diff options
| author | oleg <oleg@FreeBSD.org> | 2009-06-09 21:27:11 +0000 |
|---|---|---|
| committer | oleg <oleg@FreeBSD.org> | 2009-06-09 21:27:11 +0000 |
| commit | 1980405dfdd449338905e8f38096f7b4e80f7784 (patch) | |
| tree | 7f52d144f542aa5d755cf5429a93e60617651de6 /sys/netinet/ip_fw.h | |
| parent | 8fdb55dd4173ed49af8cc002203d5c23e353315e (diff) | |
| download | FreeBSD-src-1980405dfdd449338905e8f38096f7b4e80f7784.zip FreeBSD-src-1980405dfdd449338905e8f38096f7b4e80f7784.tar.gz | |
Close long existed race with net.inet.ip.fw.one_pass = 0:
If packet leaves ipfw to other kernel subsystem (dummynet, netgraph, etc)
it carries pointer to matching ipfw rule. If this packet then reinjected back
to ipfw, ruleset processing starts from that rule. If rule was deleted
meanwhile, due to existed race condition panic was possible (as well as
other odd effects like parsing rules in 'reap list').
P.S. this commit changes ABI so userland ipfw related binaries should be
recompiled.
MFC after: 1 month
Tested by: Mikolaj Golub
Diffstat (limited to 'sys/netinet/ip_fw.h')
| -rw-r--r-- | sys/netinet/ip_fw.h | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 5602e9e..9e3468f 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -465,17 +465,18 @@ struct ip_fw { struct ip_fw *next_rule; /* ptr to next [skipto] rule */ /* 'next_rule' is used to pass up 'set_disable' status */ - u_int16_t act_ofs; /* offset of action in 32-bit units */ - u_int16_t cmd_len; /* # of 32-bit words in cmd */ - u_int16_t rulenum; /* rule number */ - u_int8_t set; /* rule set (0..31) */ + uint16_t act_ofs; /* offset of action in 32-bit units */ + uint16_t cmd_len; /* # of 32-bit words in cmd */ + uint16_t rulenum; /* rule number */ + uint8_t set; /* rule set (0..31) */ #define RESVD_SET 31 /* set for default and persistent rules */ - u_int8_t _pad; /* padding */ + uint8_t _pad; /* padding */ + uint32_t id; /* rule id */ /* These fields are present in all rules. */ - u_int64_t pcnt; /* Packet counter */ - u_int64_t bcnt; /* Byte counter */ - u_int32_t timestamp; /* tv_sec of last match */ + uint64_t pcnt; /* Packet counter */ + uint64_t bcnt; /* Byte counter */ + uint32_t timestamp; /* tv_sec of last match */ ipfw_insn cmd[1]; /* storage for commands */ }; @@ -619,10 +620,12 @@ struct ip_fw_args { struct ifnet *oif; /* output interface */ struct sockaddr_in *next_hop; /* forward address */ struct ip_fw *rule; /* matching rule */ + uint32_t rule_id; /* matching rule id */ + uint32_t chain_id; /* ruleset id */ struct ether_header *eh; /* for bridged packets */ struct ipfw_flow_id f_id; /* grabbed from IP header */ - u_int32_t cookie; /* a cookie depending on rule action */ + uint32_t cookie; /* a cookie depending on rule action */ struct inpcb *inp; struct _ip6dn_args dummypar; /* dummynet->ip6_output */ @@ -662,6 +665,7 @@ struct ip_fw_chain { LIST_HEAD(, cfg_nat) nat; /* list of nat entries */ struct radix_node_head *tables[IPFW_TABLES_MAX]; struct rwlock rwmtx; + uint32_t id; /* ruleset id */ }; #ifdef IPFW_INTERNAL |
