From 46859ca7fcb0d776977156eb0aa5abba3a550d22 Mon Sep 17 00:00:00 2001
From: mlaier
Date: Fri, 8 Oct 2004 12:07:20 +0000
Subject: Change pfil starvation prevention from fail-open to fail-close. We return ENOBUF to indicate the problem, which is an errno that should be handled well everywhere.
Requested & Submitted by: green
Silently okay'ed by: The rest of the firewall gang
MFC after: 3 days
---
 sys/net/pfil.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'sys/net/pfil.c')
diff --git a/sys/net/pfil.c b/sys/net/pfil.c
index f5fff2a..bfd382d 100644
--- a/sys/net/pfil.c
+++ b/sys/net/pfil.c
@@ -119,8 +119,16 @@ pfil_run_hooks(struct pfil_head *ph, struct mbuf **mp, struct ifnet *ifp,
 struct mbuf *m = *mp;
 int rv = 0;
- if (ph->ph_busy_count == -1 || ph->ph_want_write)
- return (0);
+ /*
+ * Prevent packet filtering from starving the modification of
+ * the packet filters. We would prefer a reader/writer locking
+ * mechanism with guaranteed ordering, though.
+ */
+ if (ph->ph_busy_count == -1 || ph->ph_want_write) {
+ m_freem(*mp);
+ *mp = NULL;
+ return (ENOBUFS);
+ }
 PFIL_RLOCK(ph);
 for (pfh = pfil_hook_get(dir, ph); pfh != NULL;
-- cgit v1.1
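Review bot: The new comment above the `ph_busy_count`/`ph_want_write` test explains the starvation motive but not the contract the branch now enforces: the mbuf is freed, `*mp` is set to NULL and ENOBUFS is returned, so a packet that arrives while a writer is pending is dropped rather than passed unfiltered. I would add a line such as `* Fail closed: free the packet and clear *mp so nothing bypasses the filters while a writer is pending; callers must not touch the mbuf after a non-zero return.` The drop is also not counted anywhere in the visible lines, so ENOBUFS from this path cannot be told apart from real buffer exhaustion when diagnosing loss during ruleset reloads; a dedicated drop counter would help, if pfil has a place for one. The test runs before `PFIL_RLOCK(ph)`, so both fields appear to be read without the lock held, and the body of pfil_run_hooks continues outside the hunk.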