author | oleg <oleg@FreeBSD.org> | 2009-06-09 21:27:11 +0000 |
---|---|---|
committer | oleg <oleg@FreeBSD.org> | 2009-06-09 21:27:11 +0000 |
commit | 1980405dfdd449338905e8f38096f7b4e80f7784 | |
tree | 7f52d144f542aa5d755cf5429a93e60617651de6 | |
parent | 8fdb55dd4173ed49af8cc002203d5c23e353315e | |
Close long-existing race with net.inet.ip.fw.one_pass = 0:

If a packet leaves ipfw for another kernel subsystem (dummynet, netgraph, etc.),
it carries a pointer to the matching ipfw rule. If this packet is then reinjected back
into ipfw, ruleset processing starts from that rule. If the rule was deleted
meanwhile, a panic was possible due to the existing race condition (as well as
other odd effects like parsing rules in the 'reap list').

P.S. This commit changes the ABI, so userland ipfw-related binaries should be
recompiled.

MFC after: 1 month
Tested by: Mikolaj Golub

Diffstat (limited to 'sys/netgraph')
-rw-r--r-- | sys/netgraph/ng_ipfw.c | 2 |
-rw-r--r-- | sys/netgraph/ng_ipfw.h | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/sys/netgraph/ng_ipfw.c b/sys/netgraph/ng_ipfw.c index cce623b..46bac8e 100644 --- a/sys/netgraph/ng_ipfw.c +++ b/sys/netgraph/ng_ipfw.c @@ -293,6 +293,8 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee) return (ENOMEM); } ngit->rule = fwa->rule; + ngit->rule_id = fwa->rule_id; + ngit->chain_id = fwa->chain_id; ngit->dir = dir; ngit->ifp = fwa->oif; m_tag_prepend(m, &ngit->mt); diff --git a/sys/netgraph/ng_ipfw.h b/sys/netgraph/ng_ipfw.h index 5448a38..29039f2 100644 --- a/sys/netgraph/ng_ipfw.h +++ b/sys/netgraph/ng_ipfw.h @@ -38,6 +38,8 @@ extern ng_ipfw_input_t *ng_ipfw_input_p; struct ng_ipfw_tag { struct m_tag mt; /* tag header */ struct ip_fw *rule; /* matching rule */ + uint32_t rule_id; /* matching rule id */ + uint32_t chain_id; /* ruleset id */ struct ifnet *ifp; /* interface, for ip_output */ int dir; #define NG_IPFW_OUT 0 |
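
Review bot: In the ng_ipfw_input() hunk of ng_ipfw.c, the tag still stores the raw pointer (`ngit->rule = fwa->rule;`) next to the new `rule_id` and `chain_id`, and nothing in the visible lines shows where that pointer is checked against the ids when the packet is reinjected. The code that reads this tag is outside the diffstat shown here (limited to sys/netgraph), so it is worth confirming that it compares `chain_id` with the current ruleset id before dereferencing `rule`, and uses `rule_id` to find the restart point when they differ. A short comment above the three assignments saying that `rule` is only valid while `chain_id` still matches would make that contract explicit at the point where the tag is filled in.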
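
Review bot: In the struct ng_ipfw_tag hunk of ng_ipfw.h, the comment on `rule` still reads "matching rule" and gives no hint that the pointer can be stale once the rule is deleted; consider documenting that it may be used only while `chain_id` matches the current ruleset, with `rule_id` identifying the rule otherwise. The two `uint32_t` fields are also inserted between `rule` and `ifp`, which shifts the offsets of `ifp` and `dir`. The commit message mentions the ABI change for userland ipfw binaries, and it would help to state that kernel modules built against the old header need rebuilding too.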