pfvar.h | |
| parent | 933e74cb8b0793d1cde852095f14ff4320a05404 (diff) | |
| download | FreeBSD-src-c3ead4d7df91f96b5c4796a2d0742c691e9bf5cb.zip FreeBSD-src-c3ead4d7df91f96b5c4796a2d0742c691e9bf5cb.tar.gz | |
Make ruleset anchors in pf(4) reentrant. We've got two problems here:
1) Ruleset parser uses a global variable for anchor stack.
2) When processing a wildcard anchor, matching anchors are marked.
To fix the first one:
o Allocate anchor processing stack on stack. To make this allocation
as small as possible, following measures taken:
- Maximum stack size reduced from 64 to 32.
- The struct pf_anchor_stackframe trimmed by one pointer - parent.
We can always obtain the parent via the rule pointer.
- When pf_test_rule() calls pf_get_translation(), the former lends
its stack to the latter, to avoid recursive allocation 32 entries.
The second one appeared more tricky. The code, that marks anchors was
added in OpenBSD rev. 1.516 of pf.c. According to commit log, the idea
is to enable the "quick" keyword on an anchor rule. The feature isn't
documented anywhere. The most obscure part of the 1.516 was that code
examines the "match" mark on a just processed child, which couldn't be
put here by current frame. Since this wasn't documented even in the
commit message and functionality of this is not clear to me, I decided
to drop this examination for now. The rest of 1.516 is redone in a
thread safe manner - the mark isn't put on the anchor itself, but on
current stack frame. To avoid growing stack frame, we utilize LSB
from the rule pointer, relying on kernel malloc(9) returning pointer
aligned addresses.
Discussed with: dhartmei
Diffstat (limited to 'sys/net/pfvar.h')
| -rw-r--r-- | sys/net/pfvar.h | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 183a2cc..f48864e 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -989,7 +989,7 @@ struct pf_anchor { char path[MAXPATHLEN]; struct pf_ruleset ruleset; int refcnt; /* anchor rules */ - int match; + int match; /* XXX: used for pfctl black magic */ }; RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); @@ -1019,6 +1019,8 @@ RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); PFR_TFLAG_REFDANCHOR | \ PFR_TFLAG_COUNTERS) +struct pf_anchor_stackframe; + struct pfr_table { char pfrt_anchor[MAXPATHLEN]; char pfrt_name[PF_TABLE_NAME_SIZE]; @@ -1938,11 +1940,12 @@ int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t); #ifdef _KERNEL void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); -void pf_step_into_anchor(int *, struct pf_ruleset **, int, - struct pf_rule **, struct pf_rule **, int *); -int pf_step_out_of_anchor(int *, struct pf_ruleset **, - int, struct pf_rule **, struct pf_rule **, - int *); +void pf_step_into_anchor(struct pf_anchor_stackframe *, int *, + struct pf_ruleset **, int, struct pf_rule **, + struct pf_rule **, int *); +int pf_step_out_of_anchor(struct pf_anchor_stackframe *, int *, + struct pf_ruleset **, int, struct pf_rule **, + struct pf_rule **, int *); int pf_map_addr(u_int8_t, struct pf_rule *, struct pf_addr *, struct pf_addr *, @@ -1951,7 +1954,7 @@ struct pf_rule *pf_get_translation(struct pf_pdesc *, struct mbuf *, int, int, struct pfi_kif *, struct pf_src_node **, struct pf_state_key **, struct pf_state_key **, struct pf_addr *, struct pf_addr *, - u_int16_t, u_int16_t); + uint16_t, uint16_t, struct pf_anchor_stackframe *); struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t); |
