git: ea7401fe6764 - stable/12 - pf: Use counter(9) for pf_state byte/packet tracking

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=ea7401fe67649c3eaeff39b6d909d79bfeb709ee

commit ea7401fe67649c3eaeff39b6d909d79bfeb709ee
Author: Kristof Provost 
AuthorDate: 2020-12-23 08:37:59 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 09:29:40 +

pf: Use counter(9) for pf_state byte/packet tracking

This improves cache behaviour by not writing to the same variable from
multiple cores simultaneously.

pf_state is only used in the kernel, so can be safely modified.

Reviewed by:Lutz Donnerhacke, philip
MFC after:  1 week
Sponsored by: Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D27661

(cherry picked from commit 1c00efe98ed7d103b9684ff692ffd5e3b64d0237)
---
 sys/net/pfvar.h|  4 ++--
 sys/netpfil/pf/if_pfsync.c | 13 +
 sys/netpfil/pf/pf.c| 34 ++
 sys/netpfil/pf/pf_ioctl.c  | 10 ++
 4 files changed, 47 insertions(+), 14 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 597bc2ffec8e..d0eb226ee41d 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -742,8 +742,8 @@ struct pf_state {
struct pfi_kif  *rt_kif;
struct pf_src_node  *src_node;
struct pf_src_node  *nat_src_node;
-   u_int64_tpackets[2];
-   u_int64_tbytes[2];
+   counter_u64_tpackets[2];
+   counter_u64_tbytes[2];
u_int32_tcreation;
u_int32_texpire;
u_int32_tpfsync_time;
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 0566593b7616..a6967d2297a6 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -508,6 +508,13 @@ pfsync_state_import(struct pfsync_state *sp, u_int8_t 
flags)
if ((st = uma_zalloc(V_pf_state_z, M_NOWAIT | M_ZERO)) == NULL)
goto cleanup;
 
+   for (int i = 0; i < 2; i++) {
+   st->packets[i] = counter_u64_alloc(M_NOWAIT);
+   st->bytes[i] = counter_u64_alloc(M_NOWAIT);
+   if (st->packets[i] == NULL || st->bytes[i] == NULL)
+   goto cleanup;
+   }
+
if ((skw = uma_zalloc(V_pf_state_key_z, M_NOWAIT)) == NULL)
goto cleanup;
 
@@ -617,6 +624,12 @@ cleanup:
 
 cleanup_state: /* pf_state_insert() frees the state keys. */
if (st) {
+   for (int i = 0; i < 2; i++) {
+   if (st->packets[i] != NULL)
+   counter_u64_free(st->packets[i]);
+   if (st->bytes[i] != NULL)
+   counter_u64_free(st->bytes[i]);
+   }
if (st->dst.scrub)
uma_zfree(V_pf_state_scrub_z, st->dst.scrub);
if (st->src.scrub)
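Review bot: The `!= NULL` tests in the new counter-freeing loop are only correct because `st` was obtained with `uma_zalloc(..., M_NOWAIT | M_ZERO)` in the previous hunk and `goto cleanup` can be taken before every counter has been allocated; nothing at this site records that dependency. A comment above the loop, `/* st is M_ZERO-allocated: counters not yet allocated are NULL here */`, would keep a later change to the allocation flags from silently turning this into a free of garbage. The loop added to pf_free_state() in pf.c relies on the same property for the partially-built state that pf_create_state() hands it, and deserves the same comment.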
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 343d2aed434a..693e45504745 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -1710,6 +1710,13 @@ pf_free_state(struct pf_state *cur)
KASSERT(cur->timeout == PFTM_UNLINKED, ("%s: timeout %u", __func__,
cur->timeout));
 
+   for (int i = 0; i < 2; i++) {
+   if (cur->bytes[i] != NULL)
+   counter_u64_free(cur->bytes[i]);
+   if (cur->packets[i] != NULL)
+   counter_u64_free(cur->packets[i]);
+   }
+
pf_normalize_tcp_cleanup(cur);
uma_zfree(V_pf_state_z, cur);
counter_u64_add(V_pf_status.fcounters[FCNT_STATE_REMOVALS], 1);
@@ -3652,6 +3659,16 @@ pf_create_state(struct pf_rule *r, struct pf_rule *nr, 
struct pf_rule *a,
REASON_SET(&reason, PFRES_MEMORY);
goto csfailed;
}
+   for (int i = 0; i < 2; i++) {
+   s->bytes[i] = counter_u64_alloc(M_NOWAIT);
+   s->packets[i] = counter_u64_alloc(M_NOWAIT);
+
+   if (s->bytes[i] == NULL || s->packets[i] == NULL) {
+   pf_free_state(s);
+   REASON_SET(&reason, PFRES_MEMORY);
+   goto csfailed;
+   }
+   }
s->rule.ptr = r;
s->nat_rule.ptr = nr;
s->anchor.ptr = a;
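Review bot: The new counter-allocation failure path calls `pf_free_state(s)` on a state that has never been inserted, and the pf_free_state() hunk earlier in this file shows that function asserting `cur->timeout == PFTM_UNLINKED` and incrementing `FCNT_STATE_REMOVALS`; unless the state's timeout was already set to PFTM_UNLINKED above (not visible in the hunk), an INVARIANTS kernel trips the assertion and a production kernel over-counts removals for every allocation failure. Releasing the counters allocated so far and the zone item directly, as sketched below, keeps the failure path free of state-lifecycle bookkeeping. The rest of pf_create_state(), including the `csfailed` label, lies outside this hunk, so whether `s` is touched again after the jump cannot be checked here.
```c
	for (int i = 0; i < 2; i++) {
		s->bytes[i] = counter_u64_alloc(M_NOWAIT);
		s->packets[i] = counter_u64_alloc(M_NOWAIT);

		if (s->bytes[i] == NULL || s->packets[i] == NULL) {
			/* Release only what this loop allocated; s was never inserted. */
			for (int j = 0; j <= i; j++) {
				if (s->bytes[j] != NULL)
					counter_u64_free(s->bytes[j]);
				if (s->packets[j] != NULL)
					counter_u64_free(s->packets[j]);
			}
			uma_zfree(V_pf_state_z, s);
			REASON_SET(&reason, PFRES_MEMORY);
			goto csfailed;
		}
	}
	/* … unchanged: rule/anchor pointer setup … */
```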
@@ -4213,8 +4230,9 @@ pf_tcp_track_full(struct pf_state_peer *src, struct 
pf_state_peer *dst,
pf_print_flags(th->th_flags);
printf(" seq=%u (%u) ack=%u len=%u ackskew=%d "
"pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack,
-   pd->p_len, ackskew, (unsigned long 
long)(*state)->packets[0],
-   (unsigned long long)(*state)->packets[1],
+   pd->p_len, acks

git: 5c712c8748f3 - stable/12 - pf tests: Verify (tcp) checksum modification on unaligned options

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5c712c8748f304f57e18b09f890b46d5f3d13a2e

commit 5c712c8748f304f57e18b09f890b46d5f3d13a2e
Author: Kristof Provost 
AuthorDate: 2020-12-19 15:06:03 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 22:11:08 +

pf tests: Verify (tcp) checksum modification on unaligned options

It turns out pf incorrectly updates the TCP checksum if the TCP option
we're modifying is not 2-byte aligned with respect to the start of the
packet.

Create a TCP packet with such an option and throw it through a scrub
rule, which will update timestamps and modify the packet.

PR: 240416
MFC after:  1 week
Differential revision:  https://reviews.freebsd.org/D27688

(cherry picked from commit 2d3fda5fa1dc99aa8788e5f8d8bb71e682101063)
---
 tests/sys/netpfil/common/pft_ping.py | 69 +++--
 tests/sys/netpfil/pf/Makefile|  1 +
 tests/sys/netpfil/pf/checksum.sh | 85 
 3 files changed, 151 insertions(+), 4 deletions(-)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index 89cb3e1a5d01..8c47df24ea0d 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -2,6 +2,7 @@
 
 import argparse
 import scapy.all as sp
+import socket
 import sys
 from sniffer import Sniffer
 
@@ -87,6 +88,53 @@ def ping6(send_if, dst_ip, args):
req = ether / ip6 / icmp
sp.sendp(req, iface=send_if, verbose=False)
 
+def check_tcpsyn(args, packet):
+   dst_ip = args.to[0]
+
+   ip = packet.getlayer(sp.IP)
+   if not ip:
+   return False
+   if ip.dst != dst_ip:
+   return False
+
+   tcp = packet.getlayer(sp.TCP)
+   if not tcp:
+   return False
+
+   # Verify IP checksum
+   chksum = ip.chksum
+   ip.chksum = None
+   new_chksum = sp.IP(sp.raw(ip)).chksum
+   if chksum != new_chksum:
+   print("Expected IP checksum %x but found %x\n" % (new_cshkum, 
chksum))
+   return False
+
+   # Verify TCP checksum
+   chksum = tcp.chksum
+   packet_raw = sp.raw(packet)
+   tcp.chksum = None
+   newpacket = sp.Ether(sp.raw(packet[sp.Ether]))
+   new_chksum = newpacket[sp.TCP].chksum
+   if chksum != new_chksum:
+   print("Expected TCP checksum %x but found %x\n" % (new_chksum, 
chksum))
+   return False
+
+   return True
+
+def tcpsyn(send_if, dst_ip, args):
+   opts=[('Timestamp', (1, 1)), ('MSS', 1280)]
+
+   if args.tcpopt_unaligned:
+   opts = [('NOP', 0 )] + opts
+
+   ether = sp.Ether()
+   ip = sp.IP(dst=dst_ip)
+   tcp = sp.TCP(dport=666, flags='S', options=opts)
+
+   req = ether / ip / tcp
+   sp.sendp(req, iface=send_if, verbose=False)
+
+
 def main():
parser = argparse.ArgumentParser("pft_ping.py",
description="Ping test tool")
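Review bot: `new_cshkum` in the IP-checksum mismatch message near the top of check_tcpsyn is a typo for `new_chksum`, so the branch meant to report a bad IP checksum raises NameError instead of printing and returning False; the line should read `print("Expected IP checksum %x but found %x\n" % (new_chksum, chksum))`. `packet_raw = sp.raw(packet)` a few lines further down is assigned but never read, and the `import socket` added in the first hunk of this file is not used by any of the code visible here, so both can be dropped. A one-line docstring on check_tcpsyn stating that it returns True only for a TCP segment to `args.to[0]` whose IP and TCP checksums both recompute to the received values would make the sniffer's stop condition explicit.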
@@ -101,6 +149,12 @@ def main():
required=True,
help='The destination IP address for the ICMP echo request')
 
+   # TCP options
+   parser.add_argument('--tcpsyn', action='store_true',
+   help='Send a TCP SYN packet')
+   parser.add_argument('--tcpopt_unaligned', action='store_true',
+   help='Include unaligned TCP options')
+
# Packet settings
parser.add_argument('--send-tos', nargs=1,
help='Set the ToS value for the transmitted packet')
@@ -116,12 +170,19 @@ def main():
 
sniffer = None
if not args.recvif is None:
-   sniffer = Sniffer(args, check_ping_request)
+   checkfn=check_ping_request
+   if args.tcpsyn:
+   checkfn=check_tcpsyn
 
-   if args.ip6:
-   ping6(args.sendif[0], args.to[0], args)
+   sniffer = Sniffer(args, checkfn)
+
+   if args.tcpsyn:
+   tcpsyn(args.sendif[0], args.to[0], args)
else:
-   ping(args.sendif[0], args.to[0], args)
+   if args.ip6:
+   ping6(args.sendif[0], args.to[0], args)
+   else:
+   ping(args.sendif[0], args.to[0], args)
 
if sniffer:
sniffer.join()
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 8e38ccf341de..4a07298c4900 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -7,6 +7,7 @@ TESTS_SUBDIRS+= ioctl
 
 ATF_TESTS_SH+= anchor \
pass_block \
+   checksum \
forward \
fragmentation \
names \

git: b5c7812dd376 - stable/12 - pf tests: Fix accidental duplication of content

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b5c7812dd376dcfa513d948e0d7682c1f613b4ab

commit b5c7812dd376dcfa513d948e0d7682c1f613b4ab
Author: Mateusz Piotrowski <0...@freebsd.org>
AuthorDate: 2019-08-15 12:00:59 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:49 +

pf tests: Fix accidental duplication of content

Some files had their content duplicated in r345409. Some of these mistakes were
fixed in r345430. The only file that was still left with duplicated content was
CVE-2019-5598.py.

Reviewed by:kp
Approved by:src (kp)
Differential Revision:  https://reviews.freebsd.org/D21267

(cherry picked from commit 03d8a4b7d39af6da7ceaaf07211cf0fde1e623ed)
---
 tests/sys/netpfil/pf/CVE-2019-5598.py | 65 ---
 1 file changed, 65 deletions(-)

diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py 
b/tests/sys/netpfil/pf/CVE-2019-5598.py
index 648b8ef9d6f0..1a019ea23fab 100644
--- a/tests/sys/netpfil/pf/CVE-2019-5598.py
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -63,68 +63,3 @@ def main():
 
 if __name__ == '__main__':
main()
-#!/usr/local/bin/python2.7
-
-import argparse
-import scapy.all as sp
-import sys
-from sniffer import Sniffer
-
-def check_icmp_error(args, packet):
-   ip = packet.getlayer(sp.IP)
-   if not ip:
-   return False
-   if ip.dst != args.to[0]:
-   return False
-
-   icmp = packet.getlayer(sp.ICMP)
-   if not icmp:
-   return False
-   if icmp.type != 3 or icmp.code != 3:
-   return False
-
-   return True
-
-def main():
-   parser = argparse.ArgumentParser("CVE-2019-icmp.py",
-   description="CVE-2019-icmp test tool")
-   parser.add_argument('--sendif', nargs=1,
-   required=True,
-   help='The interface through which the packet will be sent')
-   parser.add_argument('--recvif', nargs=1,
-   required=True,
-   help='The interface on which to check for the packet')
-   parser.add_argument('--src', nargs=1,
-   required=True,
-   help='The source IP address')
-   parser.add_argument('--to', nargs=1,
-   required=True,
-   help='The destination IP address')
-
-   args = parser.parse_args()
-
-# Send the allowed packet to establish state
-udp = sp.Ether() / \
-sp.IP(src=args.src[0], dst=args.to[0]) / \
-sp.UDP(dport=53, sport=1234)
-sp.sendp(udp, iface=args.sendif[0], verbose=False)
-
-   # Start sniffing on recvif
-   sniffer = Sniffer(args, check_icmp_error)
-
-   # Send the bad error packet
-   icmp_reachable = sp.Ether() / \
-sp.IP(src=args.src[0], dst=args.to[0]) / \
-   sp.ICMP(type=3, code=3) / \
-   sp.IP(src=args.src[0], dst=args.to[0]) / \
-   sp.UDP(dport=53, sport=1234)
-   sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
-
-   sniffer.join()
-   if sniffer.foundCorrectPacket:
-   sys.exit(1)
-
-   sys.exit(0)
-
-if __name__ == '__main__':
-   main()


git: 21745738a2b5 - stable/12 - pf: Fix unaligned checksum updates

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=21745738a2b5662dfbe730b6338aa38e829cb0eb

commit 21745738a2b5662dfbe730b6338aa38e829cb0eb
Author: Kristof Provost 
AuthorDate: 2020-12-20 20:06:32 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 22:11:08 +

pf: Fix unaligned checksum updates

The algorithm we use to update checksums only works correctly if the
updated data is aligned on 16-bit boundaries (relative to the start of
the packet).

Import the OpenBSD fix for this issue.

PR: 240416
Obtained from:  OpenBSD
MFC after:  1 week
Reviewed by:tuexen (previous version)
Differential Revision:  https://reviews.freebsd.org/D27696

(cherry picked from commit c3f69af03ae7acc167cc1151f0c1ecc5e014ce4e)
---
 sys/net/pfvar.h  |  5 +++
 sys/netpfil/pf/pf.c  | 81 +++-
 sys/netpfil/pf/pf_norm.c | 23 ++
 3 files changed, 89 insertions(+), 20 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index d0eb226ee41d..24faee5d45c6 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -330,6 +330,7 @@ extern struct sx pf_end_lock;
(neg)   \
)
 
+#define PF_ALGNMNT(off) (((off) % 2) == 0)
 
 struct pf_rule_uid {
uid_tuid[2];
@@ -1727,6 +1728,10 @@ void pf_change_a(void *, u_int16_t *, u_int32_t, 
u_int8_t);
 void   pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t,
u_int8_t);
 void   pf_change_tcp_a(struct mbuf *, void *, u_int16_t *, u_int32_t);
+void   pf_patch_16_unaligned(struct mbuf *, u_int16_t *, void *, u_int16_t,
+   bool, u_int8_t);
+void   pf_patch_32_unaligned(struct mbuf *, u_int16_t *, void *, u_int32_t,
+bool, u_int8_t);
 void   pf_send_deferred_syn(struct pf_state *);
 intpf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
struct pf_addr *, sa_family_t);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 693e45504745..84133039eb45 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -289,6 +289,8 @@ static void  pf_print_state_parts(struct pf_state *,
struct pf_state_key *, struct pf_state_key *);
 static int  pf_addr_wrap_neq(struct pf_addr_wrap *,
struct pf_addr_wrap *);
+static void pf_patch_8(struct mbuf *, u_int16_t *, u_int8_t *, 
u_int8_t,
+   bool, u_int8_t);
 static struct pf_state *pf_find_state(struct pfi_kif *,
struct pf_state_key_cmp *, u_int);
 static int  pf_src_connlimit(struct pf_state **);
@@ -2091,16 +2093,60 @@ pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct 
pf_addr_wrap *aw2)
 u_int16_t
 pf_cksum_fixup(u_int16_t cksum, u_int16_t old, u_int16_t new, u_int8_t udp)
 {
-   u_int32_t   l;
-
-   if (udp && !cksum)
-   return (0x);
-   l = cksum + old - new;
-   l = (l >> 16) + (l & 65535);
-   l = l & 65535;
-   if (udp && !l)
-   return (0x);
-   return (l);
+   u_int32_t x;
+
+   x = cksum + old - new;
+   x = (x + (x >> 16)) & 0x;
+
+   /* optimise: eliminate a branch when not udp */
+   if (udp && cksum == 0x)
+   return cksum;
+   if (udp && x == 0x)
+   x = 0x;
+
+   return (u_int16_t)(x);
+}
+
+static void
+pf_patch_8(struct mbuf *m, u_int16_t *cksum, u_int8_t *f, u_int8_t v, bool hi,
+u_int8_t udp)
+{
+   u_int16_t old = htons(hi ? (*f << 8) : *f);
+   u_int16_t new = htons(hi ? ( v << 8) :  v);
+
+   if (*f == v)
+   return;
+
+   *f = v;
+
+   if (m->m_pkthdr.csum_flags & (CSUM_DELAY_DATA | CSUM_DELAY_DATA_IPV6))
+   return;
+
+   *cksum = pf_cksum_fixup(*cksum, old, new, udp);
+}
+
+void
+pf_patch_16_unaligned(struct mbuf *m, u_int16_t *cksum, void *f, u_int16_t v,
+bool hi, u_int8_t udp)
+{
+   u_int8_t *fb = (u_int8_t *)f;
+   u_int8_t *vb = (u_int8_t *)&v;
+
+   pf_patch_8(m, cksum, fb++, *vb++, hi, udp);
+   pf_patch_8(m, cksum, fb++, *vb++, !hi, udp);
+}
+
+void
+pf_patch_32_unaligned(struct mbuf *m, u_int16_t *cksum, void *f, u_int32_t v,
+bool hi, u_int8_t udp)
+{
+   u_int8_t *fb = (u_int8_t *)f;
+   u_int8_t *vb = (u_int8_t *)&v;
+
+   pf_patch_8(m, cksum, fb++, *vb++, hi, udp);
+   pf_patch_8(m, cksum, fb++, *vb++, !hi, udp);
+   pf_patch_8(m, cksum, fb++, *vb++, hi, udp);
+   pf_patch_8(m, cksum, fb++, *vb++, !hi, udp);
 }
 
 u_int16_t
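Review bot: The `hi` parameter of pf_patch_8(), pf_patch_16_unaligned() and pf_patch_32_unaligned() is undocumented, and the byte-walk in the two unaligned helpers (`vb = (u_int8_t *)&v`, then `*vb++` per byte) only produces the on-wire layout if `v` is already in network byte order, which the prototypes in pfvar.h do not say either. Suggested header comments: on pf_patch_8, `/* hi: the byte at f occupies the high-order octet of its 16-bit checksum word, i.e. it sits at an even offset from the packet start (see PF_ALGNMNT()) */`, and on both unaligned helpers, `/* v must already be in network byte order; bytes are patched in memory order, alternating hi/lo */`. The comment `/* optimise: eliminate a branch when not udp */` in pf_cksum_fixup describes an intent rather than the code, which still tests `udp` twice; stating what the two tests preserve (a UDP checksum of all-ones stays as is, and a zero result is folded to all-ones) would be more useful. Note that the mail rendering on this page has dropped the digits after every `0x` literal in this hunk, so the sentinel values themselves cannot be reviewed from here.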
@@ -2327,6 +2373,7 @@ pf_modulate_sack(struct mbuf *m, int off, struct pf_pdesc 
*pd,
return 0;
 
while (hlen >= TCPOLEN_SACKLEN) {
+   siz

git: 63fb868d2913 - stable/12 - Follow r354121 to fix some python3 errors in sys.netpfil.*

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=63fb868d2913d5cb4efcc123eb57fe0287837758

commit 63fb868d2913d5cb4efcc123eb57fe0287837758
Author: Li-Wen Hsu 
AuthorDate: 2019-10-27 21:07:50 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:50 +

Follow r354121 to fix some python3 errors in sys.netpfil.*

stderr:

Traceback (most recent call last):
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 135, in 
main()
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 124, in main
ping(args.sendif[0], args.to[0], args)
  File "/usr/tests/sys/netpfil/common/pft_ping.py", line 74, in ping
raw = sp.raw(str(PAYLOAD_MAGIC))
  File "/usr/local/lib/python3.6/site-packages/scapy/compat.py", line 52, 
in raw
return bytes(x)
TypeError: string argument without an encoding

MFC with:   r354121
Sponsored by:   The FreeBSD Foundation

(cherry picked from commit cfa8b6482740b2be1719d51e927f76b4adec3b92)
---
 tests/sys/netpfil/common/pft_ping.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index da8edd9f7b63..89cb3e1a5d01 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -5,7 +5,7 @@ import scapy.all as sp
 import sys
 from sniffer import Sniffer
 
-PAYLOAD_MAGIC = 0x42c0ffee
+PAYLOAD_MAGIC = bytes.fromhex('42c0ffee')
 
 def check_ping_request(args, packet):
if args.ip6:
@@ -34,7 +34,7 @@ def check_ping4_request(args, packet):
raw = packet.getlayer(sp.Raw)
if not raw:
return False
-   if int(raw.load) != PAYLOAD_MAGIC:
+   if raw.load != PAYLOAD_MAGIC:
return False
 
# Wait to check expectations until we've established this is the packet 
we
@@ -62,7 +62,7 @@ def check_ping6_request(args, packet):
icmp = packet.getlayer(sp.ICMPv6EchoRequest)
if not icmp:
return False
-   if int(icmp.data) != PAYLOAD_MAGIC:
+   if icmp.data != PAYLOAD_MAGIC:
return False
 
return True
@@ -71,7 +71,7 @@ def ping(send_if, dst_ip, args):
ether = sp.Ether()
ip = sp.IP(dst=dst_ip)
icmp = sp.ICMP(type='echo-request')
-   raw = sp.raw(str(PAYLOAD_MAGIC))
+   raw = sp.raw(PAYLOAD_MAGIC)
 
if args.send_tos:
ip.tos = int(args.send_tos[0])
@@ -82,7 +82,7 @@ def ping(send_if, dst_ip, args):
 def ping6(send_if, dst_ip, args):
ether = sp.Ether()
ip6 = sp.IPv6(dst=dst_ip)
-   icmp = sp.ICMPv6EchoRequest(data=sp.raw(str(PAYLOAD_MAGIC)))
+   icmp = sp.ICMPv6EchoRequest(data=sp.raw(PAYLOAD_MAGIC))
 
req = ether / ip6 / icmp
sp.sendp(req, iface=send_if, verbose=False)


git: 0fc80e44f600 - stable/12 - pf tests: Test CVE-2019-5598

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0fc80e44f600b65830da93b7b56e47250f978f06

commit 0fc80e44f600b65830da93b7b56e47250f978f06
Author: Kristof Provost 
AuthorDate: 2019-03-22 07:39:28 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:49 +

pf tests: Test CVE-2019-5598

Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
IP src/dst do not match the IP src/dst in the ICMP packet).

(cherry picked from commit 7de4bd92b8a1f510c88ea3b5af0bcb106af6ba11)
---
 tests/sys/netpfil/pf/CVE-2019-5598.py | 130 ++
 tests/sys/netpfil/pf/Makefile |   7 +-
 tests/sys/netpfil/pf/icmp.sh  |  99 ++
 3 files changed, 234 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py 
b/tests/sys/netpfil/pf/CVE-2019-5598.py
new file mode 100644
index ..648b8ef9d6f0
--- /dev/null
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -0,0 +1,130 @@
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+   ip = packet.getlayer(sp.IP)
+   if not ip:
+   return False
+   if ip.dst != args.to[0]:
+   return False
+
+   icmp = packet.getlayer(sp.ICMP)
+   if not icmp:
+   return False
+   if icmp.type != 3 or icmp.code != 3:
+   return False
+
+   return True
+
+def main():
+   parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+   description="CVE-2019-icmp test tool")
+   parser.add_argument('--sendif', nargs=1,
+   required=True,
+   help='The interface through which the packet will be sent')
+   parser.add_argument('--recvif', nargs=1,
+   required=True,
+   help='The interface on which to check for the packet')
+   parser.add_argument('--src', nargs=1,
+   required=True,
+   help='The source IP address')
+   parser.add_argument('--to', nargs=1,
+   required=True,
+   help='The destination IP address')
+
+   args = parser.parse_args()
+
+# Send the allowed packet to establish state
+udp = sp.Ether() / \
+sp.IP(src=args.src[0], dst=args.to[0]) / \
+sp.UDP(dport=53, sport=1234)
+sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+   # Start sniffing on recvif
+   sniffer = Sniffer(args, check_icmp_error)
+
+   # Send the bad error packet
+   icmp_reachable = sp.Ether() / \
+sp.IP(src=args.src[0], dst=args.to[0]) / \
+   sp.ICMP(type=3, code=3) / \
+   sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
+   sp.UDP(dport=53, sport=1234)
+   sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+   sniffer.join()
+   if sniffer.foundCorrectPacket:
+   sys.exit(1)
+
+   sys.exit(0)
+
+if __name__ == '__main__':
+   main()
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+   ip = packet.getlayer(sp.IP)
+   if not ip:
+   return False
+   if ip.dst != args.to[0]:
+   return False
+
+   icmp = packet.getlayer(sp.ICMP)
+   if not icmp:
+   return False
+   if icmp.type != 3 or icmp.code != 3:
+   return False
+
+   return True
+
+def main():
+   parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+   description="CVE-2019-icmp test tool")
+   parser.add_argument('--sendif', nargs=1,
+   required=True,
+   help='The interface through which the packet will be sent')
+   parser.add_argument('--recvif', nargs=1,
+   required=True,
+   help='The interface on which to check for the packet')
+   parser.add_argument('--src', nargs=1,
+   required=True,
+   help='The source IP address')
+   parser.add_argument('--to', nargs=1,
+   required=True,
+   help='The destination IP address')
+
+   args = parser.parse_args()
+
+# Send the allowed packet to establish state
+udp = sp.Ether() / \
+sp.IP(src=args.src[0], dst=args.to[0]) / \
+sp.UDP(dport=53, sport=1234)
+sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+   # Start sniffing on recvif
+   sniffer = Sniffer(args, check_icmp_error)
+
+   # Send the bad error packet
+   icmp_reachable = sp.Ether() / \
+sp.IP(src=args.src[0], dst=args.to[0]) / 

git: 0c772900dcae - stable/12 - Fix path issues after r351212

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0c772900dcae7ded1c8f1ca336878322a5483ffe

commit 0c772900dcae7ded1c8f1ca336878322a5483ffe
Author: Li-Wen Hsu 
AuthorDate: 2019-08-22 12:08:35 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:50 +

Fix path issues after r351212

This fixes sys.netpfil.pf.forward.v4 and sys.netpfil.pf.icmp.cve_2019_5598
failures in CI system.

Sponsored by:   The FreeBSD Foundation

(cherry picked from commit cdac716946b14572d8c5c764a99617fe5a176da2)
---
 tests/sys/netpfil/pf/forward.sh | 2 +-
 tests/sys/netpfil/pf/icmp.sh| 5 -
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/pf/forward.sh b/tests/sys/netpfil/pf/forward.sh
index 0d9c9d7787a3..5cb22e9c1384 100755
--- a/tests/sys/netpfil/pf/forward.sh
+++ b/tests/sys/netpfil/pf/forward.sh
@@ -32,7 +32,7 @@ v4_body()
route add -net 198.51.100.0/24 192.0.2.2
 
# Sanity check, can we forward ICMP echo requests without pf?
-   atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
+   atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a
diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh
index a02cbf45e34c..fbb62da09efd 100755
--- a/tests/sys/netpfil/pf/icmp.sh
+++ b/tests/sys/netpfil/pf/icmp.sh
@@ -2,6 +2,8 @@
 
 . $(atf_get_srcdir)/utils.subr
 
+common_dir=$(atf_get_srcdir)/../common
+
 atf_test_case "cve_2019_5598" "cleanup"
 cve_2019_5598_head()
 {
@@ -32,7 +34,8 @@ cve_2019_5598_body()
"pass in proto udp to 198.51.100.3 port 53" \
"pass out proto udp to 198.51.100.3 port 53"
 
-   atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-5598.py \
+   atf_check -s exit:0 env PYTHONPATH=${common_dir} \
+   $(atf_get_srcdir)/CVE-2019-5598.py \
--sendif ${epair_in}a \
--recvif ${epair_out}a \
--src 192.0.2.1 \


git: 8c45c8982a07 - stable/12 - Upgrade (scapy) py2 tests to work on py3.

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8c45c8982a071c8e9878fb4cc755e6a2e3f31718

commit 8c45c8982a071c8e9878fb4cc755e6a2e3f31718
Author: Bjoern A. Zeeb 
AuthorDate: 2019-10-26 21:19:55 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:50 +

Upgrade (scapy) py2 tests to work on py3.

In order to move python2 out of the test framework to avoid py2 vs. py3
confusions upgrade the remaining test cases using scapy to work with py3.
That means only one version of scapy needs to be installed in the CI system.
It also gives a path forward for testing i386 issues observed in the CI
system with some of these tests.

Fixes are:
- Use default python from environment (which is 3.x these days).
- properly indent some lines as common for the rest of the file to avoid
  errors.
- cast the calculated offset to an int as the division result is considered
  a float which is not accepted input.
- when comparing payload to a magic number make sure we always add the
  payload properly to the packet and do not try to compare string in
  the result but convert the data payload back into an integer.
- fix print formatting.

Discussed with: lwhsu, kp (taking it off his todo :)
MFC after:  2 weeks

(cherry picked from commit f0297f121aee3ff9ae6de9d445fc4a7981385d05)
---
 tests/sys/netpfil/common/pft_ping.py  | 14 +++---
 tests/sys/netpfil/pf/CVE-2019-5597.py |  5 +++--
 tests/sys/netpfil/pf/CVE-2019-5598.py | 14 +++---
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index e77d0835134f..da8edd9f7b63 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -1,4 +1,4 @@
-#!/usr/local/bin/python2.7
+#!/usr/bin/env python
 
 import argparse
 import scapy.all as sp
@@ -34,15 +34,15 @@ def check_ping4_request(args, packet):
raw = packet.getlayer(sp.Raw)
if not raw:
return False
-   if raw.load != str(PAYLOAD_MAGIC):
+   if int(raw.load) != PAYLOAD_MAGIC:
return False
 
# Wait to check expectations until we've established this is the packet 
we
# sent.
if args.expect_tos:
if ip.tos != int(args.expect_tos[0]):
-   print "Unexpected ToS value %d, expected %s" \
-   % (ip.tos, args.expect_tos[0])
+   print("Unexpected ToS value %d, expected %d" \
+   % (ip.tos, int(args.expect_tos[0])))
return False
 
return True
@@ -62,7 +62,7 @@ def check_ping6_request(args, packet):
icmp = packet.getlayer(sp.ICMPv6EchoRequest)
if not icmp:
return False
-   if icmp.data != str(PAYLOAD_MAGIC):
+   if int(icmp.data) != PAYLOAD_MAGIC:
return False
 
return True
@@ -71,7 +71,7 @@ def ping(send_if, dst_ip, args):
ether = sp.Ether()
ip = sp.IP(dst=dst_ip)
icmp = sp.ICMP(type='echo-request')
-   raw = sp.Raw(str(PAYLOAD_MAGIC))
+   raw = sp.raw(str(PAYLOAD_MAGIC))
 
if args.send_tos:
ip.tos = int(args.send_tos[0])
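Review bot: `raw = sp.raw(str(PAYLOAD_MAGIC))` still calls `bytes()` on a `str`, which on Python 3 raises `TypeError: string argument without an encoding`, so the port this commit is meant to complete fails in ping() before any packet is sent. Encoding the text explicitly, `raw = sp.raw(str(PAYLOAD_MAGIC).encode())`, keeps the receive side's `int(raw.load)` comparison working, since `int()` accepts ASCII-digit bytes; a fixed `bytes` payload would be the cleaner long-term shape. The ping6() hunk below has the same expression in `sp.ICMPv6EchoRequest(data=sp.raw(str(PAYLOAD_MAGIC)))` and needs the same treatment.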
@@ -82,7 +82,7 @@ def ping(send_if, dst_ip, args):
 def ping6(send_if, dst_ip, args):
ether = sp.Ether()
ip6 = sp.IPv6(dst=dst_ip)
-   icmp = sp.ICMPv6EchoRequest(data=PAYLOAD_MAGIC)
+   icmp = sp.ICMPv6EchoRequest(data=sp.raw(str(PAYLOAD_MAGIC)))
 
req = ether / ip6 / icmp
sp.sendp(req, iface=send_if, verbose=False)
diff --git a/tests/sys/netpfil/pf/CVE-2019-5597.py 
b/tests/sys/netpfil/pf/CVE-2019-5597.py
index 524d26d72b2d..68579e99590c 100644
--- a/tests/sys/netpfil/pf/CVE-2019-5597.py
+++ b/tests/sys/netpfil/pf/CVE-2019-5597.py
@@ -1,4 +1,4 @@
-#!/usr/local/bin/python2.7
+#!/usr/bin/env python
 
 import random
 import scapy.all as sp
@@ -18,7 +18,8 @@ def main():
 padding = 8
 fid = random.randint(0,10)
 frag_0 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=1, offset=0)
-frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=padding/8)
+foff_1 = (int)(padding/8)
+frag_1 = sp.IPv6ExtHdrFragment(id=fid, nh=UDP_PROTO, m=0, offset=foff_1)
 
 pkt1_opts = sp.AH(nh=AH_PROTO, payloadlen=200) \
 / sp.Raw('' * 199) \
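Review bot: `foff_1 = (int)(padding/8)` is a C-style cast spelled in Python: the parentheses around `int` do nothing, and true division followed by truncation is what `//` expresses directly. `foff_1 = padding // 8` gives the same integer for the non-negative `padding` used here and reads as intended. A short comment that the fragment offset field is in 8-byte units would explain the division itself.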
diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py 
b/tests/sys/netpfil/pf/CVE-2019-5598.py
index 1a019ea23fab..1a2619f7e52f 100644
--- a/tests/sys/netpfil/pf/CVE-2019-5598.py
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -1,4 +1,4 @@
-#!/usr/local/bin/python2.7
+#!/usr/bin/env python
 
 import argparse
 import scapy.all as sp
@@ -38,18 +38,18 @@ def main():
 
args = parser.parse_args()
 
-# Send the allowed pack

git: cc136589fadb - stable/12 - pf tests: Add a defer mode test for pfsync

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=cc136589fadb85996f9ba772a236fa500b6901dd

commit cc136589fadb85996f9ba772a236fa500b6901dd
Author: Kristof Provost 
AuthorDate: 2018-12-05 19:53:09 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:48 +

pf tests: Add a defer mode test for pfsync

Repeat the pfsync test, this time with the 'defer' option enabled. This
exercises slightly different code paths.

(cherry picked from commit 369d9a2c153e45e2645bc78cdc3a8cdc42f45b7b)
---
 tests/sys/netpfil/pf/pfsync.sh | 28 ++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh
index 85e54675c498..95209b832c62 100755
--- a/tests/sys/netpfil/pf/pfsync.sh
+++ b/tests/sys/netpfil/pf/pfsync.sh
@@ -7,12 +7,16 @@ basic_head()
 {
atf_set descr 'Basic pfsync test'
atf_set require.user root
-
-   atf_set require.progs scapy
 }
 
 basic_body()
 {
+   common_body
+}
+
+common_body()
+{
+   defer=$1
pfsynct_init
 
epair_sync=$(vnet_mkepair)
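Review bot: `defer=$1` is expanded unquoted as `$defer` in the two `ifconfig pfsync0` invocations in the next hunk, which is deliberate — basic_body() calls common_body() with no argument, and an empty quoted `"$defer"` would pass an empty word to ifconfig — but nothing says so, and a well-meaning quoting cleanup would break the basic case. A comment next to the assignment, `# $1 is "defer" or empty; it is expanded unquoted below on purpose so an empty value vanishes`, records that. common_body() is defined after basic_body() calls it, which is fine for a sourced atf script since the call only runs once the whole file has been read, but a one-line header on common_body() describing the optional argument would help readers.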
@@ -28,12 +32,14 @@ basic_body()
jexec one ifconfig pfsync0 \
syncdev ${epair_sync}a \
maxupd 1 \
+   $defer \
up
jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
jexec two ifconfig pfsync0 \
syncdev ${epair_sync}b \
maxupd 1 \
+   $defer \
up
 
# Enable pf!
@@ -64,7 +70,25 @@ basic_cleanup()
pfsynct_cleanup
 }
 
+atf_test_case "defer" "cleanup"
+defer_head()
+{
+   atf_set descr 'Defer mode pfsync test'
+   atf_set require.user root
+}
+
+defer_body()
+{
+   common_body defer
+}
+
+defer_cleanup()
+{
+   pfsynct_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "basic"
+   atf_add_test_case "defer"
 }


git: a343d1c8acfc - stable/12 - pf tests: Move Sniffer to its own file

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a343d1c8acfc78abfd7f12823c5297c8ca2ee4f4

commit a343d1c8acfc78abfd7f12823c5297c8ca2ee4f4
Author: Kristof Provost 
AuthorDate: 2019-03-21 08:15:46 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:48 +

pf tests: Move Sniffer to its own file

Make it easier to re-use the sniffer class in other test support
scripts.

(cherry picked from commit d1805f60afc3f3c65f5d2bb360ed1ab55ea705da)
---
 tests/sys/netpfil/pf/Makefile|  1 +
 tests/sys/netpfil/pf/pft_ping.py | 23 +--
 tests/sys/netpfil/pf/sniffer.py  | 25 +
 3 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 9bb40b911d4c..115a38666cc7 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -22,6 +22,7 @@ ATF_TESTS_SH+=anchor \
 
 ${PACKAGE}FILES+=  utils.subr \
echo_inetd.conf \
+   sniffer.py \
pft_ping.py \
CVE-2019-5597.py
 
diff --git a/tests/sys/netpfil/pf/pft_ping.py b/tests/sys/netpfil/pf/pft_ping.py
index 0b70c2235894..e77d0835134f 100644
--- a/tests/sys/netpfil/pf/pft_ping.py
+++ b/tests/sys/netpfil/pf/pft_ping.py
@@ -3,31 +3,10 @@
 import argparse
 import scapy.all as sp
 import sys
-import threading
+from sniffer import Sniffer
 
 PAYLOAD_MAGIC = 0x42c0ffee
 
-class Sniffer(threading.Thread):
-   def __init__(self, args, check_function):
-   threading.Thread.__init__(self)
-
-   self._args = args
-   self._recvif = args.recvif[0]
-   self._check_function = check_function
-   self.foundCorrectPacket = False
-
-   self.start()
-
-   def _checkPacket(self, packet):
-   ret = self._check_function(self._args, packet)
-   if ret:
-   self.foundCorrectPacket = True
-   return ret
-
-   def run(self):
-   self.packets = sp.sniff(iface=self._recvif,
-   stop_filter=self._checkPacket, timeout=3)
-
 def check_ping_request(args, packet):
if args.ip6:
return check_ping6_request(args, packet)
diff --git a/tests/sys/netpfil/pf/sniffer.py b/tests/sys/netpfil/pf/sniffer.py
new file mode 100644
index ..c71f6e1f5729
--- /dev/null
+++ b/tests/sys/netpfil/pf/sniffer.py
@@ -0,0 +1,25 @@
+# $FreeBSD$
+
+import threading
+import scapy.all as sp
+
+class Sniffer(threading.Thread):
+   def __init__(self, args, check_function):
+   threading.Thread.__init__(self)
+
+   self._args = args
+   self._recvif = args.recvif[0]
+   self._check_function = check_function
+   self.foundCorrectPacket = False
+
+   self.start()
+
+   def _checkPacket(self, packet):
+   ret = self._check_function(self._args, packet)
+   if ret:
+   self.foundCorrectPacket = True
+   return ret
+
+   def run(self):
+   self.packets = sp.sniff(iface=self._recvif,
+   stop_filter=self._checkPacket, timeout=3)
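Review bot: `run()` starts `sp.sniff` on the new thread but gives the caller no signal that capture is live, so a packet sent immediately after constructing the Sniffer can be missed and reported as `foundCorrectPacket = False`, which a test then reads as a firewall drop. Likewise an exception inside `_check_function` dies in the thread with the same False result, indistinguishable from a miss. Consider a `threading.Event` that `run()` sets once sniffing has started (scapy's `started_callback=` argument to `sniff`, where the installed version has it) for callers to wait on, and wrap the check in a try/except that records the failure (e.g. `self.error = exc`) so pft_ping.py can tell a broken checker from a filtered packet. The hard-coded `timeout=3` would read better as a constructor parameter with that default.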


git: f0cb921e361a - stable/12 - netpfil tests: Move pft_ping.py and sniffer.py to the common test directory

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f0cb921e361a8dcefec6c469839e26e6d79f958f

commit f0cb921e361a8dcefec6c469839e26e6d79f958f
Author: Kristof Provost 
AuthorDate: 2019-08-19 10:48:27 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:49 +

netpfil tests: Move pft_ping.py and sniffer.py to the common test directory

The pft_ping.py and sniffer.py tools are moved from tests/sys/netpfil/pf to
tests/sys/netpfil/common directory because these tools are to be used in
common for all the firewalls.

Submitted by:   Ahsan Barkati
Reviewed by:kp, thj
Sponsored by:   Google, Inc. (GSoC 2019)
Differential Revision:  https://reviews.freebsd.org/D21276

(cherry picked from commit 9531253098a1b889520b49a98af0bb81a2373ac0)
---
 ObsoleteFiles.inc|  3 +++
 tests/sys/netpfil/common/Makefile| 13 +
 tests/sys/netpfil/{pf => common}/pft_ping.py |  0
 tests/sys/netpfil/{pf => common}/sniffer.py  |  0
 tests/sys/netpfil/pf/Makefile|  3 ---
 tests/sys/netpfil/pf/forward.sh  | 18 ++
 tests/sys/netpfil/pf/set_tos.sh  | 14 --
 7 files changed, 34 insertions(+), 17 deletions(-)

diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 622d1b79f557..3c505f9610f4 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -1100,6 +1100,9 @@ 
OLD_FILES+=usr/lib/clang/8.0.0/lib/freebsd/libclang_rt.ubsan_standalone_cxx-x86_
 OLD_DIRS+=usr/lib/clang/8.0.0/lib/freebsd
 OLD_DIRS+=usr/lib/clang/8.0.0/lib
 OLD_DIRS+=usr/lib/clang/8.0.0
+# 20190817: pft_ping.py and sniffer.py moved to /usr/tests/sys/netpfil/common
+OLD_FILES+=usr/tests/sys/netpfil/pf/sniffer.py
+OLD_FILES+=usr/tests/sys/netpfil/pf/pft_ping.py
 # 20190509: tests/sys/opencrypto requires the net/py-dpkt package.
 OLD_FILES+=usr/tests/sys/opencrypto/dpkt.py
 OLD_FILES+=usr/tests/sys/opencrypto/dpkt.pyc
diff --git a/tests/sys/netpfil/common/Makefile 
b/tests/sys/netpfil/common/Makefile
new file mode 100644
index ..9e2fa132c84f
--- /dev/null
+++ b/tests/sys/netpfil/common/Makefile
@@ -0,0 +1,13 @@
+# $FreeBSD$
+
+PACKAGE=   tests
+
+TESTSDIR=  ${TESTSBASE}/sys/netpfil/common
+
+${PACKAGE}FILES+=  \
+   pft_ping.py \
+   sniffer.py
+
+${PACKAGE}FILESMODE_pft_ping.py=   0555
+
+.include 
diff --git a/tests/sys/netpfil/pf/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
similarity index 100%
rename from tests/sys/netpfil/pf/pft_ping.py
rename to tests/sys/netpfil/common/pft_ping.py
diff --git a/tests/sys/netpfil/pf/sniffer.py 
b/tests/sys/netpfil/common/sniffer.py
similarity index 100%
rename from tests/sys/netpfil/pf/sniffer.py
rename to tests/sys/netpfil/common/sniffer.py
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 474b3c3b9b4b..8e38ccf341de 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -23,12 +23,9 @@ ATF_TESTS_SH+=   anchor \
 
 ${PACKAGE}FILES+=  utils.subr \
echo_inetd.conf \
-   sniffer.py \
-   pft_ping.py \
CVE-2019-5597.py \
CVE-2019-5598.py
 
-${PACKAGE}FILESMODE_pft_ping.py=   0555
 ${PACKAGE}FILESMODE_CVE-2019-5597.py=  0555
 ${PACKAGE}FILESMODE_CVE-2019-5598.py=  0555
 
diff --git a/tests/sys/netpfil/pf/forward.sh b/tests/sys/netpfil/pf/forward.sh
index 0c97d9601cdc..0d9c9d7787a3 100755
--- a/tests/sys/netpfil/pf/forward.sh
+++ b/tests/sys/netpfil/pf/forward.sh
@@ -2,6 +2,8 @@
 
 . $(atf_get_srcdir)/utils.subr
 
+common_dir=$(atf_get_srcdir)/../common
+
 atf_test_case "v4" "cleanup"
 v4_head()
 {
@@ -39,20 +41,20 @@ v4_body()
 
# Forward with pf enabled
pft_set_rules alcatraz "block in"
-   atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
+   atf_check -s exit:1 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a
 
pft_set_rules alcatraz "block out"
-   atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
+   atf_check -s exit:1 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recv ${epair_recv}a
 
# Allow ICMP
pft_set_rules alcatraz "block in" "pass in proto icmp"
-   atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
+   atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a
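Review bot: the second pft_ping.py invocation in this hunk passes `--recv ${epair_recv}a` while the other two pass `--recvif`; it only works because argparse accepts unambiguous option prefixes, and adding any other `--recv…` option to pft_ping.py later turns this into an "ambiguous option" error that makes the `block out` case fail for the wrong reason. Change it to `--recvif ${epair_recv}a`. The line is unchanged context, so the inconsistency predates this commit; v4_body starts before this hunk and continues after it.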
@@ -90,7 +92,7 @@ v6_body()
route add -6 2001:db8:43::/64 2001:db8:42::2
 
# Sanity check, can we forward ICMP echo requests without pf?
-   atf_check -s exit:0 $(atf_get_srcdir)/p

git: 9caf8a4a0822 - stable/12 - pf tests: Fix accidental duplication of content

2021-01-03 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9caf8a4a08223ee84cf0e63bde2c42adefe1e5f5

commit 9caf8a4a08223ee84cf0e63bde2c42adefe1e5f5
Author: Kristof Provost 
AuthorDate: 2019-03-23 01:07:51 +
Commit: Kristof Provost 
CommitDate: 2021-01-03 20:26:49 +

pf tests: Fix accidental duplication of content

Also use the correct name for the scapy test script.

(cherry picked from commit d93ae404ab8ead535efc4ddcd0fe9e3ee612)
---
 tests/sys/netpfil/pf/icmp.sh | 51 +---
 1 file changed, 1 insertion(+), 50 deletions(-)

diff --git a/tests/sys/netpfil/pf/icmp.sh b/tests/sys/netpfil/pf/icmp.sh
index 5cc1a769c799..a02cbf45e34c 100755
--- a/tests/sys/netpfil/pf/icmp.sh
+++ b/tests/sys/netpfil/pf/icmp.sh
@@ -32,56 +32,7 @@ cve_2019_5598_body()
"pass in proto udp to 198.51.100.3 port 53" \
"pass out proto udp to 198.51.100.3 port 53"
 
-   atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
-   --sendif ${epair_in}a \
-   --recvif ${epair_out}a \
-   --src 192.0.2.1 \
-   --to 198.51.100.3
-}
-
-cve_2019_5598_cleanup()
-{
-   pft_cleanup
-}
-
-atf_init_test_cases()
-{
-   atf_add_test_case "cve_2019_5598"
-}
-# $FreeBSD$
-
-. $(atf_get_srcdir)/utils.subr
-
-atf_test_case "cve_2019_5598" "cleanup"
-cve_2019_5598_head()
-{
-   atf_set descr 'Test CVE-2019-5598'
-   atf_set require.user root
-   atf_set require.progs scapy
-}
-
-cve_2019_5598_body()
-{
-   pft_init
-
-   epair_in=$(vnet_mkepair)
-   epair_out=$(vnet_mkepair)
-   ifconfig ${epair_in}a 192.0.2.1/24 up
-   ifconfig ${epair_out}a up
-
-   vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
-   jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
-   jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
-   jexec alcatraz sysctl net.inet.ip.forwarding=1
-   jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
-   route add -net 198.51.100.0/24 192.0.2.2
-
-   jexec alcatraz pfctl -e
-   pft_set_rules alcatraz "block all" \
-   "pass in proto udp to 198.51.100.3 port 53" \
-   "pass out proto udp to 198.51.100.3 port 53"
-
-   atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+   atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-5598.py \
--sendif ${epair_in}a \
--recvif ${epair_out}a \
--src 192.0.2.1 \


git: 6d2a10d96fb5 - main - Widen ifnet_detach_sxlock coverage

2021-02-11 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6d2a10d96fb5d4ee42fd67b0b07a6d098db5d55a

commit 6d2a10d96fb5d4ee42fd67b0b07a6d098db5d55a
Author: Kristof Provost 
AuthorDate: 2021-02-08 09:04:27 +
Commit: Kristof Provost 
CommitDate: 2021-02-11 15:12:29 +

Widen ifnet_detach_sxlock coverage

Widen the ifnet_detach_sxlock to cover the entire vnet sysuninit code.
This ensures that we can't end up having the vnet_sysuninit free the UDP
pcb while the detach code is running and trying to purge the UDP pcb.

MFC after:  1 week
Differential Revision:  https://reviews.freebsd.org/D28530
---
 sys/net/if.c   | 13 ++---
 sys/net/if.h   |  3 +++
 sys/net/vnet.c |  2 ++
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index 74fdd066fd2d..c85cfab19bf6 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -315,7 +315,8 @@ struct sx ifnet_sxlock;
 SX_SYSINIT_FLAGS(ifnet_sx, &ifnet_sxlock, "ifnet_sx", SX_RECURSE);
 
 struct sx ifnet_detach_sxlock;
-SX_SYSINIT(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx");
+SX_SYSINIT_FLAGS(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx",
+SX_RECURSE);
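Review bot: ifnet_detach_sxlock is made recursive without a comment naming the recursion path; from the other hunks it is presumably vnet_destroy() holding it exclusively across vnet_sysuninit() while interface teardown underneath calls if_detach()/if_clone_destroy(), which now xlock it again. A recursive sx also silently accepts any future re-acquisition, including genuine lock-order mistakes, so record the one intended case next to the flag: `/* SX_RECURSE: vnet_destroy() holds this across vnet_sysuninit(), whose interface teardown re-enters if_detach()/if_clone_destroy(). */`.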
 
 /*
  * The allocation of network interfaces is a rather non-atomic affair; we
@@ -546,9 +547,7 @@ vnet_if_return(const void *unused __unused)
IFNET_WUNLOCK();
 
for (int j = 0; j < i; j++) {
-   sx_xlock(&ifnet_detach_sxlock);
if_vmove(pending[j], pending[j]->if_home_vnet);
-   sx_xunlock(&ifnet_detach_sxlock);
}
 
free(pending, M_IFNET);
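Review bot: the per-iteration xlock around if_vmove() is dropped on the premise that the caller already holds ifnet_detach_sxlock, which this hunk cannot show; vnet_if_return() is presumably reached only through vnet_sysuninit() from vnet_destroy(), which the vnet.c hunk now wraps in the lock. Make that premise checkable instead of implicit by adding `sx_assert(&ifnet_detach_sxlock, SA_XLOCKED);` before the loop, so any other caller trips under INVARIANTS instead of moving interfaces between vnets unlocked. vnet_if_return starts before this hunk and ends after it.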
@@ -1124,9 +1123,9 @@ if_detach(struct ifnet *ifp)
CURVNET_SET_QUIET(ifp->if_vnet);
found = if_unlink_ifnet(ifp, false);
if (found) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
if_detach_internal(ifp, 0, NULL);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
CURVNET_RESTORE();
 }
@@ -3015,9 +3014,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, 
struct thread *td)
error = priv_check(td, PRIV_NET_IFDESTROY);
 
if (error == 0) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
error = if_clone_destroy(ifr->ifr_name);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
goto out_noref;
 
diff --git a/sys/net/if.h b/sys/net/if.h
index eabd4e053733..e6073563bce2 100644
--- a/sys/net/if.h
+++ b/sys/net/if.h
@@ -604,6 +604,9 @@ struct ifdownreason {
 MALLOC_DECLARE(M_IFADDR);
 MALLOC_DECLARE(M_IFMADDR);
 #endif
+
+extern struct sx ifnet_detach_sxlock;
+
 #endif
 
 #ifndef _KERNEL
diff --git a/sys/net/vnet.c b/sys/net/vnet.c
index c5dafedbc6b2..2480fc8dd86c 100644
--- a/sys/net/vnet.c
+++ b/sys/net/vnet.c
@@ -283,7 +283,9 @@ vnet_destroy(struct vnet *vnet)
vnet->vnet_shutdown = true;
 
CURVNET_SET_QUIET(vnet);
+   sx_xlock(&ifnet_detach_sxlock);
vnet_sysuninit();
+   sx_xunlock(&ifnet_detach_sxlock);
CURVNET_RESTORE();
 
/*
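Review bot: the new xlock serialises the whole of vnet_sysuninit() against every if_detach() and if_clone_destroy() in the system, not just this vnet, because ifnet_detach_sxlock is a single file-scope lock rather than a per-vnet one; that is the intended fix, but the reason for taking such a wide lock is not recorded at the call site. Add `/* Hold ifnet_detach_sxlock across the whole teardown so a concurrent if_detach() cannot run against state (e.g. the UDP pcb) that vnet_sysuninit() is freeing. */` above the sx_xlock. vnet_destroy continues outside this hunk.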


git: 5e42cb139fc1 - main - pf: Slightly relax pf_rule_addr validation

2021-02-14 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5e42cb139fc17f165c9c93ac97069dc7770490e2

commit 5e42cb139fc17f165c9c93ac97069dc7770490e2
Author: Kristof Provost 
AuthorDate: 2021-02-13 15:31:52 +
Commit: Kristof Provost 
CommitDate: 2021-02-14 11:07:31 +

pf: Slightly relax pf_rule_addr validation

Ensure we don't reject no-route / urpf-failed addresses.

PR: 253479
Reported by:michal AT microwave.sk
Reviewed by:  donner@
MFC after:  3 days
Differential Revision:  https://reviews.freebsd.org/D28650
---
 sys/netpfil/pf/pf_ioctl.c | 47 ++-
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 644a091808cd..edc8443dcc0a 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1557,9 +1557,33 @@ pf_krule_to_rule(const struct pf_krule *krule, struct 
pf_rule *rule)
rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
 }
 
+static int
+pf_check_rule_addr(const struct pf_rule_addr *addr)
+{
+
+   switch (addr->addr.type) {
+   case PF_ADDR_ADDRMASK:
+   case PF_ADDR_NOROUTE:
+   case PF_ADDR_DYNIFTL:
+   case PF_ADDR_TABLE:
+   case PF_ADDR_URPFFAILED:
+   case PF_ADDR_RANGE:
+   break;
+   default:
+   return (EINVAL);
+   }
+
+   if (addr->addr.p.dyn != NULL) {
+   return (EINVAL);
+   }
+
+   return (0);
+}
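Review bot: the `addr->addr.p.dyn != NULL` test is load-bearing for security — `p` is the union that holds kernel-side pointers (`dyn`, and the table pointer it overlaps), so rejecting a non-NULL value is presumably what stops a userland-supplied pf_rule from carrying a kernel pointer into the kernel copy — but nothing in the new function says so, and the new switch invites adding the next PF_ADDR_* case without thinking about it. Add `/* p is kernel-owned (dyn/tbl pointer); a rule from userland must never supply it. */` above the test. Whether the userland strings used by PF_ADDR_TABLE and PF_ADDR_DYNIFTL are NUL-terminated before use is not checked here; if nothing downstream terminates them, this function is the natural place — confirm against the table/dynaddr setup paths.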
+
 static int
 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 {
+   int ret;
 
 #ifndef INET
if (rule->af == AF_INET) {
@@ -1572,23 +1596,12 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
}
 #endif /* INET6 */
 
-   if (rule->src.addr.type != PF_ADDR_ADDRMASK &&
-   rule->src.addr.type != PF_ADDR_DYNIFTL &&
-   rule->src.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->src.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
-
-   if (rule->dst.addr.type != PF_ADDR_ADDRMASK &&
-   rule->dst.addr.type != PF_ADDR_DYNIFTL &&
-   rule->dst.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->dst.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
+   ret = pf_check_rule_addr(&rule->src);
+   if (ret != 0)
+   return (ret);
+   ret = pf_check_rule_addr(&rule->dst);
+   if (ret != 0)
+   return (ret);
 
bzero(krule, sizeof(*krule));
 


git: 6b52139eb8e8 - main - pf tests: Test unicast reverse path forwarding check

2021-02-16 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6b52139eb8e8eda0ea263b24735556194f918642

commit 6b52139eb8e8eda0ea263b24735556194f918642
Author: Kristof Provost 
AuthorDate: 2021-02-15 21:16:36 +
Commit: Kristof Provost 
CommitDate: 2021-02-16 09:48:58 +

pf tests: Test unicast reverse path forwarding check

Ensure that pf's urpf-failed keyword works as expected.

PR: 253479
MFC after:  1 week
Reviewed by:melifaro@
Differential Revision:  https://reviews.freebsd.org/D28694
---
 tests/sys/netpfil/common/pft_ping.py | 52 
 tests/sys/netpfil/pf/pass_block.sh   | 67 
 2 files changed, 119 insertions(+)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index 812250803309..957123e4f6f8 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -115,6 +115,35 @@ def check_ping6_request(args, packet):
 
return True
 
+def check_ping_reply(args, packet):
+   return check_ping4_reply(args, packet)
+
+def check_ping4_reply(args, packet):
+   """
+   Check that this is a reply to the ping request we sent
+   """
+   dst_ip = args.to[0]
+
+   ip = packet.getlayer(sp.IP)
+   if not ip:
+   return False
+   if ip.src != dst_ip:
+   return False
+
+   icmp = packet.getlayer(sp.ICMP)
+   if not icmp:
+   return False
+   if sp.icmptypes[icmp.type] != 'echo-reply':
+   return False
+
+   raw = packet.getlayer(sp.Raw)
+   if not raw:
+   return False
+   if raw.load != PAYLOAD_MAGIC:
+   return False
+
+   return True
+
 def ping(send_if, dst_ip, args):
ether = sp.Ether()
ip = sp.IP(dst=dst_ip)
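Review bot: check_ping_reply() always dispatches to the IPv4 checker, unlike check_ping_request(), which branches on `args.ip6`, so `--replyif` combined with `--ip6` can never match an ICMPv6 echo reply and the test reports failure regardless of what pf did. Either add a v6 variant mirroring check_ping6_request, or fail loudly at the top: `if args.ip6: raise NotImplementedError('--replyif is IPv4-only')`. Separately, `raw.load` is bytes, so the comparison with PAYLOAD_MAGIC only holds if that constant is defined as bytes; the 2019 definition shown earlier on this page is the int `0x42c0ffee` — confirm the current definition.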
@@ -124,6 +153,9 @@ def ping(send_if, dst_ip, args):
if args.send_tos:
ip.tos = int(args.send_tos[0])
 
+   if args.fromaddr:
+   ip.src = args.fromaddr[0]
+
req = ether / ip / icmp / raw
sp.sendp(req, iface=send_if, verbose=False)
 
@@ -132,6 +164,9 @@ def ping6(send_if, dst_ip, args):
ip6 = sp.IPv6(dst=dst_ip)
icmp = sp.ICMPv6EchoRequest(data=sp.raw(PAYLOAD_MAGIC))
 
+   if args.fromaddr:
+   ip.src = args.fromaddr[0]
+
req = ether / ip6 / icmp
sp.sendp(req, iface=send_if, verbose=False)
 
@@ -189,6 +224,8 @@ def main():
required=True,
help='The interface through which the packet(s) will be sent')
parser.add_argument('--recvif', nargs=1,
+   help='The interface on which to expect the ICMP echo request')
+   parser.add_argument('--replyif', nargs=1,
help='The interface on which to expect the ICMP echo response')
parser.add_argument('--checkdup', nargs=1,
help='The interface on which to expect the duplicated ICMP 
packets')
@@ -197,6 +234,8 @@ def main():
parser.add_argument('--to', nargs=1,
required=True,
help='The destination IP address for the ICMP echo request')
+   parser.add_argument('--fromaddr', nargs=1,
+   help='The source IP address for the ICMP echo request')
 
# TCP options
parser.add_argument('--tcpsyn', action='store_true',
@@ -225,6 +264,11 @@ def main():
 
sniffer = Sniffer(args, checkfn)
 
+   replysniffer = None
+   if not args.replyif is None:
+   checkfn=check_ping_reply
+   replysniffer = Sniffer(args, checkfn, recvif=args.replyif[0])
+
dupsniffer = None
if args.checkdup is not None:
dupsniffer = Sniffer(args, check_dup, recvif=args.checkdup[0])
@@ -250,5 +294,13 @@ def main():
else:
sys.exit(1)
 
+   if replysniffer:
+   replysniffer.join()
+
+   if replysniffer.foundCorrectPacket:
+   sys.exit(0)
+   else:
+   sys.exit(1)
+
 if __name__ == '__main__':
main()
diff --git a/tests/sys/netpfil/pf/pass_block.sh 
b/tests/sys/netpfil/pf/pass_block.sh
index 139adb43bddd..589b89891729 100644
--- a/tests/sys/netpfil/pf/pass_block.sh
+++ b/tests/sys/netpfil/pf/pass_block.sh
@@ -27,6 +27,8 @@
 
 . $(atf_get_srcdir)/utils.subr
 
+common_dir=$(atf_get_srcdir)/../common
+
 atf_test_case "v4" "cleanup"
 v4_head()
 {
@@ -189,10 +191,75 @@ nested_inline_cleanup()
pft_cleanup
 }
 
+atf_test_case "urpf" "cleanup"
+urpf_head()
+{
+   atf_set descr "Test unicast reverse path forwarding check"
+   atf_set requ

git: 8a439f324e90 - main - pf: Remove unused return value from (de)hook_pf()

2021-02-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8a439f324e9010a122fa4c00426bde70dc373c2f

commit 8a439f324e9010a122fa4c00426bde70dc373c2f
Author: Kristof Provost 
AuthorDate: 2021-02-16 11:40:51 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 08:15:40 +

pf: Remove unused return value from (de)hook_pf()

These functions always return 0, which is good, because the code calling
them doesn't handle this error gracefully.

As the functions always succeed remove their return value, and the code
handling their errors (because it was never executed anyway).

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC (“Netgate”)
---
 sys/netpfil/pf/pf_ioctl.c | 40 +---
 1 file changed, 9 insertions(+), 31 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index edc8443dcc0a..028938b9aea0 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -213,8 +213,8 @@ static pfil_return_t pf_check6_out(struct mbuf **m, struct 
ifnet *ifp,
 int flags, void *ruleset __unused, struct inpcb *inp);
 #endif
 
-static int hook_pf(void);
-static int dehook_pf(void);
+static voidhook_pf(void);
+static voiddehook_pf(void);
 static int shutdown_pf(void);
 static int pf_load(void);
 static voidpf_unload(void);
@@ -1814,12 +1814,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int 
flags, struct thread *td
else {
int cpu;
 
-   error = hook_pf();
-   if (error) {
-   DPFPRINTF(PF_DEBUG_MISC,
-   ("pf: pfil registration failed\n"));
-   break;
-   }
+   hook_pf();
V_pf_status.running = 1;
V_pf_status.since = time_second;
 
@@ -1836,12 +1831,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int 
flags, struct thread *td
error = ENOENT;
else {
V_pf_status.running = 0;
-   error = dehook_pf();
-   if (error) {
-   V_pf_status.running = 1;
-   DPFPRINTF(PF_DEBUG_MISC,
-   ("pf: pfil unregistration failed\n"));
-   }
+   dehook_pf();
V_pf_status.since = time_second;
DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
}
@@ -4565,14 +4555,14 @@ VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_out_hook);
 #defineV_pf_ip6_out_hook   VNET(pf_ip6_out_hook)
 #endif
 
-static int
+static void
 hook_pf(void)
 {
struct pfil_hook_args pha;
struct pfil_link_args pla;
 
if (V_pf_pfil_hooked)
-   return (0);
+   return;
 
pha.pa_version = PFIL_VERSION;
pha.pa_modname = "pf";
@@ -4620,15 +4610,14 @@ hook_pf(void)
 #endif
 
V_pf_pfil_hooked = 1;
-   return (0);
 }
 
-static int
+static void
 dehook_pf(void)
 {
 
if (V_pf_pfil_hooked == 0)
-   return (0);
+   return;
 
 #ifdef INET
pfil_remove_hook(V_pf_ip4_in_hook);
@@ -4640,7 +4629,6 @@ dehook_pf(void)
 #endif
 
V_pf_pfil_hooked = 0;
-   return (0);
 }
 
 static void
@@ -4688,20 +4676,10 @@ pf_load(void)
 static void
 pf_unload_vnet(void)
 {
-   int error;
 
V_pf_vnet_active = 0;
V_pf_status.running = 0;
-   error = dehook_pf();
-   if (error) {
-   /*
-* Should not happen!
-* XXX Due to error code ESRCH, kldunload will show
-* a message like 'No such process'.
-*/
-   printf("%s : pfil unregisteration fail\n", __FUNCTION__);
-   return;
-   }
+   dehook_pf();
 
PF_RULES_WLOCK();
shutdown_pf();


git: 4a7d84058d88 - main - pf tests: Explicitly ask for python3

2021-02-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4a7d84058d88244c405fc0b73d6985681eb661f5

commit 4a7d84058d88244c405fc0b73d6985681eb661f5
Author: Kristof Provost 
AuthorDate: 2021-02-17 10:45:54 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 13:04:33 +

pf tests: Explicitly ask for python3

If we install the scapy package (which we do list as a dependency) we
don't automatically install python (but we do have python3).

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC (“Netgate”)
---
 tests/sys/netpfil/common/pft_ping.py  | 2 +-
 tests/sys/netpfil/pf/CVE-2019-5597.py | 2 +-
 tests/sys/netpfil/pf/CVE-2019-5598.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index 957123e4f6f8..916a019d2f4a 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
 # SPDX-License-Identifier: BSD-2-Clause
 #
diff --git a/tests/sys/netpfil/pf/CVE-2019-5597.py 
b/tests/sys/netpfil/pf/CVE-2019-5597.py
index bb95e95c13b7..1050af506f8d 100644
--- a/tests/sys/netpfil/pf/CVE-2019-5597.py
+++ b/tests/sys/netpfil/pf/CVE-2019-5597.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 #
diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py 
b/tests/sys/netpfil/pf/CVE-2019-5598.py
index 53616e681609..ac1e4f3438f5 100644
--- a/tests/sys/netpfil/pf/CVE-2019-5598.py
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 #


git: c4e0f7aa1ae7 - main - pf: Assert that pfil_link() calls succeed

2021-02-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c4e0f7aa1ae7729df8c3e525e511b84f8052375c

commit c4e0f7aa1ae7729df8c3e525e511b84f8052375c
Author: Kristof Provost 
AuthorDate: 2021-02-17 10:44:37 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 13:04:20 +

pf: Assert that pfil_link() calls succeed

These should only fail if we use them incorrectly, so assert that they
succeed.

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC (“Netgate”)
---
 sys/netpfil/pf/pf_ioctl.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 028938b9aea0..ea71664756d7 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -4560,6 +4560,7 @@ hook_pf(void)
 {
struct pfil_hook_args pha;
struct pfil_link_args pla;
+   int ret;
 
if (V_pf_pfil_hooked)
return;
@@ -4579,7 +4580,8 @@ hook_pf(void)
pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet_pfil_head;
pla.pa_hook = V_pf_ip4_in_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
pha.pa_func = pf_check_out;
pha.pa_flags = PFIL_OUT;
pha.pa_rulname = "default-out";
@@ -4587,7 +4589,8 @@ hook_pf(void)
pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet_pfil_head;
pla.pa_hook = V_pf_ip4_out_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
 #endif
 #ifdef INET6
pha.pa_type = PFIL_TYPE_IP6;
@@ -4598,7 +4601,8 @@ hook_pf(void)
pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet6_pfil_head;
pla.pa_hook = V_pf_ip6_in_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
pha.pa_func = pf_check6_out;
pha.pa_rulname = "default-out6";
pha.pa_flags = PFIL_OUT;
@@ -4606,7 +4610,8 @@ hook_pf(void)
pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet6_pfil_head;
pla.pa_hook = V_pf_ip6_out_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
 #endif
 
V_pf_pfil_hooked = 1;
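Review bot: MPASS compiles to nothing on a kernel built without INVARIANTS, so on a production kernel a failing pfil_link() is still ignored and the function falls through to `V_pf_pfil_hooked = 1`, after which the DIOCSTART path sets `running = 1` with one or more directions unhooked — traffic in that direction silently bypasses pf (fail-open) instead of `pfctl -e` failing. If the calls genuinely cannot fail, state the argument in a comment at the first MPASS; if they can (a missing pfil head in a vnet, for instance — not verifiable here), check `ret`, unlink the hooks already linked and return an error to the caller, which means restoring the int return this series removed. hook_pf's closing brace is outside the hunk.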


git: f9a66bb91ae1 - stable/13 - pf: Slightly relax pf_rule_addr validation

2021-02-17 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f9a66bb91ae1f3f175d0c16730c683841525bd1d

commit f9a66bb91ae1f3f175d0c16730c683841525bd1d
Author: Kristof Provost 
AuthorDate: 2021-02-13 15:31:52 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 13:03:58 +

pf: Slightly relax pf_rule_addr validation

Ensure we don't reject no-route / urpf-failed addresses.

PR: 253479
Reported by:michal AT microwave.sk
Reviewed by:  donner@
MFC after:  3 days
Differential Revision:  https://reviews.freebsd.org/D28650

(cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
---
 sys/netpfil/pf/pf_ioctl.c | 47 ++-
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 644a091808cd..edc8443dcc0a 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1557,9 +1557,33 @@ pf_krule_to_rule(const struct pf_krule *krule, struct 
pf_rule *rule)
rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
 }
 
+static int
+pf_check_rule_addr(const struct pf_rule_addr *addr)
+{
+
+   switch (addr->addr.type) {
+   case PF_ADDR_ADDRMASK:
+   case PF_ADDR_NOROUTE:
+   case PF_ADDR_DYNIFTL:
+   case PF_ADDR_TABLE:
+   case PF_ADDR_URPFFAILED:
+   case PF_ADDR_RANGE:
+   break;
+   default:
+   return (EINVAL);
+   }
+
+   if (addr->addr.p.dyn != NULL) {
+   return (EINVAL);
+   }
+
+   return (0);
+}
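Review bot: the `addr->addr.p.dyn != NULL` test is the part of this function that matters for security — `p` holds kernel-side pointers, so rejecting a non-NULL value presumably keeps a userland pf_rule from carrying a kernel pointer into the kernel copy — yet the new switch invites adding the next PF_ADDR_* case without noticing that. Add `/* p is kernel-owned (dyn/tbl pointer); a rule from userland must never supply it. */` above the test, here as on main.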
+
 static int
 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 {
+   int ret;
 
 #ifndef INET
if (rule->af == AF_INET) {
@@ -1572,23 +1596,12 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
}
 #endif /* INET6 */
 
-   if (rule->src.addr.type != PF_ADDR_ADDRMASK &&
-   rule->src.addr.type != PF_ADDR_DYNIFTL &&
-   rule->src.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->src.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
-
-   if (rule->dst.addr.type != PF_ADDR_ADDRMASK &&
-   rule->dst.addr.type != PF_ADDR_DYNIFTL &&
-   rule->dst.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->dst.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
+   ret = pf_check_rule_addr(&rule->src);
+   if (ret != 0)
+   return (ret);
+   ret = pf_check_rule_addr(&rule->dst);
+   if (ret != 0)
+   return (ret);
 
bzero(krule, sizeof(*krule));
 


git: f8d1f2da0922 - stable/12 - pf: Slightly relax pf_rule_addr validation

2021-02-17 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f8d1f2da0922fdff846b13baa7315652b43aa95c

commit f8d1f2da0922fdff846b13baa7315652b43aa95c
Author: Kristof Provost 
AuthorDate: 2021-02-13 15:31:52 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 09:11:19 +

pf: Slightly relax pf_rule_addr validation

Ensure we don't reject no-route / urpf-failed addresses.

PR: 253479
Reported by:michal AT microwave.sk
Reviewed by:  donner@
MFC after:  3 days
Differential Revision:  https://reviews.freebsd.org/D28650

(cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
---
 sys/netpfil/pf/pf_ioctl.c | 47 ++-
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index bbb9cfe39586..edf147699235 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1558,9 +1558,33 @@ pf_krule_to_rule(const struct pf_krule *krule, struct 
pf_rule *rule)
rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
 }
 
+static int
+pf_check_rule_addr(const struct pf_rule_addr *addr)
+{
+
+   switch (addr->addr.type) {
+   case PF_ADDR_ADDRMASK:
+   case PF_ADDR_NOROUTE:
+   case PF_ADDR_DYNIFTL:
+   case PF_ADDR_TABLE:
+   case PF_ADDR_URPFFAILED:
+   case PF_ADDR_RANGE:
+   break;
+   default:
+   return (EINVAL);
+   }
+
+   if (addr->addr.p.dyn != NULL) {
+   return (EINVAL);
+   }
+
+   return (0);
+}
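Review bot: the `addr->addr.p.dyn != NULL` test is the part of this function that matters for security — `p` holds kernel-side pointers, so rejecting a non-NULL value presumably keeps a userland pf_rule from carrying a kernel pointer into the kernel copy — yet the new switch invites adding the next PF_ADDR_* case without noticing that. Add `/* p is kernel-owned (dyn/tbl pointer); a rule from userland must never supply it. */` above the test, here as on main.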
+
 static int
 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 {
+   int ret;
 
 #ifndef INET
if (rule->af == AF_INET) {
@@ -1573,23 +1597,12 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
}
 #endif /* INET6 */
 
-   if (rule->src.addr.type != PF_ADDR_ADDRMASK &&
-   rule->src.addr.type != PF_ADDR_DYNIFTL &&
-   rule->src.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->src.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
-
-   if (rule->dst.addr.type != PF_ADDR_ADDRMASK &&
-   rule->dst.addr.type != PF_ADDR_DYNIFTL &&
-   rule->dst.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->dst.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
+   ret = pf_check_rule_addr(&rule->src);
+   if (ret != 0)
+   return (ret);
+   ret = pf_check_rule_addr(&rule->dst);
+   if (ret != 0)
+   return (ret);
 
bzero(krule, sizeof(*krule));
 


git: 9cc7bd9a6ab1 - stable/12 - Widen ifnet_detach_sxlock coverage

2021-02-17 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9cc7bd9a6ab1e2bfc12dabf4d9ef4ad463a05616

commit 9cc7bd9a6ab1e2bfc12dabf4d9ef4ad463a05616
Author: Kristof Provost 
AuthorDate: 2021-02-08 09:04:27 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 13:13:04 +

Widen ifnet_detach_sxlock coverage

Widen the ifnet_detach_sxlock to cover the entire vnet sysuninit code.
This ensures that we can't end up having the vnet_sysuninit free the UDP
pcb while the detach code is running and trying to purge the UDP pcb.

MFC after:  1 week
Differential Revision:  https://reviews.freebsd.org/D28530

(cherry picked from commit 6d2a10d96fb5d4ee42fd67b0b07a6d098db5d55a)
---
 sys/net/if.c   | 13 ++---
 sys/net/if.h   |  3 +++
 sys/net/vnet.c |  2 ++
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index 56b12f594814..2ae8121043b0 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -316,7 +316,8 @@ struct sx ifnet_sxlock;
 SX_SYSINIT_FLAGS(ifnet_sx, &ifnet_sxlock, "ifnet_sx", SX_RECURSE);
 
 struct sx ifnet_detach_sxlock;
-SX_SYSINIT(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx");
+SX_SYSINIT_FLAGS(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx",
+SX_RECURSE);
 
 /*
  * The allocation of network interfaces is a rather non-atomic affair; we
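Review bot: Making ifnet_detach_sxlock recursive via SX_RECURSE deserves a comment at the declaration, because a recursive sx hides lock-order mistakes and the reason is only visible across three files: vnet_destroy() now holds the lock exclusively across vnet_sysuninit() (vnet.c hunk), and code reached from there, presumably if_detach() and if_clone_destroy() via ifioctl(), also takes it exclusively. Suggested: `/* Recursive: vnet_destroy() holds it across vnet_sysuninit(), which reaches if_detach(). */`. The shared-to-exclusive switch in the if_detach and ifioctl hunks below appears to follow from that, since a thread already holding the lock exclusively cannot then take it shared. The stable/13 and releng/13.0 copies of this commit (hunks ending at lines 2465 and 2687) carry the same point.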
@@ -552,9 +553,7 @@ vnet_if_return(const void *unused __unused)
IFNET_WUNLOCK();
 
for (int j = 0; j < i; j++) {
-   sx_xlock(&ifnet_detach_sxlock);
if_vmove(pending[j], pending[j]->if_home_vnet);
-   sx_xunlock(&ifnet_detach_sxlock);
}
 
free(pending, M_IFNET);
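Review bot: vnet_if_return() now moves interfaces without taking ifnet_detach_sxlock itself, so it silently depends on the caller holding the lock, presumably vnet_destroy() through the new sx_xlock() in the vnet.c hunk; that contract should be asserted rather than assumed, e.g. `sx_assert(&ifnet_detach_sxlock, SA_XLOCKED);` before the loop, so a future caller that is not under the lock is caught under INVARIANTS. vnet_if_return() starts before this hunk. The stable/13 and releng/13.0 copies (hunks ending at lines 2475 and 2697) need the same assertion.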
@@ -1108,9 +1107,9 @@ if_detach(struct ifnet *ifp)
CURVNET_SET_QUIET(ifp->if_vnet);
found = if_unlink_ifnet(ifp, false);
if (found) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
if_detach_internal(ifp, 0, NULL);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
CURVNET_RESTORE();
 }
@@ -3147,9 +3146,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, 
struct thread *td)
error = priv_check(td, PRIV_NET_IFDESTROY);
 
if (error == 0) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
error = if_clone_destroy(ifr->ifr_name);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
goto out_noref;
 
diff --git a/sys/net/if.h b/sys/net/if.h
index 3767033d8265..44a920d844e2 100644
--- a/sys/net/if.h
+++ b/sys/net/if.h
@@ -600,6 +600,9 @@ struct ifdownreason {
 MALLOC_DECLARE(M_IFADDR);
 MALLOC_DECLARE(M_IFMADDR);
 #endif
+
+extern struct sx ifnet_detach_sxlock;
+
 #endif
 
 #ifndef _KERNEL
diff --git a/sys/net/vnet.c b/sys/net/vnet.c
index 9a4321a8409b..3fd423d22d1d 100644
--- a/sys/net/vnet.c
+++ b/sys/net/vnet.c
@@ -281,7 +281,9 @@ vnet_destroy(struct vnet *vnet)
VNET_LIST_WUNLOCK();
 
CURVNET_SET_QUIET(vnet);
+   sx_xlock(&ifnet_detach_sxlock);
vnet_sysuninit();
+   sx_xunlock(&ifnet_detach_sxlock);
CURVNET_RESTORE();
 
/*
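Review bot: The new exclusive hold around vnet_sysuninit() is a wide critical section with no comment; the rationale lives only in the commit message, so add `/* Hold ifnet_detach_sxlock so vnet_sysuninit() cannot free pcbs that a concurrent if_detach() is still purging. */` above the sx_xlock(). If anything under vnet_sysuninit() can sleep waiting for a detaching interface that itself needs this lock, the exclusive hold now turns that race into a deadlock, which is presumably the intended trade-off but worth stating next to the lock. vnet_destroy() continues outside the hunk; the stable/13 and releng/13.0 copies (hunks ending at lines 2528 and 2750) want the same comment.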


git: 05530211165f - stable/13 - Widen ifnet_detach_sxlock coverage

2021-02-17 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=05530211165f59b8dabc02adaf26ea29c2726ebc

commit 05530211165f59b8dabc02adaf26ea29c2726ebc
Author: Kristof Provost 
AuthorDate: 2021-02-08 09:04:27 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 13:12:54 +

Widen ifnet_detach_sxlock coverage

Widen the ifnet_detach_sxlock to cover the entire vnet sysuninit code.
This ensures that we can't end up having the vnet_sysuninit free the UDP
pcb while the detach code is running and trying to purge the UDP pcb.

MFC after:  1 week
Differential Revision:  https://reviews.freebsd.org/D28530

(cherry picked from commit 6d2a10d96fb5d4ee42fd67b0b07a6d098db5d55a)
---
 sys/net/if.c   | 13 ++---
 sys/net/if.h   |  3 +++
 sys/net/vnet.c |  2 ++
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index 74fdd066fd2d..c85cfab19bf6 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -315,7 +315,8 @@ struct sx ifnet_sxlock;
 SX_SYSINIT_FLAGS(ifnet_sx, &ifnet_sxlock, "ifnet_sx", SX_RECURSE);
 
 struct sx ifnet_detach_sxlock;
-SX_SYSINIT(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx");
+SX_SYSINIT_FLAGS(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx",
+SX_RECURSE);
 
 /*
  * The allocation of network interfaces is a rather non-atomic affair; we
@@ -546,9 +547,7 @@ vnet_if_return(const void *unused __unused)
IFNET_WUNLOCK();
 
for (int j = 0; j < i; j++) {
-   sx_xlock(&ifnet_detach_sxlock);
if_vmove(pending[j], pending[j]->if_home_vnet);
-   sx_xunlock(&ifnet_detach_sxlock);
}
 
free(pending, M_IFNET);
@@ -1124,9 +1123,9 @@ if_detach(struct ifnet *ifp)
CURVNET_SET_QUIET(ifp->if_vnet);
found = if_unlink_ifnet(ifp, false);
if (found) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
if_detach_internal(ifp, 0, NULL);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
CURVNET_RESTORE();
 }
@@ -3015,9 +3014,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, 
struct thread *td)
error = priv_check(td, PRIV_NET_IFDESTROY);
 
if (error == 0) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
error = if_clone_destroy(ifr->ifr_name);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
goto out_noref;
 
diff --git a/sys/net/if.h b/sys/net/if.h
index eabd4e053733..e6073563bce2 100644
--- a/sys/net/if.h
+++ b/sys/net/if.h
@@ -604,6 +604,9 @@ struct ifdownreason {
 MALLOC_DECLARE(M_IFADDR);
 MALLOC_DECLARE(M_IFMADDR);
 #endif
+
+extern struct sx ifnet_detach_sxlock;
+
 #endif
 
 #ifndef _KERNEL
diff --git a/sys/net/vnet.c b/sys/net/vnet.c
index c5dafedbc6b2..2480fc8dd86c 100644
--- a/sys/net/vnet.c
+++ b/sys/net/vnet.c
@@ -283,7 +283,9 @@ vnet_destroy(struct vnet *vnet)
vnet->vnet_shutdown = true;
 
CURVNET_SET_QUIET(vnet);
+   sx_xlock(&ifnet_detach_sxlock);
vnet_sysuninit();
+   sx_xunlock(&ifnet_detach_sxlock);
CURVNET_RESTORE();
 
/*


git: 00abeecb4a25 - releng/13.0 - pf: Slightly relax pf_rule_addr validation

2021-02-17 Thread Kristof Provost
The branch releng/13.0 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=00abeecb4a25728f36f763822bd584e7bf4f50b7

commit 00abeecb4a25728f36f763822bd584e7bf4f50b7
Author: Kristof Provost 
AuthorDate: 2021-02-13 15:31:52 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 16:48:58 +

pf: Slightly relax pf_rule_addr validation

Ensure we don't reject no-route / urpf-failed addresses.

PR: 253479
Approved by:re (gjb)
Reported by:michal AT microwave.sk
Revied by:  donner@
MFC after:  3 days
Differential Revision:  https://reviews.freebsd.org/D28650

(cherry picked from commit 5e42cb139fc17f165c9c93ac97069dc7770490e2)
(cherry picked from commit f9a66bb91ae1f3f175d0c16730c683841525bd1d)
---
 sys/netpfil/pf/pf_ioctl.c | 47 ++-
 1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 644a091808cd..edc8443dcc0a 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1557,9 +1557,33 @@ pf_krule_to_rule(const struct pf_krule *krule, struct 
pf_rule *rule)
rule->u_src_nodes = counter_u64_fetch(krule->src_nodes);
 }
 
+static int
+pf_check_rule_addr(const struct pf_rule_addr *addr)
+{
+
+   switch (addr->addr.type) {
+   case PF_ADDR_ADDRMASK:
+   case PF_ADDR_NOROUTE:
+   case PF_ADDR_DYNIFTL:
+   case PF_ADDR_TABLE:
+   case PF_ADDR_URPFFAILED:
+   case PF_ADDR_RANGE:
+   break;
+   default:
+   return (EINVAL);
+   }
+
+   if (addr->addr.p.dyn != NULL) {
+   return (EINVAL);
+   }
+
+   return (0);
+}
+
 static int
 pf_rule_to_krule(const struct pf_rule *rule, struct pf_krule *krule)
 {
+   int ret;
 
 #ifndef INET
if (rule->af == AF_INET) {
@@ -1572,23 +1596,12 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
}
 #endif /* INET6 */
 
-   if (rule->src.addr.type != PF_ADDR_ADDRMASK &&
-   rule->src.addr.type != PF_ADDR_DYNIFTL &&
-   rule->src.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->src.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
-
-   if (rule->dst.addr.type != PF_ADDR_ADDRMASK &&
-   rule->dst.addr.type != PF_ADDR_DYNIFTL &&
-   rule->dst.addr.type != PF_ADDR_TABLE) {
-   return (EINVAL);
-   }
-   if (rule->dst.addr.p.dyn != NULL) {
-   return (EINVAL);
-   }
+   ret = pf_check_rule_addr(&rule->src);
+   if (ret != 0)
+   return (ret);
+   ret = pf_check_rule_addr(&rule->dst);
+   if (ret != 0)
+   return (ret);
 
bzero(krule, sizeof(*krule));
 


git: 23f8fe51af0b - releng/13.0 - Widen ifnet_detach_sxlock coverage

2021-02-17 Thread Kristof Provost
The branch releng/13.0 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=23f8fe51af0b192857feef2d19be2aa8eb888000

commit 23f8fe51af0b192857feef2d19be2aa8eb888000
Author: Kristof Provost 
AuthorDate: 2021-02-08 09:04:27 +
Commit: Kristof Provost 
CommitDate: 2021-02-17 16:49:28 +

Widen ifnet_detach_sxlock coverage

Widen the ifnet_detach_sxlock to cover the entire vnet sysuninit code.
This ensures that we can't end up having the vnet_sysuninit free the UDP
pcb while the detach code is running and trying to purge the UDP pcb.

Approved by:re (gjb)
MFC after:  1 week
Differential Revision:  https://reviews.freebsd.org/D28530

(cherry picked from commit 6d2a10d96fb5d4ee42fd67b0b07a6d098db5d55a)
(cherry picked from commit 05530211165f59b8dabc02adaf26ea29c2726ebc)
---
 sys/net/if.c   | 13 ++---
 sys/net/if.h   |  3 +++
 sys/net/vnet.c |  2 ++
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/sys/net/if.c b/sys/net/if.c
index 74fdd066fd2d..c85cfab19bf6 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -315,7 +315,8 @@ struct sx ifnet_sxlock;
 SX_SYSINIT_FLAGS(ifnet_sx, &ifnet_sxlock, "ifnet_sx", SX_RECURSE);
 
 struct sx ifnet_detach_sxlock;
-SX_SYSINIT(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx");
+SX_SYSINIT_FLAGS(ifnet_detach, &ifnet_detach_sxlock, "ifnet_detach_sx",
+SX_RECURSE);
 
 /*
  * The allocation of network interfaces is a rather non-atomic affair; we
@@ -546,9 +547,7 @@ vnet_if_return(const void *unused __unused)
IFNET_WUNLOCK();
 
for (int j = 0; j < i; j++) {
-   sx_xlock(&ifnet_detach_sxlock);
if_vmove(pending[j], pending[j]->if_home_vnet);
-   sx_xunlock(&ifnet_detach_sxlock);
}
 
free(pending, M_IFNET);
@@ -1124,9 +1123,9 @@ if_detach(struct ifnet *ifp)
CURVNET_SET_QUIET(ifp->if_vnet);
found = if_unlink_ifnet(ifp, false);
if (found) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
if_detach_internal(ifp, 0, NULL);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
CURVNET_RESTORE();
 }
@@ -3015,9 +3014,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, 
struct thread *td)
error = priv_check(td, PRIV_NET_IFDESTROY);
 
if (error == 0) {
-   sx_slock(&ifnet_detach_sxlock);
+   sx_xlock(&ifnet_detach_sxlock);
error = if_clone_destroy(ifr->ifr_name);
-   sx_sunlock(&ifnet_detach_sxlock);
+   sx_xunlock(&ifnet_detach_sxlock);
}
goto out_noref;
 
diff --git a/sys/net/if.h b/sys/net/if.h
index a886474780dd..83597a7d390a 100644
--- a/sys/net/if.h
+++ b/sys/net/if.h
@@ -604,6 +604,9 @@ struct ifdownreason {
 MALLOC_DECLARE(M_IFADDR);
 MALLOC_DECLARE(M_IFMADDR);
 #endif
+
+extern struct sx ifnet_detach_sxlock;
+
 #endif
 
 #ifndef _KERNEL
diff --git a/sys/net/vnet.c b/sys/net/vnet.c
index c5dafedbc6b2..2480fc8dd86c 100644
--- a/sys/net/vnet.c
+++ b/sys/net/vnet.c
@@ -283,7 +283,9 @@ vnet_destroy(struct vnet *vnet)
vnet->vnet_shutdown = true;
 
CURVNET_SET_QUIET(vnet);
+   sx_xlock(&ifnet_detach_sxlock);
vnet_sysuninit();
+   sx_xunlock(&ifnet_detach_sxlock);
CURVNET_RESTORE();
 
/*


git: 2ed689a674c3 - main - pf: Fix osfp configuration

2021-02-18 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2ed689a674c380e48245933d5326da4dda65f94d

commit 2ed689a674c380e48245933d5326da4dda65f94d
Author: Kristof Provost 
AuthorDate: 2021-02-18 07:36:46 +
Commit: Kristof Provost 
CommitDate: 2021-02-18 07:38:28 +

pf: Fix osfp configuration

pf_rule_to_krule() incorrectly converted the rule osfp configuration to
the krule structure.

Reported by:delphij@
MFC after:  3 days
---
 sys/netpfil/pf/pf_ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index ea71664756d7..c32a961f5a0b 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1623,7 +1623,7 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
/* Don't allow userspace to set evaulations, packets or bytes. */
/* kif, anchor, overload_tbl are not copied over. */
 
-   krule->os_fingerprint = krule->os_fingerprint;
+   krule->os_fingerprint = rule->os_fingerprint;
 
krule->rtableid = rule->rtableid;
bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));


Re: git: 2fe5a79425c7 - main - Fix dst/netmask handling in routing socket code.

2021-02-19 Thread Kristof Provost

On 16 Feb 2021, at 21:31, Alexander V. Chernikov wrote:

The branch main has been updated by melifaro:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2fe5a79425c79f7b828acd91da66d97230925fc8


commit 2fe5a79425c79f7b828acd91da66d97230925fc8
Author: Alexander V. Chernikov 
AuthorDate: 2021-02-16 20:30:04 +
Commit: Alexander V. Chernikov 
CommitDate: 2021-02-16 20:30:04 +

Fix dst/netmask handling in routing socket code.

Traditionally routing socket code did almost zero checks on
 the input message except for the most basic size checks.

This resulted in the unclear KPI boundary for the routing system 
code

 (`rtrequest*` and now `rib_action()`) w.r.t message validness.

Multiple potential problems and nuances exist:
* Host bits in RTAX_DST sockaddr. Existing applications do send 
prefixes
 with hostbits uncleared. Even `route(8)` does this, as they hope 
the kernel
 would do the job of fixing it. Code inside `rib_action()` needs 
to handle

 it on its own (see `rt_maskedcopy()` ugly hack).
* There are multiple way of adding the host route: it can be DST 
without
 netmask or DST with /32(/128) netmask. Also, RTF_HOST has to be 
set correspondingly.
 Currently, these 2 options create 2 DIFFERENT routes in the 
kernel.
* no sockaddr length/content checking for the "secondary" fields 
exists: nothing
 stops rtsock application to send sockaddr_in with length of 25 
(instead of 16).
 Kernel will accept it, install to RIB as is and propagate to all 
rtsock consumers,
 potentially triggering bugs in their code. Same goes for 
sin_port, sin_zero, etc.


The goal of this change is to make rtsock verify all sockaddr and 
prefix consistency.
Said differently, `rib_action()` or internals should NOT require 
to change any of the
 sockaddrs supplied by `rt_addrinfo` structure due to 
incorrectness.


To be more specific, this change implements the following:
* sockaddr cleanup/validation check is added immediately after 
getting sockaddrs from rtm.
* Per-family dst/netmask checks clears host bits in dst and zeros 
all dst/netmask "secondary" fields.
* The same netmask checking code converts /32(/128) netmasks to 
"host" route case

 (NULL netmask, RTF_HOST), removing the dualism.
* Instead of allowing ANY "known" sockaddr families (0<..allow only actually

 supported ones (inet, inet6, link).
* Automatically convert `sockaddr_sdl` (AF_LINK) gateways to
  `sockaddr_sdl_short`.

Reported by:Guy Yur 
Reviewed By:donner
Differential Revision: https://reviews.freebsd.org/D28668
MFC after:  3 days
---
 sys/net/rtsock.c  | 201 
+-

 tests/sys/net/routing/rtsock_common.h |   4 -
 2 files changed, 195 insertions(+), 10 deletions(-)




+static int
+cleanup_xaddrs_inet(struct rt_addrinfo *info)
+{
+   struct sockaddr_in *dst_sa, *mask_sa;
+
+   /* Check & fixup dst/netmask combination first */
+   dst_sa = (struct sockaddr_in *)info->rti_info[RTAX_DST];
+   mask_sa = (struct sockaddr_in *)info->rti_info[RTAX_NETMASK];
+
+   struct in_addr mask = {
+   .s_addr = mask_sa ? mask_sa->sin_addr.s_addr : INADDR_BROADCAST,
+   };
+   struct in_addr dst = {
+		.s_addr = htonl(ntohl(dst_sa->sin_addr.s_addr) & 
ntohl(mask.s_addr))

+   };
+
This breaks things like `arp -d 10.0.2.1`. It always masks off the 
network address, which is the right thing to do in the routing table, 
but not in the arp table.


I’ve worked around it for now with this hack:

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3c1fea497af6..533076db99a5 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
	@@ -638,9 +638,12 @@ fill_addrinfo(struct rt_msghdr *rtm, int len, 
u_int fibnum, struct rt_addrinfo *

return (EINVAL);

info->rti_flags = rtm->rtm_flags;
-   error = cleanup_xaddrs(info);
-   if (error != 0)
-   return (error);
+   /* XXX HACK */
+   if (! (rtm->rtm_flags & RTF_LLDATA)) {
+   error = cleanup_xaddrs(info);
+   if (error != 0)
+   return (error);
+   }
saf = info->rti_info[RTAX_DST]->sa_family;
/*
	 * Verify that the caller has the appropriate privilege; 
RTM_GET
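Review bot: Skipping cleanup_xaddrs() whenever RTF_LLDATA is set turns off all of the new sockaddr validation for link-layer entries, not just the host-bit masking that breaks `arp -d`; the length and family checks the commit introduced are then bypassed for exactly the messages that go on to the lltable code, and the flag that decides this comes from the user-supplied rtm. A narrower shape is to keep calling cleanup_xaddrs() and have it, or cleanup_xaddrs_inet(), skip only the `dst & mask` step when `info->rti_flags & RTF_LLDATA` is set, which is what the second diff in the follow-up message appears to head towards. fill_addrinfo() starts before this hunk; the same hunk is repeated at lines 3073–3091.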


But I’m not totally happy with this, obviously.

Best regards,
Kristof


Re: git: 2fe5a79425c7 - main - Fix dst/netmask handling in routing socket code.

2021-02-19 Thread Kristof Provost

On 19 Feb 2021, at 16:24, Kristof Provost wrote:

On 16 Feb 2021, at 21:31, Alexander V. Chernikov wrote:

The branch main has been updated by melifaro:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2fe5a79425c79f7b828acd91da66d97230925fc8


commit 2fe5a79425c79f7b828acd91da66d97230925fc8
Author: Alexander V. Chernikov 
AuthorDate: 2021-02-16 20:30:04 +
Commit: Alexander V. Chernikov 
CommitDate: 2021-02-16 20:30:04 +

Fix dst/netmask handling in routing socket code.

Traditionally routing socket code did almost zero checks on
 the input message except for the most basic size checks.

This resulted in the unclear KPI boundary for the routing system 
code

 (`rtrequest*` and now `rib_action()`) w.r.t message validness.

Multiple potential problems and nuances exist:
* Host bits in RTAX_DST sockaddr. Existing applications do send 
prefixes
 with hostbits uncleared. Even `route(8)` does this, as they hope 
the kernel
 would do the job of fixing it. Code inside `rib_action()` needs 
to handle

 it on its own (see `rt_maskedcopy()` ugly hack).
* There are multiple way of adding the host route: it can be DST 
without
 netmask or DST with /32(/128) netmask. Also, RTF_HOST has to be 
set correspondingly.
 Currently, these 2 options create 2 DIFFERENT routes in the 
kernel.
* no sockaddr length/content checking for the "secondary" fields 
exists: nothing
 stops rtsock application to send sockaddr_in with length of 25 
(instead of 16).
 Kernel will accept it, install to RIB as is and propagate to all 
rtsock consumers,
 potentially triggering bugs in their code. Same goes for 
sin_port, sin_zero, etc.


The goal of this change is to make rtsock verify all sockaddr and 
prefix consistency.
Said differently, `rib_action()` or internals should NOT require 
to change any of the
 sockaddrs supplied by `rt_addrinfo` structure due to 
incorrectness.


To be more specific, this change implements the following:
* sockaddr cleanup/validation check is added immediately after 
getting sockaddrs from rtm.
* Per-family dst/netmask checks clears host bits in dst and zeros 
all dst/netmask "secondary" fields.
* The same netmask checking code converts /32(/128) netmasks to 
"host" route case

 (NULL netmask, RTF_HOST), removing the dualism.
* Instead of allowing ANY "known" sockaddr families 
(0<..
 supported ones (inet, inet6, link).
* Automatically convert `sockaddr_sdl` (AF_LINK) gateways to
  `sockaddr_sdl_short`.

Reported by:Guy Yur 
Reviewed By:donner
Differential Revision: https://reviews.freebsd.org/D28668
MFC after:  3 days
---
 sys/net/rtsock.c  | 201 
+-

 tests/sys/net/routing/rtsock_common.h |   4 -
 2 files changed, 195 insertions(+), 10 deletions(-)




+static int
+cleanup_xaddrs_inet(struct rt_addrinfo *info)
+{
+   struct sockaddr_in *dst_sa, *mask_sa;
+
+   /* Check & fixup dst/netmask combination first */
+   dst_sa = (struct sockaddr_in *)info->rti_info[RTAX_DST];
+   mask_sa = (struct sockaddr_in *)info->rti_info[RTAX_NETMASK];
+
+   struct in_addr mask = {
+   .s_addr = mask_sa ? mask_sa->sin_addr.s_addr : INADDR_BROADCAST,
+   };
+   struct in_addr dst = {
+		.s_addr = htonl(ntohl(dst_sa->sin_addr.s_addr) & 
ntohl(mask.s_addr))

+   };
+
This breaks things like `arp -d 10.0.2.1`. It always masks off the 
network address, which is the right thing to do in the routing table, 
but not in the arp table.


I’ve worked around it for now with this hack:

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3c1fea497af6..533076db99a5 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
	@@ -638,9 +638,12 @@ fill_addrinfo(struct rt_msghdr *rtm, int len, 
u_int fibnum, struct rt_addrinfo *

return (EINVAL);

info->rti_flags = rtm->rtm_flags;
-   error = cleanup_xaddrs(info);
-   if (error != 0)
-   return (error);
+   /* XXX HACK */
+   if (! (rtm->rtm_flags & RTF_LLDATA)) {
+   error = cleanup_xaddrs(info);
+   if (error != 0)
+   return (error);
+   }
saf = info->rti_info[RTAX_DST]->sa_family;
/*
	 * Verify that the caller has the appropriate privilege; 
RTM_GET


But I’m not totally happy with this, obviously.


This may be a bit more reasonable:

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3c1fea497af6..5147b92e95d5 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1393,6 +1393,10 @@ cleanup_xaddrs_inet(struct rt_addrinfo *info)
	 

Re: git: 0ee0dbfb0d26 - main - Merge libcxxrt master 8049924686b8414d8e652cbd2a52c763b48e8456

2021-02-19 Thread Kristof Provost

On 18 Feb 2021, at 22:30, Dimitry Andric wrote:

The branch main has been updated by dim:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0ee0dbfb0d26cf4bc37f24f12e76c7f532b0f368


commit 0ee0dbfb0d26cf4bc37f24f12e76c7f532b0f368
Merge: 04d2d2d7fd22 3f8a54b20893
Author: Dimitry Andric 
AuthorDate: 2021-02-18 21:30:27 +
Commit: Dimitry Andric 
CommitDate: 2021-02-18 21:30:27 +

Merge libcxxrt master 8049924686b8414d8e652cbd2a52c763b48e8456

Interesting fixes:
b3c73ba libelftc_dem_gnu3: Sync with elftoolchain r3877
7b2335c Mostly fix __cxa_demangle after #3

Reported by:arichardson
PR: 253226
MFC after:  3 days


With this commit I see kyua crashing with a bus error on amd64.

Best regards,
Kristof


git: 9823eb6909fc - stable/13 - pf: Fix osfp configuration

2021-02-21 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9823eb6909fcd82bb9d70e77037542e527e3d6ff

commit 9823eb6909fcd82bb9d70e77037542e527e3d6ff
Author: Kristof Provost 
AuthorDate: 2021-02-18 07:36:46 +
Commit: Kristof Provost 
CommitDate: 2021-02-21 11:48:20 +

pf: Fix osfp configuration

pf_rule_to_krule() incorrectly converted the rule osfp configuration to
the krule structure.

Reported by:delphij@
MFC after:  3 days

(cherry picked from commit 2ed689a674c380e48245933d5326da4dda65f94d)
---
 sys/netpfil/pf/pf_ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index edc8443dcc0a..bd8896cfb772 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1623,7 +1623,7 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
/* Don't allow userspace to set evaulations, packets or bytes. */
/* kif, anchor, overload_tbl are not copied over. */
 
-   krule->os_fingerprint = krule->os_fingerprint;
+   krule->os_fingerprint = rule->os_fingerprint;
 
krule->rtableid = rule->rtableid;
bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));


git: e26f82b9e6fb - stable/12 - pf: Fix osfp configuration

2021-02-21 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e26f82b9e6fbea402c090f0d1699f969b5f92caf

commit e26f82b9e6fbea402c090f0d1699f969b5f92caf
Author: Kristof Provost 
AuthorDate: 2021-02-18 07:36:46 +
Commit: Kristof Provost 
CommitDate: 2021-02-21 11:48:13 +

pf: Fix osfp configuration

pf_rule_to_krule() incorrectly converted the rule osfp configuration to
the krule structure.

Reported by:delphij@
MFC after:  3 days

(cherry picked from commit 2ed689a674c380e48245933d5326da4dda65f94d)
---
 sys/netpfil/pf/pf_ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index edf147699235..c3e8d0459c88 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1624,7 +1624,7 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
/* Don't allow userspace to set evaulations, packets or bytes. */
/* kif, anchor, overload_tbl are not copied over. */
 
-   krule->os_fingerprint = krule->os_fingerprint;
+   krule->os_fingerprint = rule->os_fingerprint;
 
krule->rtableid = rule->rtableid;
bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));


git: a310973472b5 - releng/13.0 - pf: Fix osfp configuration

2021-02-21 Thread Kristof Provost
The branch releng/13.0 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a310973472b56a1c224ba76ffaa5adff7211f244

commit a310973472b56a1c224ba76ffaa5adff7211f244
Author: Kristof Provost 
AuthorDate: 2021-02-18 07:36:46 +
Commit: Kristof Provost 
CommitDate: 2021-02-21 16:31:27 +

pf: Fix osfp configuration

pf_rule_to_krule() incorrectly converted the rule osfp configuration to
the krule structure.

Approved by:re (kib)
Reported by:delphij@
MFC after:  3 days

(cherry picked from commit 2ed689a674c380e48245933d5326da4dda65f94d)
(cherry picked from commit 9823eb6909fcd82bb9d70e77037542e527e3d6ff)
---
 sys/netpfil/pf/pf_ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index edc8443dcc0a..bd8896cfb772 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1623,7 +1623,7 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
/* Don't allow userspace to set evaulations, packets or bytes. */
/* kif, anchor, overload_tbl are not copied over. */
 
-   krule->os_fingerprint = krule->os_fingerprint;
+   krule->os_fingerprint = rule->os_fingerprint;
 
krule->rtableid = rule->rtableid;
bcopy(rule->timeout, krule->timeout, sizeof(krule->timeout));


git: 5d3b3e47a68b - stable/13 - pf: duplicate frames only once when using dup-to pf rule

2021-02-23 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5d3b3e47a68bf16b054add5f696d80789d1cb738

commit 5d3b3e47a68bf16b054add5f696d80789d1cb738
Author: Yannis Planus 
AuthorDate: 2021-01-28 13:59:07 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 11:46:24 +

pf: duplicate frames only once when using dup-to pf rule

When using DUP-TO rule, frames are duplicated 3 times on both output
interfaces and duplication interface. Add a flag to not duplicate a
duplicated frame.

Inspired by a patch from Miłosz Kaniewski milosz.kaniewski at gmail.com
https://lists.freebsd.org/pipermail/freebsd-pf/2015-November/007886.html

Reviewed by:kp@
Differential Revision:  https://reviews.freebsd.org/D27018

(cherry picked from commit 0c458752ceee14818034df7bfcdfb04129dceeda)
---
 sys/netpfil/pf/pf.c  | 50 ++--
 sys/netpfil/pf/pf_mtag.h |  1 +
 2 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 4cccb0101650..86354e69d11f 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5488,10 +5488,29 @@ pf_route(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
}
 
if (r->rt == PF_DUPTO) {
-   if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
-   if (s)
+   if ((pd->pf_mtag->flags & PF_DUPLICATED)) {
+   if (s == NULL) {
+   ifp = r->rpool.cur->kif ?
+   r->rpool.cur->kif->pfik_ifp : NULL;
+   } else {
+   ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
PF_STATE_UNLOCK(s);
-   return;
+   }
+   if (ifp == oifp) {
+   /* When the 2nd interface is not skipped */
+   return;
+   } else {
+   m0 = *m;
+   *m = NULL;
+   goto bad;
+   }
+   } else {
+   pd->pf_mtag->flags |= PF_DUPLICATED;
+   if (((m0 = m_dup(*m, M_NOWAIT)) == NULL)) {
+   if (s)
+   PF_STATE_UNLOCK(s);
+   return;
+   }
}
} else {
if ((r->rt == PF_REPLYTO) == (r->direction == dir)) {
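Review bot: The comment `/* When the 2nd interface is not skipped */` on the `ifp == oifp` return does not explain the decision; something like `/* Already duplicated: let the copy leave on its own interface, drop it anywhere else. */` would tell the reader why one branch returns and the other does `goto bad`. In the same block `pd->pf_mtag->flags` is read and written with no NULL check on pd->pf_mtag inside the hunk; if pf_route() does not guarantee the tag is attached before this point (its start is outside the hunk), a guard is needed. The doubled parentheses in `if (((m0 = m_dup(*m, M_NOWAIT)) == NULL))` are a style nit, and the whole block is repeated verbatim in pf_route6() (hunk ending at line 3392), which argues for a small shared helper.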
@@ -5649,10 +5668,29 @@ pf_route6(struct mbuf **m, struct pf_krule *r, int dir, 
struct ifnet *oifp,
}
 
if (r->rt == PF_DUPTO) {
-   if ((m0 = m_dup(*m, M_NOWAIT)) == NULL) {
-   if (s)
+   if ((pd->pf_mtag->flags & PF_DUPLICATED)) {
+   if (s == NULL) {
+   ifp = r->rpool.cur->kif ?
+   r->rpool.cur->kif->pfik_ifp : NULL;
+   } else {
+   ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
PF_STATE_UNLOCK(s);
-   return;
+   }
+   if (ifp == oifp) {
+   /* When the 2nd interface is not skipped */
+   return;
+   } else {
+   m0 = *m;
+   *m = NULL;
+   goto bad;
+   }
+   } else {
+   pd->pf_mtag->flags |= PF_DUPLICATED;
+   if (((m0 = m_dup(*m, M_NOWAIT)) == NULL)) {
+   if (s)
+   PF_STATE_UNLOCK(s);
+   return;
+   }
}
} else {
if ((r->rt == PF_REPLYTO) == (r->direction == dir)) {
diff --git a/sys/netpfil/pf/pf_mtag.h b/sys/netpfil/pf/pf_mtag.h
index 67c79350e8eb..ad28ab7a7c30 100644
--- a/sys/netpfil/pf/pf_mtag.h
+++ b/sys/netpfil/pf/pf_mtag.h
@@ -42,6 +42,7 @@
 #definePF_PACKET_LOOPED0x08
 #definePF_FASTFWD_OURS_PRESENT 0x10
 #definePF_REASSEMBLED  0x20
+#definePF_DUPLICATED   0x40
 
 struct pf_mtag {
void*hdr;   /* saved hdr pos in mbuf, for ECN */


git: 46b600875685 - stable/13 - pf tests: Test that dup-to doesn't produce extra duplicate packets

2021-02-23 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=46b6008756858eae5bef28fe0fa4d87e8913ab38

commit 46b6008756858eae5bef28fe0fa4d87e8913ab38
Author: Kristof Provost 
AuthorDate: 2021-01-28 10:02:20 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 11:46:25 +

pf tests: Test that dup-to doesn't produce extra duplicate packets

(cherry picked from commit cd579b6fba46b9f5005358d1e82def7b26703224)
---
 tests/sys/netpfil/common/pft_ping.py | 32 ++
 tests/sys/netpfil/common/sniffer.py  |  7 +++-
 tests/sys/netpfil/pf/Makefile|  1 +
 tests/sys/netpfil/pf/dup.sh  | 81 
 4 files changed, 119 insertions(+), 2 deletions(-)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index d960426e4b42..812250803309 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -34,6 +34,27 @@ from sniffer import Sniffer
 
 PAYLOAD_MAGIC = bytes.fromhex('42c0ffee')
 
+dup_found = 0
+
+def check_dup(args, packet):
+   """
+   Verify that this is an ICMP packet, and that we only see one
+   """
+   global dup_found
+
+   icmp = packet.getlayer(sp.ICMP)
+   if not icmp:
+   return False
+
+   raw = packet.getlayer(sp.Raw)
+   if not raw:
+   return False
+   if raw.load != PAYLOAD_MAGIC:
+   return False
+
+   dup_found = dup_found + 1
+   return False
+
 def check_ping_request(args, packet):
if args.ip6:
return check_ping6_request(args, packet)
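Review bot: The docstring of `check_dup` says it verifies "that we only see one", but the function only counts matching packets into the global `dup_found` and always returns False; the `!= 1` decision is made in main(). A docstring such as `"""Count ICMP packets carrying PAYLOAD_MAGIC in dup_found; main() checks the total."""` describes the actual contract. The filter also does not inspect the ICMP type, so on an interface that sees both the echo request and its reply it would count two packets — worth confirming against the test topology. `dup_found += 1` is the idiomatic increment.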
@@ -169,6 +190,8 @@ def main():
help='The interface through which the packet(s) will be sent')
parser.add_argument('--recvif', nargs=1,
help='The interface on which to expect the ICMP echo response')
+   parser.add_argument('--checkdup', nargs=1,
+   help='The interface on which to expect the duplicated ICMP 
packets')
parser.add_argument('--ip6', action='store_true',
help='Use IPv6')
parser.add_argument('--to', nargs=1,
@@ -202,6 +225,10 @@ def main():
 
sniffer = Sniffer(args, checkfn)
 
+   dupsniffer = None
+   if args.checkdup is not None:
+   dupsniffer = Sniffer(args, check_dup, recvif=args.checkdup[0])
+
if args.tcpsyn:
tcpsyn(args.sendif[0], args.to[0], args)
else:
@@ -210,6 +237,11 @@ def main():
else:
ping(args.sendif[0], args.to[0], args)
 
+   if dupsniffer:
+   dupsniffer.join()
+   if dup_found != 1:
+   sys.exit(1)
+
if sniffer:
sniffer.join()
 
diff --git a/tests/sys/netpfil/common/sniffer.py 
b/tests/sys/netpfil/common/sniffer.py
index 58df32cce276..200ac750dd7f 100644
--- a/tests/sys/netpfil/common/sniffer.py
+++ b/tests/sys/netpfil/common/sniffer.py
@@ -30,11 +30,14 @@ import threading
 import scapy.all as sp
 
 class Sniffer(threading.Thread):
-   def __init__(self, args, check_function):
+   def __init__(self, args, check_function, recvif=None):
threading.Thread.__init__(self)
 
self._args = args
-   self._recvif = args.recvif[0]
+   if recvif is not None:
+   self._recvif = recvif
+   else:
+   self._recvif = args.recvif[0]
self._check_function = check_function
self.foundCorrectPacket = False
 
diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 68f54c801297..6b1e34b69a6d 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -7,6 +7,7 @@ TESTS_SUBDIRS+= ioctl
 
 ATF_TESTS_SH+= anchor \
checksum \
+   dup \
forward \
fragmentation \
icmp \
diff --git a/tests/sys/netpfil/pf/dup.sh b/tests/sys/netpfil/pf/dup.sh
new file mode 100644
index ..7b9a91804e96
--- /dev/null
+++ b/tests/sys/netpfil/pf/dup.sh
@@ -0,0 +1,81 @@
+# $FreeBSD$
+#
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2021 Kristof Provost 
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#notice, this list of conditions and the following disclaimer in the
+#documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUT

git: 04535d6a572a - stable/13 - pf tests: Test unicast reverse path forwarding check

2021-02-23 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=04535d6a572ac63b448a5def4525947bd00d9f8a

commit 04535d6a572ac63b448a5def4525947bd00d9f8a
Author: Kristof Provost 
AuthorDate: 2021-02-15 21:16:36 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 11:46:25 +

pf tests: Test unicast reverse path forwarding check

Ensure that pf's urpf-failed keyword works as expected.

PR: 253479
MFC after:  1 week
Reviewed by:melifaro@
Differential Revision:  https://reviews.freebsd.org/D28694

(cherry picked from commit 6b52139eb8e8eda0ea263b24735556194f918642)
---
 tests/sys/netpfil/common/pft_ping.py | 52 
 tests/sys/netpfil/pf/pass_block.sh   | 67 
 2 files changed, 119 insertions(+)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index 812250803309..957123e4f6f8 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -115,6 +115,35 @@ def check_ping6_request(args, packet):
 
return True
 
+def check_ping_reply(args, packet):
+   return check_ping4_reply(args, packet)
+
+def check_ping4_reply(args, packet):
+   """
+   Check that this is a reply to the ping request we sent
+   """
+   dst_ip = args.to[0]
+
+   ip = packet.getlayer(sp.IP)
+   if not ip:
+   return False
+   if ip.src != dst_ip:
+   return False
+
+   icmp = packet.getlayer(sp.ICMP)
+   if not icmp:
+   return False
+   if sp.icmptypes[icmp.type] != 'echo-reply':
+   return False
+
+   raw = packet.getlayer(sp.Raw)
+   if not raw:
+   return False
+   if raw.load != PAYLOAD_MAGIC:
+   return False
+
+   return True
+
 def ping(send_if, dst_ip, args):
ether = sp.Ether()
ip = sp.IP(dst=dst_ip)
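Review bot: `check_ping_reply` dispatches only to `check_ping4_reply`, unlike `check_ping_request`, which branches on `args.ip6`; with `--ip6 --replyif` the reply sniffer looks for an `sp.IP` layer and never matches, so the test fails for the wrong reason. Either add a `check_ping6_reply` counterpart and dispatch on `args.ip6` here, or reject the `--ip6`/`--replyif` combination in main() with an explicit error.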
@@ -124,6 +153,9 @@ def ping(send_if, dst_ip, args):
if args.send_tos:
ip.tos = int(args.send_tos[0])
 
+   if args.fromaddr:
+   ip.src = args.fromaddr[0]
+
req = ether / ip / icmp / raw
sp.sendp(req, iface=send_if, verbose=False)
 
@@ -132,6 +164,9 @@ def ping6(send_if, dst_ip, args):
ip6 = sp.IPv6(dst=dst_ip)
icmp = sp.ICMPv6EchoRequest(data=sp.raw(PAYLOAD_MAGIC))
 
+   if args.fromaddr:
+   ip.src = args.fromaddr[0]
+
req = ether / ip6 / icmp
sp.sendp(req, iface=send_if, verbose=False)
 
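Review bot: `ip.src = args.fromaddr[0]` in ping6() references a name `ip` that this function never defines; the IPv6 header two lines above is `ip6`, so `--ip6 --fromaddr` raises NameError. The line should read `ip6.src = args.fromaddr[0]`. ping6's body continues outside the hunk.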
@@ -189,6 +224,8 @@ def main():
required=True,
help='The interface through which the packet(s) will be sent')
parser.add_argument('--recvif', nargs=1,
+   help='The interface on which to expect the ICMP echo request')
+   parser.add_argument('--replyif', nargs=1,
help='The interface on which to expect the ICMP echo response')
parser.add_argument('--checkdup', nargs=1,
help='The interface on which to expect the duplicated ICMP 
packets')
@@ -197,6 +234,8 @@ def main():
parser.add_argument('--to', nargs=1,
required=True,
help='The destination IP address for the ICMP echo request')
+   parser.add_argument('--fromaddr', nargs=1,
+   help='The source IP address for the ICMP echo request')
 
# TCP options
parser.add_argument('--tcpsyn', action='store_true',
@@ -225,6 +264,11 @@ def main():
 
sniffer = Sniffer(args, checkfn)
 
+   replysniffer = None
+   if not args.replyif is None:
+   checkfn=check_ping_reply
+   replysniffer = Sniffer(args, checkfn, recvif=args.replyif[0])
+
dupsniffer = None
if args.checkdup is not None:
dupsniffer = Sniffer(args, check_dup, recvif=args.checkdup[0])
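Review bot: `if not args.replyif is None:` should be `if args.replyif is not None:` (PEP 8 E714), matching the `args.checkdup is not None` check directly below it. Rebinding `checkfn=check_ping_reply` after `sniffer` has already been constructed with the previous `checkfn` is confusing to read; passing `check_ping_reply` straight into `Sniffer(args, check_ping_reply, recvif=args.replyif[0])` avoids the rebinding and the missing spaces around `=`.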
@@ -250,5 +294,13 @@ def main():
else:
sys.exit(1)
 
+   if replysniffer:
+   replysniffer.join()
+
+   if replysniffer.foundCorrectPacket:
+   sys.exit(0)
+   else:
+   sys.exit(1)
+
 if __name__ == '__main__':
main()
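Review bot: The new `replysniffer` verdict at the end of main() is only reached if the preceding `sniffer` block, whose start lies outside the hunk, falls through in at least one branch; the visible `else: sys.exit(1)` context suggests both branches of that block exit, in which case the reply check is dead code whenever a request sniffer exists. Worth confirming; if so, the reply result should be combined with the request result into one final verdict rather than appended after an unconditional exit.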
diff --git a/tests/sys/netpfil/pf/pass_block.sh 
b/tests/sys/netpfil/pf/pass_block.sh
index 139adb43bddd..589b89891729 100644
--- a/tests/sys/netpfil/pf/pass_block.sh
+++ b/tests/sys/netpfil/pf/pass_block.sh
@@ -27,6 +27,8 @@
 
 . $(atf_get_srcdir)/utils.subr
 
+common_dir=$(atf_get_srcdir)/../common
+
 atf_test_case "v4" "cleanup"
 v4_head()
 {
@@ -189,10 +191,75 @@ nested_inline_cleanup()
pft_cleanup
 }
 
+atf_test_case "urpf" "cleanup"
+urpf_head()
+{
+   atf_set de

git: 711ed156b945 - main - bridge: Support STP on VLAN devices

2021-02-23 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=711ed156b94562c3dcb2ee9c1b3f240f960a75d2

commit 711ed156b94562c3dcb2ee9c1b3f240f960a75d2
Author: Kristof Provost 
AuthorDate: 2021-02-20 09:11:30 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 12:54:06 +

bridge: Support STP on VLAN devices

VLAN devices have type IFT_L2VLAN, so the STP code mistakenly believed
they couldn't be used for STP. That's not the case, so add IFT_L2VLAN
to the check.

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28857
---
 sys/net/bridgestp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index a8bb51c11f51..c36dc61d1397 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -2232,6 +2232,7 @@ bstp_enable(struct bstp_port *bp)
 
switch (ifp->if_type) {
case IFT_ETHER: /* These can do spanning tree. */
+   case IFT_L2VLAN:
break;
default:
/* Nothing else can. */


git: 89fa9c34d76b - main - bridge/stp: Ensure we enter NET_EPOCH whenever we can send traffic

2021-02-23 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=89fa9c34d76bbf85cd7cda60c1868f5e3dba4ec7

commit 89fa9c34d76bbf85cd7cda60c1868f5e3dba4ec7
Author: Kristof Provost 
AuthorDate: 2021-02-21 20:18:46 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 12:54:07 +

bridge/stp: Ensure we enter NET_EPOCH whenever we can send traffic

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28858
---
 sys/net/bridgestp.c | 9 +
 sys/net/if_bridge.c | 9 -
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index c36dc61d1397..82524440c241 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -154,6 +154,8 @@ static void bstp_reinit(struct bstp_state *);
 static void
 bstp_transmit(struct bstp_state *bs, struct bstp_port *bp)
 {
+   NET_EPOCH_ASSERT();
+
if (bs->bs_running == 0)
return;
 
@@ -346,6 +348,7 @@ bstp_send_bpdu(struct bstp_state *bs, struct bstp_port *bp,
struct ether_header *eh;
 
BSTP_LOCK_ASSERT(bs);
+   NET_EPOCH_ASSERT();
 
ifp = bp->bp_ifp;
 
@@ -923,6 +926,8 @@ bstp_update_state(struct bstp_state *bs, struct bstp_port 
*bp)
 static void
 bstp_update_roles(struct bstp_state *bs, struct bstp_port *bp)
 {
+   NET_EPOCH_ASSERT();
+
switch (bp->bp_role) {
case BSTP_ROLE_DISABLED:
/* Clear any flags if set */
@@ -1862,6 +1867,7 @@ bstp_disable_port(struct bstp_state *bs, struct bstp_port 
*bp)
 static void
 bstp_tick(void *arg)
 {
+   struct epoch_tracker et;
struct bstp_state *bs = arg;
struct bstp_port *bp;
 
@@ -1870,6 +1876,7 @@ bstp_tick(void *arg)
if (bs->bs_running == 0)
return;
 
+   NET_EPOCH_ENTER(et);
CURVNET_SET(bs->bs_vnet);
 
/* poll link events on interfaces that do not support linkstate */
@@ -1908,6 +1915,7 @@ bstp_tick(void *arg)
}
 
CURVNET_RESTORE();
+   NET_EPOCH_EXIT(et);
 
callout_reset(&bs->bs_bstpcallout, hz, bstp_tick, bs);
 }
@@ -2229,6 +2237,7 @@ bstp_enable(struct bstp_port *bp)
struct ifnet *ifp = bp->bp_ifp;
 
KASSERT(bp->bp_active == 0, ("already a bstp member"));
+   NET_EPOCH_ASSERT(); /* Because bstp_update_roles() causes traffic. */
 
switch (ifp->if_type) {
case IFT_ETHER: /* These can do spanning tree. */
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 7c4e48ff04c6..3dba672aa0fe 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1326,6 +1326,7 @@ bridge_ioctl_gifflags(struct bridge_softc *sc, void *arg)
 static int
 bridge_ioctl_sifflags(struct bridge_softc *sc, void *arg)
 {
+   struct epoch_tracker et;
struct ifbreq *req = arg;
struct bridge_iflist *bif;
struct bstp_port *bp;
@@ -1340,11 +1341,15 @@ bridge_ioctl_sifflags(struct bridge_softc *sc, void 
*arg)
/* SPAN is readonly */
return (EINVAL);
 
+   NET_EPOCH_ENTER(et);
+
if (req->ifbr_ifsflags & IFBIF_STP) {
if ((bif->bif_flags & IFBIF_STP) == 0) {
error = bstp_enable(&bif->bif_stp);
-   if (error)
+   if (error) {
+   NET_EPOCH_EXIT(et);
return (error);
+   }
}
} else {
if ((bif->bif_flags & IFBIF_STP) != 0)
@@ -1360,6 +1365,8 @@ bridge_ioctl_sifflags(struct bridge_softc *sc, void *arg)
/* Save the bits relating to the bridge */
bif->bif_flags = req->ifbr_ifsflags & IFBIFMASK;
 
+   NET_EPOCH_EXIT(et);
+
return (0);
 }
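Review bot: `NET_EPOCH_ENTER(et)` at the top of the STP block now needs a matching `NET_EPOCH_EXIT(et)` on every return path between it and the exit before `return (0)`; the hunk covers the `bstp_enable()` error return, but the stretch between the two hunks is not visible, so any other early return there would leave the epoch entered. A single `goto out` cleanup label, or entering the epoch only around the `bstp_enable()` call that the new assertion requires it for, would make the pairing verifiable at a glance.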
 


git: c139b3c19b52 - main - arp/nd: Cope with late calls to iflladdr_event

2021-02-23 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c139b3c19b52abe3b5ba23a8175e58e70c7a528d

commit c139b3c19b52abe3b5ba23a8175e58e70c7a528d
Author: Kristof Provost 
AuthorDate: 2021-02-22 07:19:43 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 12:54:07 +

arp/nd: Cope with late calls to iflladdr_event

When tearing down vnet jails we can move an if_bridge out (as
part of the normal vnet_if_return()). This can, when it's clearing out
its list of member interfaces, change its link layer address.
That sends an iflladdr_event, but at that point we've already freed the
AF_INET/AF_INET6 if_afdata pointers.

In other words: when the iflladdr_event callbacks fire we can't assume
that ifp->if_afdata[AF_INET] will be set.

Reviewed by:donner@, melifaro@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28860
---
 sys/netinet/if_ether.c | 4 
 sys/netinet6/nd6.c | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index e09ad3d47382..ef50ec9ca964 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -1479,6 +1479,10 @@ arp_handle_ifllchange(struct ifnet *ifp)
 static void
 arp_iflladdr(void *arg __unused, struct ifnet *ifp)
 {
+   /* if_bridge can update its lladdr during if_vmove(), after we've done
+* if_detach_internal()/dom_ifdetach(). */
+   if (ifp->if_afdata[AF_INET] == NULL)
+   return;
 
lltable_update_ifaddr(LLTABLE(ifp));
 
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 497c0bfc10e8..62f0ac733a23 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -208,6 +208,8 @@ nd6_lle_event(void *arg __unused, struct llentry *lle, int 
evt)
 static void
 nd6_iflladdr(void *arg __unused, struct ifnet *ifp)
 {
+   if (ifp->if_afdata[AF_INET6] == NULL)
+   return;
 
lltable_update_ifaddr(LLTABLE6(ifp));
 }
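Review bot: The NULL check added to `nd6_iflladdr` lacks the explanation its `arp_iflladdr` twin in if_ether.c carries, so a reader of nd6.c cannot tell why `if_afdata[AF_INET6]` may legitimately be NULL here; copy the comment: `/* if_bridge can update its lladdr during if_vmove(), after we've done if_detach_internal()/dom_ifdetach(). */`. In both hunks the comment should use the style(9) block form with `/*` on its own line rather than starting the text on the opening line.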


git: 26492ba2716f - main - bridge tests: Test STP on top of VLAN devices

2021-02-23 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=26492ba2716f8b839f743bb663ce47405990fdf0

commit 26492ba2716f8b839f743bb663ce47405990fdf0
Author: Kristof Provost 
AuthorDate: 2021-02-20 09:13:33 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 12:54:07 +

bridge tests: Test STP on top of VLAN devices

This is basically the same test as the existing STP test, but now on top
of VLAN interfaces instead of directly using the epair devices.

MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28861
---
 tests/sys/net/if_bridge_test.sh | 66 +
 1 file changed, 66 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index b848a03b273d..bc9add68ce25 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -124,6 +124,71 @@ stp_cleanup()
vnet_cleanup
 }
 
+atf_test_case "stp_vlan" "cleanup"
+stp_vlan_head()
+{
+   atf_set descr 'Spanning tree on VLAN test'
+   atf_set require.user root
+}
+
+stp_vlan_body()
+{
+   vnet_init
+
+   epair_one=$(vnet_mkepair)
+   epair_two=$(vnet_mkepair)
+   bridge_a=$(vnet_mkbridge)
+   bridge_b=$(vnet_mkbridge)
+
+   vnet_mkjail a ${bridge_a} ${epair_one}a ${epair_two}a
+   vnet_mkjail b ${bridge_b} ${epair_one}b ${epair_two}b
+
+   jexec a ifconfig ${epair_one}a up
+   jexec a ifconfig ${epair_two}a up
+   vlan_a_one=$(jexec a ifconfig vlan create vlandev ${epair_one}a vlan 42)
+   vlan_a_two=$(jexec a ifconfig vlan create vlandev ${epair_two}a vlan 42)
+   jexec a ifconfig ${vlan_a_one} up
+   jexec a ifconfig ${vlan_a_two} up
+   jexec a ifconfig ${bridge_a} addm ${vlan_a_one}
+   jexec a ifconfig ${bridge_a} addm ${vlan_a_two}
+
+   jexec b ifconfig ${epair_one}b up
+   jexec b ifconfig ${epair_two}b up
+   vlan_b_one=$(jexec b ifconfig vlan create vlandev ${epair_one}b vlan 42)
+   vlan_b_two=$(jexec b ifconfig vlan create vlandev ${epair_two}b vlan 42)
+   jexec b ifconfig ${vlan_b_one} up
+   jexec b ifconfig ${vlan_b_two} up
+   jexec b ifconfig ${bridge_b} addm ${vlan_b_one}
+   jexec b ifconfig ${bridge_b} addm ${vlan_b_two}
+
+   jexec a ifconfig ${bridge_a} 192.0.2.1/24
+
+   # Enable spanning tree
+   jexec a ifconfig ${bridge_a} stp ${vlan_a_one}
+   jexec a ifconfig ${bridge_a} stp ${vlan_a_two}
+   jexec b ifconfig ${bridge_b} stp ${vlan_b_one}
+   jexec b ifconfig ${bridge_b} stp ${vlan_b_two}
+
+   jexec b ifconfig ${bridge_b} up
+   jexec a ifconfig ${bridge_a} up
+
+   # Give STP time to do its thing
+   sleep 5
+
+   a_discard=$(jexec a ifconfig ${bridge_a} | grep discarding)
+   b_discard=$(jexec b ifconfig ${bridge_b} | grep discarding)
+
+   if [ -z "${a_discard}" ] && [ -z "${b_discard}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
+}
+
+stp_vlan_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_test_case "static" "cleanup"
 static_head()
 {
@@ -329,6 +394,7 @@ atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
atf_add_test_case "stp"
+   atf_add_test_case "stp_vlan"
atf_add_test_case "static"
atf_add_test_case "span"
atf_add_test_case "inherit_mac"


git: 38c0951386d8 - main - bridge: Remove members when assigned to a new vnet

2021-02-23 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=38c0951386d82f4c51cf4e245253cdef18d2254a

commit 38c0951386d82f4c51cf4e245253cdef18d2254a
Author: Kristof Provost 
AuthorDate: 2021-02-21 20:20:32 +
Commit: Kristof Provost 
CommitDate: 2021-02-23 12:54:07 +

bridge: Remove members when assigned to a new vnet

When the bridge is moved to a different vnet we must remove all of its
member interfaces (and span interfaces), because we don't know if those
will be moved along with it. We don't want to hold references to
interfaces not in our vnet.

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28859
---
 sys/net/ethernet.h |  4 
 sys/net/if_bridge.c| 25 +
 sys/net/if_ethersubr.c |  3 ---
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/sys/net/ethernet.h b/sys/net/ethernet.h
index 38c0aa249272..f174ca9eb143 100644
--- a/sys/net/ethernet.h
+++ b/sys/net/ethernet.h
@@ -437,6 +437,10 @@ extern uint32_t ether_crc32_be(const uint8_t *, 
size_t);
 extern void ether_demux(struct ifnet *, struct mbuf *);
 extern void ether_ifattach(struct ifnet *, const u_int8_t *);
 extern void ether_ifdetach(struct ifnet *);
+#ifdef VIMAGE
+struct vnet;
+extern void ether_reassign(struct ifnet *, struct vnet *, char *);
+#endif
 extern int  ether_ioctl(struct ifnet *, u_long, caddr_t);
 extern int  ether_output(struct ifnet *, struct mbuf *,
const struct sockaddr *, struct route *);
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 3dba672aa0fe..3e6b5ba8e0c2 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -670,6 +670,28 @@ SYSCTL_PROC(_net_link_bridge, OID_AUTO, ipfw,
 &VNET_NAME(pfil_ipfw), 0, &sysctl_pfil_ipfw, "I",
 "Layer2 filter with IPFW");
 
+#ifdef VIMAGE
+static void
+bridge_reassign(struct ifnet *ifp, struct vnet *newvnet, char *arg)
+{
+   struct bridge_softc *sc = ifp->if_softc;
+   struct bridge_iflist *bif;
+
+   BRIDGE_LOCK(sc);
+
+   while ((bif = CK_LIST_FIRST(&sc->sc_iflist)) != NULL)
+   bridge_delete_member(sc, bif, 0);
+
+   while ((bif = CK_LIST_FIRST(&sc->sc_spanlist)) != NULL) {
+   bridge_delete_span(sc, bif);
+   }
+
+   BRIDGE_UNLOCK(sc);
+
+   ether_reassign(ifp, newvnet, arg);
+}
+#endif
+
 /*
  * bridge_clone_create:
  *
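Review bot: `bridge_reassign` has no header comment, while the neighbouring functions in this file (see `bridge_clone_create:` directly below) document their purpose; a comment stating that a bridge moving to another vnet first drops all member and span interfaces because they may not follow it, as the commit message explains, belongs above it. The two `while` loops are braced inconsistently (the first without braces, the second with); style(9) uses neither for a single statement. The meaning of the literal `0` third argument to `bridge_delete_member()` is not visible in the hunk and would benefit from a short comment.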
@@ -716,6 +738,9 @@ bridge_clone_create(struct if_clone *ifc, int unit, caddr_t 
params)
/* Now undo some of the damage... */
ifp->if_baudrate = 0;
ifp->if_type = IFT_BRIDGE;
+#ifdef VIMAGE
+   ifp->if_reassign = bridge_reassign;
+#endif
 
BRIDGE_LIST_LOCK();
LIST_INSERT_HEAD(&V_bridge_list, sc, sc_list);
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index 77c138d7a092..01c2d2f7b3e8 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -117,9 +117,6 @@ static const u_char etherbroadcastaddr[ETHER_ADDR_LEN] =
 
 static int ether_resolvemulti(struct ifnet *, struct sockaddr **,
struct sockaddr *);
-#ifdef VIMAGE
-static void ether_reassign(struct ifnet *, struct vnet *, char *);
-#endif
 static int ether_requestencap(struct ifnet *, struct if_encap_req *);
 
 #define senderr(e) do { error = (e); goto bad;} while (0)


git: ef160e5cb919 - stable/13 - pf: Remove unused return value from (de)hook_pf()

2021-02-24 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=ef160e5cb919659951b3d4f70a966e58d5dce56f

commit ef160e5cb919659951b3d4f70a966e58d5dce56f
Author: Kristof Provost 
AuthorDate: 2021-02-16 11:40:51 +
Commit: Kristof Provost 
CommitDate: 2021-02-24 08:03:43 +

pf: Remove unused return value from (de)hook_pf()

These functions always return 0, which is good, because the code calling
them doesn't handle this error gracefully.

As the functions always succeed remove their return value, and the code
handling their errors (because it was never executed anyway).

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC (“Netgate”’)

(cherry picked from commit 8a439f324e9010a122fa4c00426bde70dc373c2f)
---
 sys/netpfil/pf/pf_ioctl.c | 40 +---
 1 file changed, 9 insertions(+), 31 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index bd8896cfb772..97be46509acc 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -213,8 +213,8 @@ static pfil_return_t pf_check6_out(struct mbuf **m, struct 
ifnet *ifp,
 int flags, void *ruleset __unused, struct inpcb *inp);
 #endif
 
-static int hook_pf(void);
-static int dehook_pf(void);
+static voidhook_pf(void);
+static voiddehook_pf(void);
 static int shutdown_pf(void);
 static int pf_load(void);
 static voidpf_unload(void);
@@ -1814,12 +1814,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int 
flags, struct thread *td
else {
int cpu;
 
-   error = hook_pf();
-   if (error) {
-   DPFPRINTF(PF_DEBUG_MISC,
-   ("pf: pfil registration failed\n"));
-   break;
-   }
+   hook_pf();
V_pf_status.running = 1;
V_pf_status.since = time_second;
 
@@ -1836,12 +1831,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int 
flags, struct thread *td
error = ENOENT;
else {
V_pf_status.running = 0;
-   error = dehook_pf();
-   if (error) {
-   V_pf_status.running = 1;
-   DPFPRINTF(PF_DEBUG_MISC,
-   ("pf: pfil unregistration failed\n"));
-   }
+   dehook_pf();
V_pf_status.since = time_second;
DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n"));
}
@@ -4565,14 +4555,14 @@ VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_out_hook);
 #defineV_pf_ip6_out_hook   VNET(pf_ip6_out_hook)
 #endif
 
-static int
+static void
 hook_pf(void)
 {
struct pfil_hook_args pha;
struct pfil_link_args pla;
 
if (V_pf_pfil_hooked)
-   return (0);
+   return;
 
pha.pa_version = PFIL_VERSION;
pha.pa_modname = "pf";
@@ -4620,15 +4610,14 @@ hook_pf(void)
 #endif
 
V_pf_pfil_hooked = 1;
-   return (0);
 }
 
-static int
+static void
 dehook_pf(void)
 {
 
if (V_pf_pfil_hooked == 0)
-   return (0);
+   return;
 
 #ifdef INET
pfil_remove_hook(V_pf_ip4_in_hook);
@@ -4640,7 +4629,6 @@ dehook_pf(void)
 #endif
 
V_pf_pfil_hooked = 0;
-   return (0);
 }
 
 static void
@@ -4688,20 +4676,10 @@ pf_load(void)
 static void
 pf_unload_vnet(void)
 {
-   int error;
 
V_pf_vnet_active = 0;
V_pf_status.running = 0;
-   error = dehook_pf();
-   if (error) {
-   /*
-* Should not happen!
-* XXX Due to error code ESRCH, kldunload will show
-* a message like 'No such process'.
-*/
-   printf("%s : pfil unregisteration fail\n", __FUNCTION__);
-   return;
-   }
+   dehook_pf();
 
PF_RULES_WLOCK();
shutdown_pf();
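Review bot: Removing `int error;` leaves a blank line directly after the opening brace of `pf_unload_vnet()`; style(9) places that blank line after the declarations, so with none remaining the line should go too. The same blank-after-brace pattern is visible in `dehook_pf()` earlier in this commit and could be cleaned up at the same time.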


git: 98e40918a6fa - stable/13 - pf tests: Explicitly ask for python3

2021-02-24 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=98e40918a6fa5113404b0fae15707a9804f447bd

commit 98e40918a6fa5113404b0fae15707a9804f447bd
Author: Kristof Provost 
AuthorDate: 2021-02-17 10:45:54 +
Commit: Kristof Provost 
CommitDate: 2021-02-24 08:04:19 +

pf tests: Explicitly ask for python3

If we install the scapy package (which we do list as a dependency) we
don't automatically install python (but we do have python3).

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC (“Netgate”’)

(cherry picked from commit 4a7d84058d88244c405fc0b73d6985681eb661f5)
---
 tests/sys/netpfil/common/pft_ping.py  | 2 +-
 tests/sys/netpfil/pf/CVE-2019-5597.py | 2 +-
 tests/sys/netpfil/pf/CVE-2019-5598.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/sys/netpfil/common/pft_ping.py 
b/tests/sys/netpfil/common/pft_ping.py
index 957123e4f6f8..916a019d2f4a 100644
--- a/tests/sys/netpfil/common/pft_ping.py
+++ b/tests/sys/netpfil/common/pft_ping.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
 # SPDX-License-Identifier: BSD-2-Clause
 #
diff --git a/tests/sys/netpfil/pf/CVE-2019-5597.py 
b/tests/sys/netpfil/pf/CVE-2019-5597.py
index bb95e95c13b7..1050af506f8d 100644
--- a/tests/sys/netpfil/pf/CVE-2019-5597.py
+++ b/tests/sys/netpfil/pf/CVE-2019-5597.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 #
diff --git a/tests/sys/netpfil/pf/CVE-2019-5598.py 
b/tests/sys/netpfil/pf/CVE-2019-5598.py
index 53616e681609..ac1e4f3438f5 100644
--- a/tests/sys/netpfil/pf/CVE-2019-5598.py
+++ b/tests/sys/netpfil/pf/CVE-2019-5598.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 #


git: 720206821fe7 - stable/13 - pf: Assert that pfil_link() calls succeed

2021-02-24 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=720206821fe75cf6e80f78307ef10ec125bbd589

commit 720206821fe75cf6e80f78307ef10ec125bbd589
Author: Kristof Provost 
AuthorDate: 2021-02-17 10:44:37 +
Commit: Kristof Provost 
CommitDate: 2021-02-24 08:03:56 +

pf: Assert that pfil_link() calls succeed

These should only fail if we use them incorrectly, so assert that they
succeed.

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC (“Netgate”’)

(cherry picked from commit c4e0f7aa1ae7729df8c3e525e511b84f8052375c)
---
 sys/netpfil/pf/pf_ioctl.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 97be46509acc..c32a961f5a0b 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -4560,6 +4560,7 @@ hook_pf(void)
 {
struct pfil_hook_args pha;
struct pfil_link_args pla;
+   int ret;
 
if (V_pf_pfil_hooked)
return;
@@ -4579,7 +4580,8 @@ hook_pf(void)
pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet_pfil_head;
pla.pa_hook = V_pf_ip4_in_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
pha.pa_func = pf_check_out;
pha.pa_flags = PFIL_OUT;
pha.pa_rulname = "default-out";
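Review bot: `MPASS(ret == 0)` compiles to nothing without INVARIANTS, so in a production kernel a failed `pfil_link()` is silently ignored and `hook_pf()` still sets `V_pf_pfil_hooked = 1` at the end of the last hunk, leaving pf reporting itself as running while no packets reach it — a fail-open condition with no log entry. If these calls genuinely cannot fail when used correctly, a check that fires in all builds (`if (ret != 0) panic("pf: pfil_link failed: %d", ret);`) or at minimum a `printf` of the error would be the safer failure mode; as written `ret` is also a set-but-unused variable in non-INVARIANTS builds, which some compilers warn about. The same pattern appears in the three following hunks of this file.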
@@ -4587,7 +4589,8 @@ hook_pf(void)
pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet_pfil_head;
pla.pa_hook = V_pf_ip4_out_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
 #endif
 #ifdef INET6
pha.pa_type = PFIL_TYPE_IP6;
@@ -4598,7 +4601,8 @@ hook_pf(void)
pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet6_pfil_head;
pla.pa_hook = V_pf_ip6_in_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
pha.pa_func = pf_check6_out;
pha.pa_rulname = "default-out6";
pha.pa_flags = PFIL_OUT;
@@ -4606,7 +4610,8 @@ hook_pf(void)
pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
pla.pa_head = V_inet6_pfil_head;
pla.pa_hook = V_pf_ip6_out_hook;
-   (void)pfil_link(&pla);
+   ret = pfil_link(&pla);
+   MPASS(ret == 0);
 #endif
 
V_pf_pfil_hooked = 1;


git: f3245be3499b - main - net: remove legacy in_addmulti()

2021-02-25 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f3245be3499b60e790f59f84ebe24f9cc91dd982

commit f3245be3499b60e790f59f84ebe24f9cc91dd982
Author: Kristof Provost 
AuthorDate: 2021-02-23 19:21:19 +
Commit: Kristof Provost 
CommitDate: 2021-02-25 09:13:52 +

net: remove legacy in_addmulti()

Despite the comment to the contrary neither pf nor carp use
in_addmulti(). Nothing does, so get rid of it.

Carp stopped using it in 08b68b0e4c6b132127919cfbaf7275c727ca7843
(2011). It's unclear when pf stopped using it, but before
d6d3f01e0a3395c1fae34a3c4be7b051cb2d7581 (2012).

Reviewed by:bz@, melifaro@
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D28918
---
 sys/netinet/in_mcast.c | 29 -
 sys/netinet/in_var.h   |  2 --
 2 files changed, 31 deletions(-)

diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c
index 6d390a0b263c..392856785dd2 100644
--- a/sys/netinet/in_mcast.c
+++ b/sys/netinet/in_mcast.c
@@ -120,8 +120,6 @@ int ifma_restart;
  * Functions with non-static linkage defined in this file should be
  * declared in in_var.h:
  *  imo_multi_filter()
- *  in_addmulti()
- *  in_delmulti()
  *  in_joingroup()
  *  in_joingroup_locked()
  *  in_leavegroup()
@@ -130,9 +128,6 @@ int ifma_restart;
  *  inp_freemoptions()
  *  inp_getmoptions()
  *  inp_setmoptions()
- *
- * XXX: Both carp and pf need to use the legacy (*,G) KPIs in_addmulti()
- * and in_delmulti().
  */
 static voidimf_commit(struct in_mfilter *);
 static int imf_get_source(struct in_mfilter *imf,
@@ -1367,30 +1362,6 @@ in_leavegroup_locked(struct in_multi *inm, /*const*/ 
struct in_mfilter *imf)
 }
 
 /*#ifndef BURN_BRIDGES*/
-/*
- * Join an IPv4 multicast group in (*,G) exclusive mode.
- * The group must be a 224.0.0.0/24 link-scope group.
- * This KPI is for legacy kernel consumers only.
- */
-struct in_multi *
-in_addmulti(struct in_addr *ap, struct ifnet *ifp)
-{
-   struct in_multi *pinm;
-   int error;
-#ifdef INVARIANTS
-   char addrbuf[INET_ADDRSTRLEN];
-#endif
-
-   KASSERT(IN_LOCAL_GROUP(ntohl(ap->s_addr)),
-   ("%s: %s not in 224.0.0.0/24", __func__,
-   inet_ntoa_r(*ap, addrbuf)));
-
-   error = in_joingroup(ifp, ap, NULL, &pinm);
-   if (error != 0)
-   pinm = NULL;
-
-   return (pinm);
-}
 
 /*
  * Block or unblock an ASM multicast source on an inpcb.
diff --git a/sys/netinet/in_var.h b/sys/netinet/in_var.h
index c7ebff80e56d..b42ca00d5ae7 100644
--- a/sys/netinet/in_var.h
+++ b/sys/netinet/in_var.h
@@ -450,8 +450,6 @@ int inm_record_source(struct in_multi *inm, const 
in_addr_t);
 void   inm_release_deferred(struct in_multi *);
 void   inm_release_list_deferred(struct in_multi_head *);
 void   inm_release_wait(void *);
-struct in_multi *
-in_addmulti(struct in_addr *, struct ifnet *);
 intin_joingroup(struct ifnet *, const struct in_addr *,
/*const*/ struct in_mfilter *, struct in_multi **);
 intin_joingroup_locked(struct ifnet *, const struct in_addr *,


git: f5537cd0693c - main - bridgestp: Ensure we send STP on VLAN interfaces

2021-02-25 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f5537cd0693c85efdb2180a0a107c51eae15ba39

commit f5537cd0693c85efdb2180a0a107c51eae15ba39
Author: Kristof Provost 
AuthorDate: 2021-02-24 15:38:53 +
Commit: Kristof Provost 
CommitDate: 2021-02-25 09:16:25 +

bridgestp: Ensure we send STP on VLAN interfaces

Reviewed by:donner@
MFC after:  1 week
X-MFC-with: 711ed156b94562c3dcb2ee9c1b3f240f960a75d2
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28916
---
 sys/net/bridgestp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index 82524440c241..9e3a3e14ecda 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -2052,7 +2052,7 @@ bstp_reinit(struct bstp_state *bs)
 */
NET_EPOCH_ENTER(et);
CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) {
-   if (ifp->if_type != IFT_ETHER)
+   if (ifp->if_type != IFT_ETHER && ifp->if_type != IFT_L2VLAN)
continue;   /* Not Ethernet */
 
if (ifp->if_bridge != bridgeptr)
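Review bot: The `continue; /* Not Ethernet */` comment is now stale because 802.1Q VLAN interfaces are accepted as well; `continue; /* Not Ethernet or VLAN */`. bstp_enable() performs the same if_type test as a switch (the change this is MFC'd with, 711ed156b945), so a tiny static predicate shared by both sites would keep the two lists from drifting apart again. bstp_reinit starts and ends outside the hunk.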


git: 7a4dbffa4205 - main - bridge tests: Test that we also forward on some interfaces

2021-02-25 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=7a4dbffa4205fc274b4884a6332d4831c5791320

commit 7a4dbffa4205fc274b4884a6332d4831c5791320
Author: Kristof Provost 
AuthorDate: 2021-02-24 15:40:37 +
Commit: Kristof Provost 
CommitDate: 2021-02-25 09:17:03 +

bridge tests: Test that we also forward on some interfaces

Ensure that we not only block on some interfaces, but also forward on
some. Without the previous commit we wound up discarding on all ports,
rather than only on the ports needed to break the loop.

MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28917
---
 tests/sys/net/if_bridge_test.sh | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index bc9add68ce25..1f10fe325a2c 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -117,6 +117,15 @@ stp_body()
then
atf_fail "STP failed to detect bridging loop"
fi
+
+   # We must also have at least some forwarding interfaces
+   a_forwarding=$(jexec a ifconfig ${bridge_a} | grep forwarding)
+   b_forwarding=$(jexec b ifconfig ${bridge_b} | grep forwarding)
+
+   if [ -z "${a_forwarding}" ] && [ -z "${b_forwarding}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
 }
 
 stp_cleanup()
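Review bot: The new failure message `atf_fail "STP failed to detect bridging loop"` is copied from the preceding check and does not describe this condition: the branch fires when no port on either bridge is forwarding, i.e. STP blocked everything rather than missed the loop; `atf_fail "STP left no forwarding ports"`. The same nine lines are duplicated in the stp_vlan_body hunk (@@ -182,6 +191,15) below; a small shell function taking the two bridge names would keep the two checks in step. Both test bodies start outside their hunks.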
@@ -182,6 +191,15 @@ stp_vlan_body()
then
atf_fail "STP failed to detect bridging loop"
fi
+
+   # We must also have at least some forwarding interfaces
+   a_forwarding=$(jexec a ifconfig ${bridge_a} | grep forwarding)
+   b_forwarding=$(jexec b ifconfig ${bridge_b} | grep forwarding)
+
+   if [ -z "${a_forwarding}" ] && [ -z "${b_forwarding}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
 }
 
 stp_vlan_cleanup()


git: 5f1b1f184b7f - main - pf: Fix incorrect fragment handling

2021-02-25 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5f1b1f184b7f12330cf4a027e3db7c6700c67640

commit 5f1b1f184b7f12330cf4a027e3db7c6700c67640
Author: Kristof Provost 
AuthorDate: 2021-02-25 07:07:36 +
Commit: Kristof Provost 
CommitDate: 2021-02-25 20:51:08 +

pf: Fix incorrect fragment handling

A sequence of overlapping IPv4 fragments could crash the kernel in
pf due to an assertion.

Reported by:Alexander Bluhm
Obtained from:  OpenBSD
MFC after:  3 days
Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_norm.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index b7a84437630b..d7310c7bccb4 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -549,6 +549,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
struct pf_frent *after, *next, *prev;
struct pf_fragment  *frag;
uint16_ttotal;
+   int old_index, new_index;
 
PF_FRAG_ASSERT();
 
@@ -660,8 +661,30 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
DPFPRINTF(("adjust overlap %d\n", aftercut));
if (aftercut < after->fe_len) {
m_adj(after->fe_m, aftercut);
+   old_index = pf_frent_index(after);
after->fe_off += aftercut;
after->fe_len -= aftercut;
+   new_index = pf_frent_index(after);
+   if (old_index != new_index) {
+   DPFPRINTF(("frag index %d, new %d",
+   old_index, new_index));
+   /* Fragment switched queue as fe_off changed */
+   after->fe_off -= aftercut;
+   after->fe_len += aftercut;
+   /* Remove restored fragment from old queue */
+   pf_frent_remove(frag, after);
+   after->fe_off += aftercut;
+   after->fe_len -= aftercut;
+   /* Insert into correct queue */
+   if (pf_frent_insert(frag, after, prev)) {
+   DPFPRINTF(
+   ("fragment requeue limit 
exceeded"));
+   m_freem(after->fe_m);
+   uma_zfree(V_pf_frent_z, after);
+   /* There is not way to recover */
+   goto bad_fragment;
+   }
+   }
break;
}
 
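Review bot: The two new diagnostics, `DPFPRINTF(("frag index %d, new %d", ...))` and `("fragment requeue limit exceeded")`, have no trailing `\n`, while the existing message two lines above them, `"adjust overlap %d\n"`, does, so the lines run together in the debug log. The comment `/* There is not way to recover */` should read `/* There is no way to recover */`. Whether `bad_fragment` also tears down `frag` after `after` has been removed from the queue and freed here is not visible in the hunk; a short comment at the `goto` naming what that label cleans up would help the next reader, and pf_fillup_fragment starts and ends outside the hunk. The same remarks apply to the stable/13, stable/12 and releng/13.0 cherry-picks of this commit further down the page (in the stable/12 file the surrounding DPFPRINTF already omits `\n`, so only the comment wording applies there).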


git: 86ebf4d3e12c - stable/13 - pf: Fix incorrect fragment handling

2021-02-28 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=86ebf4d3e12c3eae94d3e9a8dcf5bd5741889b58

commit 86ebf4d3e12c3eae94d3e9a8dcf5bd5741889b58
Author: Kristof Provost 
AuthorDate: 2021-02-25 07:07:36 +
Commit: Kristof Provost 
CommitDate: 2021-02-28 15:16:29 +

pf: Fix incorrect fragment handling

A sequence of overlapping IPv4 fragments could crash the kernel in
pf due to an assertion.

Reported by:Alexander Bluhm
Obtained from:  OpenBSD
MFC after:  3 days
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 5f1b1f184b7f12330cf4a027e3db7c6700c67640)
---
 sys/netpfil/pf/pf_norm.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index b7a84437630b..d7310c7bccb4 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -549,6 +549,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
struct pf_frent *after, *next, *prev;
struct pf_fragment  *frag;
uint16_ttotal;
+   int old_index, new_index;
 
PF_FRAG_ASSERT();
 
@@ -660,8 +661,30 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
DPFPRINTF(("adjust overlap %d\n", aftercut));
if (aftercut < after->fe_len) {
m_adj(after->fe_m, aftercut);
+   old_index = pf_frent_index(after);
after->fe_off += aftercut;
after->fe_len -= aftercut;
+   new_index = pf_frent_index(after);
+   if (old_index != new_index) {
+   DPFPRINTF(("frag index %d, new %d",
+   old_index, new_index));
+   /* Fragment switched queue as fe_off changed */
+   after->fe_off -= aftercut;
+   after->fe_len += aftercut;
+   /* Remove restored fragment from old queue */
+   pf_frent_remove(frag, after);
+   after->fe_off += aftercut;
+   after->fe_len -= aftercut;
+   /* Insert into correct queue */
+   if (pf_frent_insert(frag, after, prev)) {
+   DPFPRINTF(
+   ("fragment requeue limit 
exceeded"));
+   m_freem(after->fe_m);
+   uma_zfree(V_pf_frent_z, after);
+   /* There is not way to recover */
+   goto bad_fragment;
+   }
+   }
break;
}
 


git: f520c87f3a09 - stable/12 - Revert "pf: Limit the maximum number of fragments per packet"

2021-02-28 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f520c87f3a0993e9b1e872f38177639468f2e64c

commit f520c87f3a0993e9b1e872f38177639468f2e64c
Author: Kristof Provost 
AuthorDate: 2018-11-02 15:01:59 +
Commit: Kristof Provost 
CommitDate: 2021-02-28 15:36:05 +

Revert "pf: Limit the maximum number of fragments per packet"

This reverts commit r337969.
We'll handle this the OpenBSD way, in upcoming commits.

(cherry picked from commit 19a22ae31328d9a960732a0904116c1b5566351b)
---
 sys/netpfil/pf/pf_norm.c | 8 
 1 file changed, 8 deletions(-)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index b453bda84721..cadc7a73dca4 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -91,10 +91,8 @@ struct pf_fragment {
TAILQ_ENTRY(pf_fragment) frag_next;
uint32_tfr_timeout;
uint16_tfr_maxlen;  /* maximum length of single fragment */
-   uint16_tfr_entries; /* Total number of pf_fragment entries 
*/
TAILQ_HEAD(pf_fragq, pf_frent) fr_queue;
 };
-#define PF_MAX_FRENT_PER_FRAGMENT  64
 
 struct pf_fragment_tag {
uint16_tft_hdrlen;  /* header length of reassembled pkt */
@@ -386,7 +384,6 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
*(struct pf_fragment_cmp *)frag = *key;
frag->fr_timeout = time_uptime;
frag->fr_maxlen = frent->fe_len;
-   frag->fr_entries = 0;
TAILQ_INIT(&frag->fr_queue);
 
RB_INSERT(pf_frag_tree, &V_pf_frag_tree, frag);
@@ -398,9 +395,6 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
return (frag);
}
 
-   if (frag->fr_entries >= PF_MAX_FRENT_PER_FRAGMENT)
-   goto bad_fragment;
-
KASSERT(!TAILQ_EMPTY(&frag->fr_queue), ("!TAILQ_EMPTY()->fr_queue"));
 
/* Remember maximum fragment len for refragmentation. */
@@ -473,8 +467,6 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
else
TAILQ_INSERT_AFTER(&frag->fr_queue, prev, frent, fr_next);
 
-   frag->fr_entries++;
-
return (frag);
 
 bad_fragment:


git: 1d6a2a742c1b - stable/12 - pf: Count holes rather than fragments for reassembly

2021-02-28 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1d6a2a742c1bcc342408df99bc5f20dec404b1e4

commit 1d6a2a742c1bcc342408df99bc5f20dec404b1e4
Author: Kristof Provost 
AuthorDate: 2018-11-02 15:23:57 +
Commit: Kristof Provost 
CommitDate: 2021-02-28 15:36:10 +

pf: Count holes rather than fragments for reassembly

Avoid traversing the list of fragment entries to check whether the
pf(4) reassembly is complete.  Instead count the holes that are
created when inserting a fragment.  If there are no holes left, the
fragments are continuous.

Obtained from:  OpenBSD
Differential Revision:  https://reviews.freebsd.org/D17732

(cherry picked from commit 2b1c354ee6fb075953d2c3e81c8221f4115ce981)
---
 sys/netpfil/pf/pf_norm.c | 83 ++--
 1 file changed, 45 insertions(+), 38 deletions(-)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index cadc7a73dca4..cd94d1de7cf7 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -2,7 +2,7 @@
  * SPDX-License-Identifier: BSD-2-Clause
  *
  * Copyright 2001 Niels Provos 
- * Copyright 2011 Alexander Bluhm 
+ * Copyright 2011-2018 Alexander Bluhm 
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -91,6 +91,7 @@ struct pf_fragment {
TAILQ_ENTRY(pf_fragment) frag_next;
uint32_tfr_timeout;
uint16_tfr_maxlen;  /* maximum length of single fragment */
+   u_int16_t   fr_holes;   /* number of holes in the queue */
TAILQ_HEAD(pf_fragq, pf_frent) fr_queue;
 };
 
@@ -132,11 +133,11 @@ static void   pf_remove_fragment(struct pf_fragment 
*);
 static int pf_normalize_tcpopt(struct pf_krule *, struct mbuf *,
struct tcphdr *, int, sa_family_t);
 static struct pf_frent *pf_create_fragment(u_short *);
+static int pf_frent_holes(struct pf_frent *frent);
 static struct pf_fragment *pf_find_fragment(struct pf_fragment_cmp *key,
struct pf_frag_tree *tree);
 static struct pf_fragment *pf_fillup_fragment(struct pf_fragment_cmp *,
struct pf_frent *, u_short *);
-static int pf_isfull_fragment(struct pf_fragment *);
 static struct mbuf *pf_join_fragment(struct pf_fragment *);
 #ifdef INET
 static voidpf_scrub_ip(struct mbuf **, uint32_t, uint8_t, uint8_t);
@@ -333,6 +334,39 @@ pf_create_fragment(u_short *reason)
return (frent);
 }
 
+/*
+ * Calculate the additional holes that were created in the fragment
+ * queue by inserting this fragment.  A fragment in the middle
+ * creates one more hole by splitting.  For each connected side,
+ * it loses one hole.
+ * Fragment entry must be in the queue when calling this function.
+ */
+static int
+pf_frent_holes(struct pf_frent *frent)
+{
+   struct pf_frent *prev = TAILQ_PREV(frent, pf_fragq, fr_next);
+   struct pf_frent *next = TAILQ_NEXT(frent, fr_next);
+   int holes = 1;
+
+   if (prev == NULL) {
+   if (frent->fe_off == 0)
+   holes--;
+   } else {
+   KASSERT(frent->fe_off != 0, ("frent->fe_off != 0"));
+   if (frent->fe_off == prev->fe_off + prev->fe_len)
+   holes--;
+   }
+   if (next == NULL) {
+   if (!frent->fe_mff)
+   holes--;
+   } else {
+   KASSERT(frent->fe_mff, ("frent->fe_mff"));
+   if (next->fe_off == frent->fe_off + frent->fe_len)
+   holes--;
+   }
+   return holes;
+}
+
 static struct pf_fragment *
 pf_fillup_fragment(struct pf_fragment_cmp *key, struct pf_frent *frent,
u_short *reason)
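Review bot: `return holes;` deviates from the parenthesised style(9) form used throughout this file (`return (frent);`, `return (frag);`); `return (holes);`. The leading comment is good; it could additionally state the result range — the single increment and up to two decrements give -1..1 — since callers add it to `fr_holes` and a reader checking that the counter cannot underflow needs that bound.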
@@ -384,6 +418,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
*(struct pf_fragment_cmp *)frag = *key;
frag->fr_timeout = time_uptime;
frag->fr_maxlen = frent->fe_len;
+   frag->fr_holes = 1;
TAILQ_INIT(&frag->fr_queue);
 
RB_INSERT(pf_frag_tree, &V_pf_frag_tree, frag);
@@ -391,6 +426,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
 
/* We do not have a previous fragment. */
TAILQ_INSERT_HEAD(&frag->fr_queue, frent, fr_next);
+   frag->fr_holes += pf_frent_holes(frent);
 
return (frag);
}
@@ -457,6 +493,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
 
/* This fragment is completely overlapped, lose it. */
next = TAILQ_NEXT(after, fr_next);
+   frag->fr_holes -= pf_frent_holes(after);
m_freem(after->fe_m);
TAILQ_REMOVE(&frag->fr_queue, after, f

git: 11bf4f2fbb3c - stable/12 - pf: Split the fragment reassembly queue into smaller parts

2021-02-28 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=11bf4f2fbb3c10ceeda799893b61cb2d3d41521d

commit 11bf4f2fbb3c10ceeda799893b61cb2d3d41521d
Author: Kristof Provost 
AuthorDate: 2018-11-02 15:26:51 +
Commit: Kristof Provost 
CommitDate: 2021-02-28 15:36:18 +

pf: Split the fragment reassembly queue into smaller parts

Remember 16 entry points based on the fragment offset.  Instead of
a worst case of 8196 list traversals we now check a maximum of 512
list entries or 16 array elements.

Obtained from:  OpenBSD
Differential Revision:  https://reviews.freebsd.org/D17733

(cherry picked from commit fd2ea405e601bd5e240153c5de0f7c264946ce6f)
---
 sys/net/pfvar.h  |   6 ++
 sys/netpfil/pf/pf_norm.c | 181 ++-
 2 files changed, 168 insertions(+), 19 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index dcc5bf51fdf6..d6c2bf9120e9 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1005,6 +1005,12 @@ struct pf_divert {
 #define PFFRAG_FRENT_HIWAT 5000/* Number of fragment entries */
 #define PFR_KENTRY_HIWAT   20  /* Number of table entries */
 
+/*
+ * Limit the length of the fragment queue traversal.  Remember
+ * search entry points based on the fragment offset.
+ */
+#define PF_FRAG_ENTRY_POINTS   16
+
 /*
  * ioctl parameter structures
  */
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index cd94d1de7cf7..0e2fdca4c2ce 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -87,6 +87,7 @@ struct pf_fragment {
 #define fr_af  fr_key.frc_af
 #define fr_proto   fr_key.frc_proto
 
+   struct pf_frent *fr_firstoff[PF_FRAG_ENTRY_POINTS];
RB_ENTRY(pf_fragment) fr_entry;
TAILQ_ENTRY(pf_fragment) frag_next;
uint32_tfr_timeout;
@@ -136,6 +137,13 @@ static struct pf_frent *pf_create_fragment(u_short *);
 static int pf_frent_holes(struct pf_frent *frent);
 static struct pf_fragment *pf_find_fragment(struct pf_fragment_cmp *key,
struct pf_frag_tree *tree);
+static inline int  pf_frent_index(struct pf_frent *);
+static voidpf_frent_insert(struct pf_fragment *,
+   struct pf_frent *, struct pf_frent *);
+void   pf_frent_remove(struct pf_fragment *,
+   struct pf_frent *);
+struct pf_frent*pf_frent_previous(struct pf_fragment *,
+   struct pf_frent *);
 static struct pf_fragment *pf_fillup_fragment(struct pf_fragment_cmp *,
struct pf_frent *, u_short *);
 static struct mbuf *pf_join_fragment(struct pf_fragment *);
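Review bot: `pf_frent_remove` and `pf_frent_previous` are declared without `static`, unlike every other helper in this prototype block; unless something outside pf_norm.c calls them they should be `static void pf_frent_remove(struct pf_fragment *, struct pf_frent *);` and `static struct pf_frent *pf_frent_previous(struct pf_fragment *, struct pf_frent *);`, matching `pf_frent_insert` just above. Keeping them file-local also lets the compiler see every call site of the queue-accounting functions that the later per-bucket limit commit depends on.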
@@ -308,6 +316,7 @@ pf_remove_fragment(struct pf_fragment *frag)
 {
 
PF_FRAG_ASSERT();
+   KASSERT(frag, ("frag != NULL"));
 
RB_REMOVE(pf_frag_tree, &V_pf_frag_tree, frag);
TAILQ_REMOVE(&V_pf_fragqueue, frag, frag_next);
@@ -367,9 +376,150 @@ pf_frent_holes(struct pf_frent *frent)
return holes;
 }
 
+static inline int
+pf_frent_index(struct pf_frent *frent)
+{
+   /*
+* We have an array of 16 entry points to the queue.  A full size
+* 65535 octet IP packet can have 8192 fragments.  So the queue
+* traversal length is at most 512 and at most 16 entry points are
+* checked.  We need 128 additional bytes on a 64 bit architecture.
+*/
+   CTASSERT(((u_int16_t)0x &~ 7) / (0x1 / PF_FRAG_ENTRY_POINTS) ==
+   16 - 1);
+   CTASSERT(((u_int16_t)0x >> 3) / PF_FRAG_ENTRY_POINTS == 512 - 1);
+
+   return frent->fe_off / (0x1 / PF_FRAG_ENTRY_POINTS);
+}
+
+static void
+pf_frent_insert(struct pf_fragment *frag, struct pf_frent *frent,
+struct pf_frent *prev)
+{
+   int index;
+
+   if (prev == NULL) {
+   TAILQ_INSERT_HEAD(&frag->fr_queue, frent, fr_next);
+   } else {
+   KASSERT(prev->fe_off + prev->fe_len <= frent->fe_off,
+   ("overlapping fragment"));
+   TAILQ_INSERT_AFTER(&frag->fr_queue, prev, frent, fr_next);
+   }
+
+   index = pf_frent_index(frent);
+   if (frag->fr_firstoff[index] == NULL) {
+   KASSERT(prev == NULL || pf_frent_index(prev) < index,
+   ("prev == NULL || pf_frent_index(pref) < index"));
+   frag->fr_firstoff[index] = frent;
+   } else {
+   if (frent->fe_off < frag->fr_firstoff[index]->fe_off) {
+   KASSERT(prev == NULL || pf_frent_index(prev) < index,
+   ("prev == NULL || pf_frent_index(pref) < index"));
+   frag->fr_firstoff[index] = frent;
+   } else {
+   KASSERT(prev != NULL, ("prev != NULL&q

git: 8de214ad4d22 - stable/12 - pf: Limit the fragment entry queue length to 64 per bucket.

2021-02-28 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8de214ad4d225418c8c7befe975637e236ddf93d

commit 8de214ad4d225418c8c7befe975637e236ddf93d
Author: Kristof Provost 
AuthorDate: 2018-11-02 15:32:04 +
Commit: Kristof Provost 
CommitDate: 2021-02-28 15:36:22 +

pf: Limit the fragment entry queue length to 64 per bucket.

So we have a global limit of 1024 fragments, but it is fine grained to
the region of the packet.  Smaller packets may have less fragments.
This costs another 16 bytes of memory per reassembly and divides the
worst case for searching by 8.

Obtained from:  OpenBSD
Differential Revision:  https://reviews.freebsd.org/D17734

(cherry picked from commit 790194cd472b1d17e08940e9f839322abcf14ec9)
---
 sys/net/pfvar.h  |  7 +++
 sys/netpfil/pf/pf_norm.c | 34 +-
 2 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index d6c2bf9120e9..3a535d04f12f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1011,6 +1011,13 @@ struct pf_divert {
  */
 #define PF_FRAG_ENTRY_POINTS   16
 
+/*
+ * The number of entries in the fragment queue must be limited
+ * to avoid DoS by linear seaching.  Instead of a global limit,
+ * use a limit per entry point.  For large packets these sum up.
+ */
+#define PF_FRAG_ENTRY_LIMIT64
+
 /*
  * ioctl parameter structures
  */
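Review bot: Typo in the new comment: `* to avoid DoS by linear seaching.` should read `* to avoid DoS by linear searching.`. It would also be worth stating the derived bound where the constants live — with PF_FRAG_ENTRY_POINTS buckets of PF_FRAG_ENTRY_LIMIT entries a single reassembly holds at most 16 * 64 = 1024 fragments, as the commit message says — so the per-packet CPU and memory cap is visible to whoever tunes these values next.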
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 0e2fdca4c2ce..eb310e27b9ae 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -87,7 +87,10 @@ struct pf_fragment {
 #define fr_af  fr_key.frc_af
 #define fr_proto   fr_key.frc_proto
 
+   /* pointers to queue element */
struct pf_frent *fr_firstoff[PF_FRAG_ENTRY_POINTS];
+   /* count entries between pointers */
+   uint8_t fr_entries[PF_FRAG_ENTRY_POINTS];
RB_ENTRY(pf_fragment) fr_entry;
TAILQ_ENTRY(pf_fragment) frag_next;
uint32_tfr_timeout;
@@ -138,7 +141,7 @@ static int  pf_frent_holes(struct pf_frent *frent);
 static struct pf_fragment *pf_find_fragment(struct pf_fragment_cmp *key,
struct pf_frag_tree *tree);
 static inline int  pf_frent_index(struct pf_frent *);
-static voidpf_frent_insert(struct pf_fragment *,
+static int pf_frent_insert(struct pf_fragment *,
struct pf_frent *, struct pf_frent *);
 void   pf_frent_remove(struct pf_fragment *,
struct pf_frent *);
@@ -392,12 +395,24 @@ pf_frent_index(struct pf_frent *frent)
return frent->fe_off / (0x1 / PF_FRAG_ENTRY_POINTS);
 }
 
-static void
+static int
 pf_frent_insert(struct pf_fragment *frag, struct pf_frent *frent,
 struct pf_frent *prev)
 {
int index;
 
+   CTASSERT(PF_FRAG_ENTRY_LIMIT <= 0xff);
+
+   /*
+* A packet has at most 65536 octets.  With 16 entry points, each one
+* spawns 4096 octets.  We limit these to 64 fragments each, which
+* means on average every fragment must have at least 64 octets.
+*/
+   index = pf_frent_index(frent);
+   if (frag->fr_entries[index] >= PF_FRAG_ENTRY_LIMIT)
+   return ENOBUFS;
+   frag->fr_entries[index]++;
+
if (prev == NULL) {
TAILQ_INSERT_HEAD(&frag->fr_queue, frent, fr_next);
} else {
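Review bot: The new comment says each entry point `spawns 4096 octets`; `spans` is meant. `return ENOBUFS;` here and `return 0;` in the following hunk (@@ -424,6 +438,8) are not in the parenthesised style(9) form the rest of the file uses (`return (frag);`); `return (ENOBUFS);` and `return (0);`. Incrementing `fr_entries[index]` before the queue insertion is fine because no path below it fails, but a one-line comment noting that pf_frent_remove() performs the matching decrement would make the invariant explicit. pf_frent_insert continues past the hunk.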
@@ -406,7 +421,6 @@ pf_frent_insert(struct pf_fragment *frag, struct pf_frent 
*frent,
TAILQ_INSERT_AFTER(&frag->fr_queue, prev, frent, fr_next);
}
 
-   index = pf_frent_index(frent);
if (frag->fr_firstoff[index] == NULL) {
KASSERT(prev == NULL || pf_frent_index(prev) < index,
("prev == NULL || pf_frent_index(pref) < index"));
@@ -424,6 +438,8 @@ pf_frent_insert(struct pf_fragment *frag, struct pf_frent 
*frent,
}
 
frag->fr_holes += pf_frent_holes(frent);
+
+   return 0;
 }
 
 void
@@ -460,6 +476,9 @@ pf_frent_remove(struct pf_fragment *frag, struct pf_frent 
*frent)
}
 
TAILQ_REMOVE(&frag->fr_queue, frent, fr_next);
+
+   KASSERT(frag->fr_entries[index] > 0, ("No fragments remaining"));
+   frag->fr_entries[index]--;
 }
 
 struct pf_frent *
@@ -567,6 +586,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
 
*(struct pf_fragment_cmp *)frag = *key;
memset(frag->fr_firstoff, 0, sizeof(frag->fr_firstoff));
+   memset(frag->fr_entries, 0, sizeof(frag->fr_entries));
frag->fr_timeout = time_uptime;
frag->fr_maxlen = frent->fe_len;
frag->fr_holes = 1;
@@ -575,7 +595,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
RB_INSERT(pf_

git: 555726fda685 - stable/12 - pf: Fix build if INVARIANTS is not set

2021-02-28 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=555726fda685ab5be9ccdbfcb73b9336dc2d75af

commit 555726fda685ab5be9ccdbfcb73b9336dc2d75af
Author: Kristof Provost 
AuthorDate: 2018-11-02 19:23:50 +
Commit: Kristof Provost 
CommitDate: 2021-02-28 15:36:29 +

pf: Fix build if INVARIANTS is not set

r340061 included a number of assertions in pf_frent_remove(), but these
assertions
were the only use of the 'prev' variable. As a result builds without
INVARIANTS had an unused variable, and failed.

Reported by:vangyzen@

(cherry picked from commit 58ef854f8b05508f41aff3bdaf1564c8dd4c1d4f)
---
 sys/netpfil/pf/pf_norm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index eb310e27b9ae..0770fcfd4c58 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -445,7 +445,9 @@ pf_frent_insert(struct pf_fragment *frag, struct pf_frent 
*frent,
 void
 pf_frent_remove(struct pf_fragment *frag, struct pf_frent *frent)
 {
+#ifdef INVARIANTS
struct pf_frent *prev = TAILQ_PREV(frent, pf_fragq, fr_next);
+#endif
struct pf_frent *next = TAILQ_NEXT(frent, fr_next);
int index;
 


git: 5f5a45463ea0 - stable/12 - pf: Fix incorrect fragment handling

2021-02-28 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5f5a45463ea068983092588ab897602f7aea328b

commit 5f5a45463ea068983092588ab897602f7aea328b
Author: Kristof Provost 
AuthorDate: 2021-02-25 07:07:36 +
Commit: Kristof Provost 
CommitDate: 2021-02-28 15:37:07 +

pf: Fix incorrect fragment handling

A sequence of overlapping IPv4 fragments could crash the kernel in
pf due to an assertion.

Reported by:Alexander Bluhm
Obtained from:  OpenBSD
MFC after:  3 days
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 5f1b1f184b7f12330cf4a027e3db7c6700c67640)
---
 sys/netpfil/pf/pf_norm.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 0770fcfd4c58..2a3c1d442fd4 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -545,6 +545,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
struct pf_frent *after, *next, *prev;
struct pf_fragment  *frag;
uint16_ttotal;
+   int old_index, new_index;
 
PF_FRAG_ASSERT();
 
@@ -656,8 +657,30 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
DPFPRINTF(("adjust overlap %d", aftercut));
if (aftercut < after->fe_len) {
m_adj(after->fe_m, aftercut);
+   old_index = pf_frent_index(after);
after->fe_off += aftercut;
after->fe_len -= aftercut;
+   new_index = pf_frent_index(after);
+   if (old_index != new_index) {
+   DPFPRINTF(("frag index %d, new %d",
+   old_index, new_index));
+   /* Fragment switched queue as fe_off changed */
+   after->fe_off -= aftercut;
+   after->fe_len += aftercut;
+   /* Remove restored fragment from old queue */
+   pf_frent_remove(frag, after);
+   after->fe_off += aftercut;
+   after->fe_len -= aftercut;
+   /* Insert into correct queue */
+   if (pf_frent_insert(frag, after, prev)) {
+   DPFPRINTF(
+   ("fragment requeue limit 
exceeded"));
+   m_freem(after->fe_m);
+   uma_zfree(V_pf_frent_z, after);
+   /* There is not way to recover */
+   goto bad_fragment;
+   }
+   }
break;
}
 


git: a7926435c12e - releng/13.0 - pf: Fix incorrect fragment handling

2021-02-28 Thread Kristof Provost
The branch releng/13.0 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a7926435c12e2304f46c9efadd4216f469f68acc

commit a7926435c12e2304f46c9efadd4216f469f68acc
Author: Kristof Provost 
AuthorDate: 2021-02-25 07:07:36 +
Commit: Kristof Provost 
CommitDate: 2021-03-01 07:04:47 +

pf: Fix incorrect fragment handling

A sequence of overlapping IPv4 fragments could crash the kernel in
pf due to an assertion.

Approved by:re (gjb)
Reported by:Alexander Bluhm
Obtained from:  OpenBSD
MFC after:  3 days
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 5f1b1f184b7f12330cf4a027e3db7c6700c67640)
(cherry picked from commit 86ebf4d3e12c3eae94d3e9a8dcf5bd5741889b58)
---
 sys/netpfil/pf/pf_norm.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index b7a84437630b..d7310c7bccb4 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -549,6 +549,7 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
struct pf_frent *after, *next, *prev;
struct pf_fragment  *frag;
uint16_ttotal;
+   int old_index, new_index;
 
PF_FRAG_ASSERT();
 
@@ -660,8 +661,30 @@ pf_fillup_fragment(struct pf_fragment_cmp *key, struct 
pf_frent *frent,
DPFPRINTF(("adjust overlap %d\n", aftercut));
if (aftercut < after->fe_len) {
m_adj(after->fe_m, aftercut);
+   old_index = pf_frent_index(after);
after->fe_off += aftercut;
after->fe_len -= aftercut;
+   new_index = pf_frent_index(after);
+   if (old_index != new_index) {
+   DPFPRINTF(("frag index %d, new %d",
+   old_index, new_index));
+   /* Fragment switched queue as fe_off changed */
+   after->fe_off -= aftercut;
+   after->fe_len += aftercut;
+   /* Remove restored fragment from old queue */
+   pf_frent_remove(frag, after);
+   after->fe_off += aftercut;
+   after->fe_len -= aftercut;
+   /* Insert into correct queue */
+   if (pf_frent_insert(frag, after, prev)) {
+   DPFPRINTF(
+   ("fragment requeue limit 
exceeded"));
+   m_freem(after->fe_m);
+   uma_zfree(V_pf_frent_z, after);
+   /* There is not way to recover */
+   goto bad_fragment;
+   }
+   }
break;
}
 


git: 02a34c9198d2 - stable/12 - bridge: Support STP on VLAN devices

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=02a34c9198d2d9c73150e4cae4910fe4af21a39c

commit 02a34c9198d2d9c73150e4cae4910fe4af21a39c
Author: Kristof Provost 
AuthorDate: 2021-02-20 09:11:30 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 08:30:37 +

bridge: Support STP on VLAN devices

VLAN devices have type IFT_L2VLAN, so the STP code mistakenly believed
they couldn't be used for STP. That's not the case, so add the
IFT_L2VLAN to the check.

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28857

(cherry picked from commit 711ed156b94562c3dcb2ee9c1b3f240f960a75d2)
---
 sys/net/bridgestp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index d613051eb565..ed83a2d646f5 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -2232,6 +2232,7 @@ bstp_enable(struct bstp_port *bp)
 
switch (ifp->if_type) {
case IFT_ETHER: /* These can do spanning tree. */
+   case IFT_L2VLAN:
break;
default:
/* Nothing else can. */
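Review bot: The explanatory comment `/* These can do spanning tree. */` is still attached to the IFT_ETHER label only, so the new `case IFT_L2VLAN:` reads as an uncommented exception rather than a second accepted type. Put the comment on the last accepted label so it covers both: `case IFT_ETHER:` / `case IFT_L2VLAN: /* These can do spanning tree. */`. The rest of bstp_enable() is outside the hunk.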


git: c3438a8438fe - stable/13 - bridge: Support STP on VLAN devices

2021-03-02 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c3438a8438fe44be4d63f1f9091f844cafdcb482

commit c3438a8438fe44be4d63f1f9091f844cafdcb482
Author: Kristof Provost 
AuthorDate: 2021-02-20 09:11:30 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 14:50:21 +

bridge: Support STP on VLAN devices

VLAN devices have type IFT_L2VLAN, so the STP code mistakenly believed
they couldn't be used for STP. That's not the case, so add the
IFT_L2VLAN to the check.

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28857

(cherry picked from commit 711ed156b94562c3dcb2ee9c1b3f240f960a75d2)
---
 sys/net/bridgestp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index a8bb51c11f51..c36dc61d1397 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -2232,6 +2232,7 @@ bstp_enable(struct bstp_port *bp)
 
switch (ifp->if_type) {
case IFT_ETHER: /* These can do spanning tree. */
+   case IFT_L2VLAN:
break;
default:
/* Nothing else can. */
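Review bot: Adding `case IFT_L2VLAN:` below the commented IFT_ETHER label leaves the "These can do spanning tree." comment describing only the first case; a reader skimming the switch will not see that VLAN devices are accepted on purpose. Move the comment down so it annotates the pair: `case IFT_ETHER:` / `case IFT_L2VLAN: /* These can do spanning tree. */`. bstp_enable() continues outside the hunk.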


git: 6a0355a0fe75 - stable/12 - bridge: Remove members when assigned to a new vnet

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6a0355a0fe751368c66ea2e7debee86badb50d2a

commit 6a0355a0fe751368c66ea2e7debee86badb50d2a
Author: Kristof Provost 
AuthorDate: 2021-02-21 20:20:32 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 08:31:02 +

bridge: Remove members when assigned to a new vnet

When the bridge is moved to a different vnet we must remove all of its
member interfaces (and span interfaces), because we don't know if those
will be moved along with it. We don't want to hold references to
interfaces not in our vnet.

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28859

(cherry picked from commit 38c0951386d82f4c51cf4e245253cdef18d2254a)
---
 sys/net/ethernet.h |  4 
 sys/net/if_bridge.c| 25 +
 sys/net/if_ethersubr.c |  3 ---
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/sys/net/ethernet.h b/sys/net/ethernet.h
index fdfc41b55037..1f718e6e69d2 100644
--- a/sys/net/ethernet.h
+++ b/sys/net/ethernet.h
@@ -429,6 +429,10 @@ extern uint32_t ether_crc32_be(const uint8_t *, 
size_t);
 extern void ether_demux(struct ifnet *, struct mbuf *);
 extern void ether_ifattach(struct ifnet *, const u_int8_t *);
 extern void ether_ifdetach(struct ifnet *);
+#ifdef VIMAGE
+struct vnet;
+extern void ether_reassign(struct ifnet *, struct vnet *, char *);
+#endif
 extern int  ether_ioctl(struct ifnet *, u_long, caddr_t);
 extern int  ether_output(struct ifnet *, struct mbuf *,
const struct sockaddr *, struct route *);
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 6ff9cd95e090..4e5c9ada12d1 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -674,6 +674,28 @@ SYSCTL_PROC(_net_link_bridge, OID_AUTO, ipfw,
 &VNET_NAME(pfil_ipfw), 0, &sysctl_pfil_ipfw, "I",
 "Layer2 filter with IPFW");
 
+#ifdef VIMAGE
+static void
+bridge_reassign(struct ifnet *ifp, struct vnet *newvnet, char *arg)
+{
+   struct bridge_softc *sc = ifp->if_softc;
+   struct bridge_iflist *bif;
+
+   BRIDGE_LOCK(sc);
+
+   while ((bif = CK_LIST_FIRST(&sc->sc_iflist)) != NULL)
+   bridge_delete_member(sc, bif, 0);
+
+   while ((bif = CK_LIST_FIRST(&sc->sc_spanlist)) != NULL) {
+   bridge_delete_span(sc, bif);
+   }
+
+   BRIDGE_UNLOCK(sc);
+
+   ether_reassign(ifp, newvnet, arg);
+}
+#endif
+
 /*
  * bridge_clone_create:
  *
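Review bot: bridge_reassign() carries no comment saying why it tears down every member and span port before handing the ifnet to ether_reassign(); that rationale lives only in the commit message, and the bare `0` passed as the third argument to bridge_delete_member() is opaque at the call site. Suggest a comment above the first loop, `/* Members may stay behind in the old vnet; drop them so we never hold an ifnet from another vnet. */`, and annotating the argument as `bridge_delete_member(sc, bif, 0 /* gone */)` if that is what the parameter means. The two loops are also braced inconsistently (the first unbraced, the span loop braced); style(9) would leave both single-statement bodies unbraced.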
@@ -756,6 +778,9 @@ bridge_clone_create(struct if_clone *ifc, int unit, caddr_t 
params)
/* Now undo some of the damage... */
ifp->if_baudrate = 0;
ifp->if_type = IFT_BRIDGE;
+#ifdef VIMAGE
+   ifp->if_reassign = bridge_reassign;
+#endif
 
BRIDGE_LIST_LOCK();
LIST_INSERT_HEAD(&V_bridge_list, sc, sc_list);
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index 532d6a7a342b..5e255f862221 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -117,9 +117,6 @@ static const u_char etherbroadcastaddr[ETHER_ADDR_LEN] =
 
 static int ether_resolvemulti(struct ifnet *, struct sockaddr **,
struct sockaddr *);
-#ifdef VIMAGE
-static void ether_reassign(struct ifnet *, struct vnet *, char *);
-#endif
 static int ether_requestencap(struct ifnet *, struct if_encap_req *);
 
 


git: 2d1773f32319 - stable/12 - bridge/stp: Ensure we enter NET_EPOCH whenever we can send traffic

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2d1773f323195f2ff4910b1ce0f66207dcae79f3

commit 2d1773f323195f2ff4910b1ce0f66207dcae79f3
Author: Kristof Provost 
AuthorDate: 2021-02-21 20:18:46 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge/stp: Ensure we enter NET_EPOCH whenever we can send traffic

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28858

(cherry picked from commit 89fa9c34d76bbf85cd7cda60c1868f5e3dba4ec7)
---
 sys/net/bridgestp.c | 2 ++
 sys/net/if_bridge.c | 8 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index ed83a2d646f5..d0259c37bf84 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -1871,6 +1871,7 @@ bstp_tick(void *arg)
if (bs->bs_running == 0)
return;
 
+   NET_EPOCH_ENTER();
CURVNET_SET(bs->bs_vnet);
 
/* poll link events on interfaces that do not support linkstate */
@@ -1909,6 +1910,7 @@ bstp_tick(void *arg)
}
 
CURVNET_RESTORE();
+   NET_EPOCH_EXIT();
 
callout_reset(&bs->bs_bstpcallout, hz, bstp_tick, bs);
 }
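Review bot: This branch's merge wraps bstp_tick() in the epoch but, unlike the stable/13 merge of the same commit further down this page, adds no NET_EPOCH_ASSERT() to bstp_transmit(), bstp_send_bpdu(), bstp_update_roles() or bstp_enable(), so a remaining caller that reaches the BPDU send path outside an epoch section will not be caught on INVARIANTS kernels. If stable/12 provides NET_EPOCH_ASSERT(), adding `NET_EPOCH_ASSERT();` next to the existing `BSTP_LOCK_ASSERT(bs);` in bstp_send_bpdu() would give the same protection as the stable/13 version. Those functions are outside this hunk.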
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 4e5c9ada12d1..8b25c28eb554 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1408,11 +1408,15 @@ bridge_ioctl_sifflags(struct bridge_softc *sc, void 
*arg)
/* SPAN is readonly */
return (EINVAL);
 
+   NET_EPOCH_ENTER();
+
if (req->ifbr_ifsflags & IFBIF_STP) {
if ((bif->bif_flags & IFBIF_STP) == 0) {
error = bstp_enable(&bif->bif_stp);
-   if (error)
+   if (error) {
+   NET_EPOCH_EXIT();
return (error);
+   }
}
} else {
if ((bif->bif_flags & IFBIF_STP) != 0)
@@ -1428,6 +1432,8 @@ bridge_ioctl_sifflags(struct bridge_softc *sc, void *arg)
/* Save the bits relating to the bridge */
bif->bif_flags = req->ifbr_ifsflags & IFBIFMASK;
 
+   NET_EPOCH_EXIT();
+
return (0);
 }
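Review bot: The epoch section in bridge_ioctl_sifflags() now has two exit points, the error path in the previous hunk and the normal return here, which is the pattern that leaks an epoch entry the next time someone adds a return in the middle. A single `out:` label that performs the NET_EPOCH_EXIT() and returns `error` keeps one exit, and the error path becomes `if (error) goto out;`. bridge_ioctl_sifflags() begins outside the hunk and the unchanged middle of the function (the STP disable path and the bstp_set_* calls) lies between the two hunks.

```c
			error = bstp_enable(&bif->bif_stp);
			if (error)
				goto out;
	/* ... unchanged: STP disable path and bstp_set_* flag propagation ... */
	bif->bif_flags = req->ifbr_ifsflags & IFBIFMASK;
	error = 0;
out:
	NET_EPOCH_EXIT();
	return (error);
```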
 


git: a20033be9ed8 - stable/13 - bridge: Remove members when assigned to a new vnet

2021-03-02 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a20033be9ed86295d3baac176d99b59c2f6ec7e5

commit a20033be9ed86295d3baac176d99b59c2f6ec7e5
Author: Kristof Provost 
AuthorDate: 2021-02-21 20:20:32 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 14:50:21 +

bridge: Remove members when assigned to a new vnet

When the bridge is moved to a different vnet we must remove all of its
member interfaces (and span interfaces), because we don't know if those
will be moved along with it. We don't want to hold references to
interfaces not in our vnet.

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28859

(cherry picked from commit 38c0951386d82f4c51cf4e245253cdef18d2254a)
---
 sys/net/ethernet.h |  4 
 sys/net/if_bridge.c| 25 +
 sys/net/if_ethersubr.c |  3 ---
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/sys/net/ethernet.h b/sys/net/ethernet.h
index 38c0aa249272..f174ca9eb143 100644
--- a/sys/net/ethernet.h
+++ b/sys/net/ethernet.h
@@ -437,6 +437,10 @@ extern uint32_t ether_crc32_be(const uint8_t *, 
size_t);
 extern void ether_demux(struct ifnet *, struct mbuf *);
 extern void ether_ifattach(struct ifnet *, const u_int8_t *);
 extern void ether_ifdetach(struct ifnet *);
+#ifdef VIMAGE
+struct vnet;
+extern void ether_reassign(struct ifnet *, struct vnet *, char *);
+#endif
 extern int  ether_ioctl(struct ifnet *, u_long, caddr_t);
 extern int  ether_output(struct ifnet *, struct mbuf *,
const struct sockaddr *, struct route *);
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 7c4e48ff04c6..24338267229b 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -670,6 +670,28 @@ SYSCTL_PROC(_net_link_bridge, OID_AUTO, ipfw,
 &VNET_NAME(pfil_ipfw), 0, &sysctl_pfil_ipfw, "I",
 "Layer2 filter with IPFW");
 
+#ifdef VIMAGE
+static void
+bridge_reassign(struct ifnet *ifp, struct vnet *newvnet, char *arg)
+{
+   struct bridge_softc *sc = ifp->if_softc;
+   struct bridge_iflist *bif;
+
+   BRIDGE_LOCK(sc);
+
+   while ((bif = CK_LIST_FIRST(&sc->sc_iflist)) != NULL)
+   bridge_delete_member(sc, bif, 0);
+
+   while ((bif = CK_LIST_FIRST(&sc->sc_spanlist)) != NULL) {
+   bridge_delete_span(sc, bif);
+   }
+
+   BRIDGE_UNLOCK(sc);
+
+   ether_reassign(ifp, newvnet, arg);
+}
+#endif
+
 /*
  * bridge_clone_create:
  *
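Review bot: Both loops in bridge_reassign() re-read the list head with CK_LIST_FIRST() on every iteration instead of walking the list with a _SAFE iterator, and nothing says why. If bridge_delete_member() drops and re-acquires BRIDGE_LOCK internally (its body is outside the hunk, so this is inferred), that restart-from-head is exactly what keeps the traversal safe and deserves a comment such as `/* bridge_delete_member() may drop the lock; restart from the head each time. */`; if it does not, a CK_LIST_FOREACH_SAFE loop would be the conventional form. Either way the intent should be written down next to the loop.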
@@ -716,6 +738,9 @@ bridge_clone_create(struct if_clone *ifc, int unit, caddr_t 
params)
/* Now undo some of the damage... */
ifp->if_baudrate = 0;
ifp->if_type = IFT_BRIDGE;
+#ifdef VIMAGE
+   ifp->if_reassign = bridge_reassign;
+#endif
 
BRIDGE_LIST_LOCK();
LIST_INSERT_HEAD(&V_bridge_list, sc, sc_list);
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index 77c138d7a092..01c2d2f7b3e8 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -117,9 +117,6 @@ static const u_char etherbroadcastaddr[ETHER_ADDR_LEN] =
 
 static int ether_resolvemulti(struct ifnet *, struct sockaddr **,
struct sockaddr *);
-#ifdef VIMAGE
-static void ether_reassign(struct ifnet *, struct vnet *, char *);
-#endif
 static int ether_requestencap(struct ifnet *, struct if_encap_req *);
 
 #define senderr(e) do { error = (e); goto bad;} while (0)


git: 05ac80ac0f3a - stable/13 - arp/nd: Cope with late calls to iflladdr_event

2021-03-02 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=05ac80ac0f3a41092a07e947fea1ed2e5f047d15

commit 05ac80ac0f3a41092a07e947fea1ed2e5f047d15
Author: Kristof Provost 
AuthorDate: 2021-02-22 07:19:43 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 14:50:21 +

arp/nd: Cope with late calls to iflladdr_event

When tearing down vnet jails we can move an if_bridge out (as
part of the normal vnet_if_return()). This can, when it's clearing out
its list of member interfaces, change its link layer address.
That sends an iflladdr_event, but at that point we've already freed the
AF_INET/AF_INET6 if_afdata pointers.

In other words: when the iflladdr_event callbacks fire we can't assume
that ifp->if_afdata[AF_INET] will be set.

Reviewed by:donner@, melifaro@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28860

(cherry picked from commit c139b3c19b52abe3b5ba23a8175e58e70c7a528d)
---
 sys/netinet/if_ether.c | 4 
 sys/netinet6/nd6.c | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index e09ad3d47382..ef50ec9ca964 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -1479,6 +1479,10 @@ arp_handle_ifllchange(struct ifnet *ifp)
 static void
 arp_iflladdr(void *arg __unused, struct ifnet *ifp)
 {
+   /* if_bridge can update its lladdr during if_vmove(), after we've done
+* if_detach_internal()/dom_ifdetach(). */
+   if (ifp->if_afdata[AF_INET] == NULL)
+   return;
 
lltable_update_ifaddr(LLTABLE(ifp));
 
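Review bot: The added block comment in arp_iflladdr() is not in style(9) form: a multi-line comment opens with `/*` on its own line and closes with `*/` on its own line, whereas here the text starts on the `/*` line and the closing `*/` is glued to the last sentence. Reflow it into the conventional four-line `/*` ... ` */` shape so it matches the rest of if_ether.c. The remainder of arp_iflladdr() is outside the hunk.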
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 497c0bfc10e8..62f0ac733a23 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -208,6 +208,8 @@ nd6_lle_event(void *arg __unused, struct llentry *lle, int 
evt)
 static void
 nd6_iflladdr(void *arg __unused, struct ifnet *ifp)
 {
+   if (ifp->if_afdata[AF_INET6] == NULL)
+   return;
 
lltable_update_ifaddr(LLTABLE6(ifp));
 }
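Review bot: nd6_iflladdr() gains the early return without any comment, while the matching arp_iflladdr() hunk in this commit explains why the af_data slot can be NULL. Add the same rationale here so the next reader does not mistake it for a defensive NULL check: `/* if_afdata[AF_INET6] may already be freed by dom_ifdetach() when a late iflladdr_event arrives, e.g. from if_bridge during if_vmove(). */`.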


git: 791f370cb5d6 - stable/12 - bridge: Basic test case

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=791f370cb5d6a24a1938a4e0147cc2734df6d076

commit 791f370cb5d6a24a1938a4e0147cc2734df6d076
Author: Kristof Provost 
AuthorDate: 2020-02-16 13:16:40 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge: Basic test case

Very basic bridge test: Set up two jails and test that they can pass IPv4
traffic over the bridge.

Reviewed by:melifaro, philip
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D23697

(cherry picked from commit 095aabf7dc814ae96d83bc5327a4b1f2e23be419)
---
 tests/sys/common/vnet.subr  |  7 
 tests/sys/net/Makefile  |  5 +--
 tests/sys/net/if_bridge_test.sh | 74 +
 3 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/tests/sys/common/vnet.subr b/tests/sys/common/vnet.subr
index 53b387ec07e5..d86afaf6aafa 100644
--- a/tests/sys/common/vnet.subr
+++ b/tests/sys/common/vnet.subr
@@ -16,6 +16,13 @@ vnet_mkepair()
echo ${ifname%a}
 }
 
+vnet_mkbridge()
+{
+   ifname=$(ifconfig bridge create)
+   echo $ifname >> created_interfaces.lst
+   echo ${ifname}
+}
+
 vnet_mkjail()
 {
jailname=$1
diff --git a/tests/sys/net/Makefile b/tests/sys/net/Makefile
index 5989f8be0727..bbb1d1337b2f 100644
--- a/tests/sys/net/Makefile
+++ b/tests/sys/net/Makefile
@@ -5,10 +5,11 @@
 TESTSDIR=  ${TESTSBASE}/sys/net
 BINDIR=${TESTSDIR}
 
-ATF_TESTS_SH+= if_lagg_test
+ATF_TESTS_C+=  if_epair
+ATF_TESTS_SH+= if_bridge_test
 ATF_TESTS_SH+= if_clone_test
+ATF_TESTS_SH+= if_lagg_test
 ATF_TESTS_SH+= if_tun_test
-ATF_TESTS_C+=  if_epair
 
 # The tests are written to be run in parallel, but doing so leads to random
 # panics.  I think it's because the kernel's list of interfaces isn't properly
diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
new file mode 100755
index ..384857bff589
--- /dev/null
+++ b/tests/sys/net/if_bridge_test.sh
@@ -0,0 +1,74 @@
+# $FreeBSD$
+#
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2020 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kristof Provost under sponsorship
+# from the FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#notice, this list of conditions and the following disclaimer in the
+#documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/../common/vnet.subr
+
+atf_test_case "bridge_transmit_ipv4_unicast" "cleanup"
+bridge_transmit_ipv4_unicast_head()
+{
+   atf_set descr 'bridge_transmit_ipv4_unicast bridging test'
+   atf_set require.user root
+}
+
+bridge_transmit_ipv4_unicast_body()
+{
+   vnet_init
+
+   epair_alcatraz=$(vnet_mkepair)
+   epair_singsing=$(vnet_mkepair)
+
+   vnet_mkjail alcatraz ${epair_alcatraz}b
+   vnet_mkjail singsing ${epair_singsing}b
+
+   jexec alcatraz ifconfig ${epair_alcatraz}b 192.0.2.1/24 up
+   jexec singsing ifconfig ${epair_singsing}b 192.0.2.2/24 up
+
+   bridge=$(vnet_mkbridge)
+
+   ifconfig ${bridge} up
+   ifconfig ${epair_alcatraz}a up
+   ifconfig ${epair_singsing}a up
+   ifconfig ${bridge} addm ${epair_alcatraz}a
+   ifconfig ${bridge} addm ${epair_singsing}a
+
+   atf_check -s exit:0 -o ignore jexec alcatraz ping -c 3 -t 1 192.0.2.2
+   atf_check -s exit:0 -o ignore jexec singsing ping -c 3 -t 1 192.0.2.1
+}
+
+bridge_transmit_ipv4_unicast_cleanup()
+{
+   vnet_cleanup
+}
+
+atf_init_test_cases()
+{
+   atf_add_test_case "bridge_transmit_ipv4_unicast"
+}
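Review bot: None of the setup commands in bridge_transmit_ipv4_unicast_body are checked, so a failed `ifconfig ${bridge} addm ...` or an empty `${bridge}` from vnet_mkbridge only surfaces later as a ping failure that looks like a bridging bug. Wrapping the member additions, at least, as `atf_check -s exit:0 ifconfig ${bridge} addm ${epair_alcatraz}a` (and likewise for singsing) makes a setup error fail the test at the right line. The ping assertions themselves are fine.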

git: 5b8932427605 - stable/12 - bridge test: spanning tree

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5b893242760570495abb09974455ab32a8fd6b95

commit 5b893242760570495abb09974455ab32a8fd6b95
Author: Kristof Provost 
AuthorDate: 2020-03-10 06:28:45 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge test: spanning tree

Basic test case where we create a bridge loop, verify that we really are
looping and then enable spanning tree to resolve the loop.

Reviewed by:philip
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D23959

(cherry picked from commit 6f0a65b080aac1b3144c7489b020b26b345d1a1b)
---
 tests/sys/net/if_bridge_test.sh | 69 +
 1 file changed, 69 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index c51321187018..afb260a86cc3 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -67,7 +67,76 @@ bridge_transmit_ipv4_unicast_cleanup()
vnet_cleanup
 }
 
+atf_test_case "stp" "cleanup"
+stp_head()
+{
+   atf_set descr 'Spanning tree test'
+   atf_set require.user root
+   atf_set require.progs jq
+}
+
+stp_body()
+{
+   vnet_init
+
+   epair_one=$(vnet_mkepair)
+   epair_two=$(vnet_mkepair)
+   bridge_a=$(vnet_mkbridge)
+   bridge_b=$(vnet_mkbridge)
+
+   vnet_mkjail a ${bridge_a} ${epair_one}a ${epair_two}a
+   vnet_mkjail b ${bridge_b} ${epair_one}b ${epair_two}b
+
+   jexec a ifconfig ${bridge_a} up
+   jexec a ifconfig ${epair_one}a up
+   jexec a ifconfig ${epair_two}a up
+   jexec a ifconfig ${bridge_a} addm ${epair_one}a
+   jexec a ifconfig ${bridge_a} addm ${epair_two}a
+
+   jexec b ifconfig ${bridge_b} up
+   jexec b ifconfig ${epair_one}b up
+   jexec b ifconfig ${epair_two}b up
+   jexec b ifconfig ${bridge_b} addm ${epair_one}b
+   jexec b ifconfig ${bridge_b} addm ${epair_two}b
+
+   jexec a ifconfig ${bridge_a} 192.0.2.1/24
+
+   # Give the interfaces some time to come up and pass some traffic
+   sleep 5
+
+   # Confirm that there's looping traffic
+   nbr=$(jexec a netstat -I ${bridge_a} --libxo json \
+   | jq ".statistics.interface[0].\"received-packets\"")
+   if [ ${nbr} -lt 100 ]
+   then
+   atf_fail "Expected bridging loop, but found very few packets."
+   fi
+
+   # Enable spanning tree
+   jexec a ifconfig ${bridge_a} stp ${epair_one}a
+   jexec a ifconfig ${bridge_a} stp ${epair_two}a
+   jexec b ifconfig ${bridge_b} stp ${epair_one}b
+   jexec b ifconfig ${bridge_b} stp ${epair_two}b
+
+   # Give STP time to do its thing
+   sleep 5
+
+   a_discard=$(jexec a ifconfig ${bridge_a} | grep discarding)
+   b_discard=$(jexec b ifconfig ${bridge_b} | grep discarding)
+
+   if [ -z "${a_discard}" ] && [ -z "${b_discard}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
+}
+
+stp_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
+   atf_add_test_case "stp"
 }
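Review bot: In stp_body the loop check `if [ ${nbr} -lt 100 ]` becomes a shell syntax error rather than a clean failure when `nbr` is empty, which happens if the libxo key is missing or jq prints nothing; `if [ "${nbr:-0}" -lt 100 ]` turns that into the intended atf_fail. The two fixed `sleep 5` waits also make the test timing-dependent on loaded hosts; polling the packet counter or the "discarding" state up to a deadline would be more robust, though that is a larger change.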


git: 2c19b99c2f1c - stable/13 - bridge tests: Test STP on top of VLAN devices

2021-03-02 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2c19b99c2f1c78bebb931f9465146ad4e7f1dec9

commit 2c19b99c2f1c78bebb931f9465146ad4e7f1dec9
Author: Kristof Provost 
AuthorDate: 2021-02-20 09:13:33 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 14:50:21 +

bridge tests: Test STP on top of VLAN devices

This is basically the same test as the existing STP test, but now on top
of VLAN interfaces instead of directly using the epair devices.

MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28861

(cherry picked from commit 26492ba2716f8b839f743bb663ce47405990fdf0)
---
 tests/sys/net/if_bridge_test.sh | 66 +
 1 file changed, 66 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index b848a03b273d..bc9add68ce25 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -124,6 +124,71 @@ stp_cleanup()
vnet_cleanup
 }
 
+atf_test_case "stp_vlan" "cleanup"
+stp_vlan_head()
+{
+   atf_set descr 'Spanning tree on VLAN test'
+   atf_set require.user root
+}
+
+stp_vlan_body()
+{
+   vnet_init
+
+   epair_one=$(vnet_mkepair)
+   epair_two=$(vnet_mkepair)
+   bridge_a=$(vnet_mkbridge)
+   bridge_b=$(vnet_mkbridge)
+
+   vnet_mkjail a ${bridge_a} ${epair_one}a ${epair_two}a
+   vnet_mkjail b ${bridge_b} ${epair_one}b ${epair_two}b
+
+   jexec a ifconfig ${epair_one}a up
+   jexec a ifconfig ${epair_two}a up
+   vlan_a_one=$(jexec a ifconfig vlan create vlandev ${epair_one}a vlan 42)
+   vlan_a_two=$(jexec a ifconfig vlan create vlandev ${epair_two}a vlan 42)
+   jexec a ifconfig ${vlan_a_one} up
+   jexec a ifconfig ${vlan_a_two} up
+   jexec a ifconfig ${bridge_a} addm ${vlan_a_one}
+   jexec a ifconfig ${bridge_a} addm ${vlan_a_two}
+
+   jexec b ifconfig ${epair_one}b up
+   jexec b ifconfig ${epair_two}b up
+   vlan_b_one=$(jexec b ifconfig vlan create vlandev ${epair_one}b vlan 42)
+   vlan_b_two=$(jexec b ifconfig vlan create vlandev ${epair_two}b vlan 42)
+   jexec b ifconfig ${vlan_b_one} up
+   jexec b ifconfig ${vlan_b_two} up
+   jexec b ifconfig ${bridge_b} addm ${vlan_b_one}
+   jexec b ifconfig ${bridge_b} addm ${vlan_b_two}
+
+   jexec a ifconfig ${bridge_a} 192.0.2.1/24
+
+   # Enable spanning tree
+   jexec a ifconfig ${bridge_a} stp ${vlan_a_one}
+   jexec a ifconfig ${bridge_a} stp ${vlan_a_two}
+   jexec b ifconfig ${bridge_b} stp ${vlan_b_one}
+   jexec b ifconfig ${bridge_b} stp ${vlan_b_two}
+
+   jexec b ifconfig ${bridge_b} up
+   jexec a ifconfig ${bridge_a} up
+
+   # Give STP time to do its thing
+   sleep 5
+
+   a_discard=$(jexec a ifconfig ${bridge_a} | grep discarding)
+   b_discard=$(jexec b ifconfig ${bridge_b} | grep discarding)
+
+   if [ -z "${a_discard}" ] && [ -z "${b_discard}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
+}
+
+stp_vlan_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_test_case "static" "cleanup"
 static_head()
 {
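Review bot: Unlike the existing stp test, stp_vlan_body enables STP before the bridges come up and never confirms that a loop exists, so if VLAN-tagged frames (and BPDUs) simply do not pass between the jails, no port goes to discarding and the test fails with the misleading message "STP failed to detect bridging loop". Either reuse the pre-check from the stp test, or reword the failure to `atf_fail "No STP port went to discarding; loop not detected or VLAN traffic not passing"`. The VLAN interfaces created with `ifconfig vlan create` inside the jails are not recorded in created_interfaces.lst; presumably destroying the jail reclaims them, but a comment saying so would help.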
@@ -329,6 +394,7 @@ atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
atf_add_test_case "stp"
+   atf_add_test_case "stp_vlan"
atf_add_test_case "static"
atf_add_test_case "span"
atf_add_test_case "inherit_mac"


git: 51ddfd32cc99 - stable/12 - bridge test: adding and removing static addresses

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=51ddfd32cc9952a916d63b0c6780322b90f0873c

commit 51ddfd32cc9952a916d63b0c6780322b90f0873c
Author: Kristof Provost 
AuthorDate: 2020-03-10 06:29:59 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge test: adding and removing static addresses

Reviewed by:philip
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D23960

(cherry picked from commit d99bb677c1cf43b22e91d54c49a8b7f0592e6fce)
---
 tests/sys/net/if_bridge_test.sh | 57 +
 1 file changed, 57 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index afb260a86cc3..34b72c33bb36 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -135,8 +135,65 @@ stp_cleanup()
vnet_cleanup
 }
 
+atf_test_case "static" "cleanup"
+static_head()
+{
+   atf_set descr 'Bridge static address test'
+   atf_set require.user root
+}
+
+static_body()
+{
+   vnet_init
+
+   epair=$(vnet_mkepair)
+   bridge=$(vnet_mkbridge)
+
+   vnet_mkjail one ${bridge} ${epair}a
+
+   ifconfig ${epair}b up
+
+   jexec one ifconfig ${bridge} up
+   jexec one ifconfig ${epair}a up
+   jexec one ifconfig ${bridge} addm ${epair}a
+
+   # Wrong interface
+   atf_check -s exit:1 -o ignore -e ignore \
+   jexec one ifconfig ${bridge} static ${epair}b 00:01:02:03:04:05
+
+   # Bad address format
+   atf_check -s exit:1 -o ignore -e ignore \
+   jexec one ifconfig ${bridge} static ${epair}a 00:01:02:03:04
+
+   # Correct add
+   atf_check -s exit:0 -o ignore \
+   jexec one ifconfig ${bridge} static ${epair}a 00:01:02:03:04:05
+
+   # List addresses
+   atf_check -s exit:0 -o ignore \
+   jexec one ifconfig ${bridge} addr
+
+   # Delete with bad address format
+   atf_check -s exit:1 -o ignore -e ignore \
+   jexec one ifconfig ${bridge} deladdr 00:01:02:03:04
+
+   # Delete with unlisted address
+   atf_check -s exit:1 -o ignore -e ignore \
+   jexec one ifconfig ${bridge} deladdr 00:01:02:03:04:06
+
+   # Correct delete
+   atf_check -s exit:0 -o ignore \
+   jexec one ifconfig ${bridge} deladdr 00:01:02:03:04:05
+}
+
+static_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
atf_add_test_case "stp"
+   atf_add_test_case "static"
 }
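Review bot: The "List addresses" step in static_body only checks that `ifconfig ${bridge} addr` exits 0 and ignores its output, so a static entry that was silently not installed would still pass. Assert on the address actually appearing: `atf_check -s exit:0 -o match:"00:01:02:03:04:05" jexec one ifconfig ${bridge} addr`, and optionally `-o not-match:` after the "Correct delete" step.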


git: a285c84d517f - stable/12 - arp/nd: Cope with late calls to iflladdr_event

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a285c84d517f4b987dfbbcec876d1fd812065a27

commit a285c84d517f4b987dfbbcec876d1fd812065a27
Author: Kristof Provost 
AuthorDate: 2021-02-22 07:19:43 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 08:31:13 +

arp/nd: Cope with late calls to iflladdr_event

When tearing down vnet jails we can move an if_bridge out (as
part of the normal vnet_if_return()). This can, when it's clearing out
its list of member interfaces, change its link layer address.
That sends an iflladdr_event, but at that point we've already freed the
AF_INET/AF_INET6 if_afdata pointers.

In other words: when the iflladdr_event callbacks fire we can't assume
that ifp->if_afdata[AF_INET] will be set.

Reviewed by:donner@, melifaro@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28860

(cherry picked from commit c139b3c19b52abe3b5ba23a8175e58e70c7a528d)
---
 sys/netinet/if_ether.c | 4 
 sys/netinet6/nd6.c | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c
index a05001999ca4..538f6abb9855 100644
--- a/sys/netinet/if_ether.c
+++ b/sys/netinet/if_ether.c
@@ -1461,6 +1461,10 @@ arp_handle_ifllchange(struct ifnet *ifp)
 static void
 arp_iflladdr(void *arg __unused, struct ifnet *ifp)
 {
+   /* if_bridge can update its lladdr during if_vmove(), after we've done
+* if_detach_internal()/dom_ifdetach(). */
+   if (ifp->if_afdata[AF_INET] == NULL)
+   return;
 
lltable_update_ifaddr(LLTABLE(ifp));
 
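Review bot: The new comment in arp_iflladdr() does not follow style(9) for multi-line comments, which put `/*` and `*/` on their own lines with the text in between; here the text starts on the opening line and the closer is appended to the final sentence. Reflow it into the standard four-line form to match the surrounding file. arp_iflladdr() continues beyond the hunk.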
diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c
index 50fcc3226f97..d1d4b7c7fa88 100644
--- a/sys/netinet6/nd6.c
+++ b/sys/netinet6/nd6.c
@@ -206,6 +206,8 @@ nd6_lle_event(void *arg __unused, struct llentry *lle, int 
evt)
 static void
 nd6_iflladdr(void *arg __unused, struct ifnet *ifp)
 {
+   if (ifp->if_afdata[AF_INET6] == NULL)
+   return;
 
lltable_update_ifaddr(LLTABLE6(ifp));
 }
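Review bot: The early return added to nd6_iflladdr() has no comment, whereas the sibling arp_iflladdr() change in this commit documents why the af_data pointer can already be gone. Mirror that here: `/* if_afdata[AF_INET6] may already be freed by dom_ifdetach() when a late iflladdr_event arrives, e.g. from if_bridge during if_vmove(). */`.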


git: eaba3fe1483f - stable/13 - bridge/stp: Ensure we enter NET_EPOCH whenever we can send traffic

2021-03-02 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=eaba3fe1483fe82baccb6d3930347bbd548c6fcd

commit eaba3fe1483fe82baccb6d3930347bbd548c6fcd
Author: Kristof Provost 
AuthorDate: 2021-02-21 20:18:46 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 14:50:21 +

bridge/stp: Ensure we enter NET_EPOCH whenever we can send traffic

Reviewed by:donner@
MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28858

(cherry picked from commit 89fa9c34d76bbf85cd7cda60c1868f5e3dba4ec7)
---
 sys/net/bridgestp.c | 9 +
 sys/net/if_bridge.c | 9 -
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index c36dc61d1397..82524440c241 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -154,6 +154,8 @@ static void bstp_reinit(struct bstp_state *);
 static void
 bstp_transmit(struct bstp_state *bs, struct bstp_port *bp)
 {
+   NET_EPOCH_ASSERT();
+
if (bs->bs_running == 0)
return;
 
@@ -346,6 +348,7 @@ bstp_send_bpdu(struct bstp_state *bs, struct bstp_port *bp,
struct ether_header *eh;
 
BSTP_LOCK_ASSERT(bs);
+   NET_EPOCH_ASSERT();
 
ifp = bp->bp_ifp;
 
@@ -923,6 +926,8 @@ bstp_update_state(struct bstp_state *bs, struct bstp_port 
*bp)
 static void
 bstp_update_roles(struct bstp_state *bs, struct bstp_port *bp)
 {
+   NET_EPOCH_ASSERT();
+
switch (bp->bp_role) {
case BSTP_ROLE_DISABLED:
/* Clear any flags if set */
@@ -1862,6 +1867,7 @@ bstp_disable_port(struct bstp_state *bs, struct bstp_port 
*bp)
 static void
 bstp_tick(void *arg)
 {
+   struct epoch_tracker et;
struct bstp_state *bs = arg;
struct bstp_port *bp;
 
@@ -1870,6 +1876,7 @@ bstp_tick(void *arg)
if (bs->bs_running == 0)
return;
 
+   NET_EPOCH_ENTER(et);
CURVNET_SET(bs->bs_vnet);
 
/* poll link events on interfaces that do not support linkstate */
@@ -1908,6 +1915,7 @@ bstp_tick(void *arg)
}
 
CURVNET_RESTORE();
+   NET_EPOCH_EXIT(et);
 
callout_reset(&bs->bs_bstpcallout, hz, bstp_tick, bs);
 }
@@ -2229,6 +2237,7 @@ bstp_enable(struct bstp_port *bp)
struct ifnet *ifp = bp->bp_ifp;
 
KASSERT(bp->bp_active == 0, ("already a bstp member"));
+   NET_EPOCH_ASSERT(); /* Because bstp_update_roles() causes traffic. */
 
switch (ifp->if_type) {
case IFT_ETHER: /* These can do spanning tree. */
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 24338267229b..3e6b5ba8e0c2 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1351,6 +1351,7 @@ bridge_ioctl_gifflags(struct bridge_softc *sc, void *arg)
 static int
 bridge_ioctl_sifflags(struct bridge_softc *sc, void *arg)
 {
+   struct epoch_tracker et;
struct ifbreq *req = arg;
struct bridge_iflist *bif;
struct bstp_port *bp;
@@ -1365,11 +1366,15 @@ bridge_ioctl_sifflags(struct bridge_softc *sc, void 
*arg)
/* SPAN is readonly */
return (EINVAL);
 
+   NET_EPOCH_ENTER(et);
+
if (req->ifbr_ifsflags & IFBIF_STP) {
if ((bif->bif_flags & IFBIF_STP) == 0) {
error = bstp_enable(&bif->bif_stp);
-   if (error)
+   if (error) {
+   NET_EPOCH_EXIT(et);
return (error);
+   }
}
} else {
if ((bif->bif_flags & IFBIF_STP) != 0)
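Review bot: The early return after a failed bstp_enable() is now patched by hand with NET_EPOCH_EXIT(et), but everything between this hunk and the final NET_EPOCH_EXIT in the next hunk is not visible, so any other `return` there (the STP-disable branch or flag validation) would leave the epoch section entered on an ioctl error path. A single-exit shape removes the hazard: `error = bstp_enable(&bif->bif_stp); if (error) goto out;` in this branch, `error = 0;` once the flags are saved, and `out: NET_EPOCH_EXIT(et); return (error);` at the end of bridge_ioctl_sifflags.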
@@ -1385,6 +1390,8 @@ bridge_ioctl_sifflags(struct bridge_softc *sc, void *arg)
/* Save the bits relating to the bridge */
bif->bif_flags = req->ifbr_ifsflags & IFBIFMASK;
 
+   NET_EPOCH_EXIT(et);
+
return (0);
 }
 


git: e11329536494 - stable/12 - bridge tests: Ensure that bridges in different jails get different MAC addresses

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e1132953649454ed7ae40e156c23de20d6a3827c

commit e1132953649454ed7ae40e156c23de20d6a3827c
Author: Kristof Provost 
AuthorDate: 2020-04-19 16:30:49 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge tests: Ensure that bridges in different jails get different MAC 
addresses

We used to have a problem where bridges created in different vnet jails
would end up having the same mac address. This is now fixed by
including the jail name as a seed for the mac address generation, but we
should verify that it doesn't regress.

(cherry picked from commit 2885ae0c3ca3ea93e1f227ecb3003db2e94f4129)
---
 tests/sys/net/if_bridge_test.sh | 39 +++
 1 file changed, 39 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index cb9c297220b6..111281799e9d 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -271,6 +271,44 @@ delete_with_members_cleanup()
vnet_cleanup
 }
 
+atf_test_case "mac_conflict" "cleanup"
+mac_conflict_head()
+{
+   atf_set descr 'Ensure that bridges in different jails get different mac 
addresses'
+   atf_set require.user root
+}
+
+mac_conflict_body()
+{
+   vnet_init
+
+   epair=$(vnet_mkepair)
+
+   # Ensure the bridge module is loaded so jails can use it.
+   tmpbridge=$(vnet_mkbridge)
+
+   vnet_mkjail bridge_mac_conflict_one ${epair}a
+   vnet_mkjail bridge_mac_conflict_two ${epair}b
+
+   jexec bridge_mac_conflict_one ifconfig bridge create
+   jexec bridge_mac_conflict_one ifconfig bridge0 192.0.2.1/24 up \
+   addm ${epair}a
+   jexec bridge_mac_conflict_one ifconfig ${epair}a up
+
+   jexec bridge_mac_conflict_two ifconfig bridge create
+   jexec bridge_mac_conflict_two ifconfig bridge0 192.0.2.2/24 up \
+   addm ${epair}b
+   jexec bridge_mac_conflict_two ifconfig ${epair}b up
+
+   atf_check -s exit:0 -o ignore \
+   jexec bridge_mac_conflict_one ping -c 3 192.0.2.2
+}
+
+mac_conflict_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
@@ -278,4 +316,5 @@ atf_init_test_cases()
atf_add_test_case "static"
atf_add_test_case "span"
atf_add_test_case "delete_with_members"
+   atf_add_test_case "mac_conflict"
 }
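Review bot: mac_conflict_body never compares the two bridges' MAC addresses; the only assertion is that a ping between the jails succeeds, which is an indirect signal for the regression the test is named after, and a duplicate address does not necessarily break that ping. Reading the `ether` line of each bridge and failing when they match turns it into a direct check, while the ping can stay as a connectivity sanity check.
```shell
	# … unchanged: vnet_init, epair/jail/bridge setup …

	# The regression this test guards against is a duplicate MAC, so
	# compare the addresses directly instead of relying on ping alone.
	mac_one=$(jexec bridge_mac_conflict_one ifconfig bridge0 | awk '/ether/ { print $2 }')
	mac_two=$(jexec bridge_mac_conflict_two ifconfig bridge0 | awk '/ether/ { print $2 }')
	if [ -z "${mac_one}" ] || [ "${mac_one}" = "${mac_two}" ]
	then
		atf_fail "Bridges in different jails share MAC address '${mac_one}'"
	fi

	atf_check -s exit:0 -o ignore \
		jexec bridge_mac_conflict_one ping -c 3 192.0.2.2
```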


git: e180cc2fb9c5 - stable/12 - bridge tests: Test deleting a bridge with members

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e180cc2fb9c5d7eb2d198470f54f7dbebbf4bf7c

commit e180cc2fb9c5d7eb2d198470f54f7dbebbf4bf7c
Author: Kristof Provost 
AuthorDate: 2020-04-17 14:57:15 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge tests: Test deleting a bridge with members

Reviewed by:philip, emaste
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D24337

(cherry picked from commit 3f359bfd47430183f69b9c03f34458217e7c7970)
---
 tests/sys/net/if_bridge_test.sh | 27 +++
 1 file changed, 27 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index 7b26b97967ad..cb9c297220b6 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -245,10 +245,37 @@ span_cleanup()
vnet_cleanup
 }
 
+atf_test_case "delete_with_members" "cleanup"
+delete_with_members_head()
+{
+   atf_set descr 'Delete a bridge which still has member interfaces'
+   atf_set require.user root
+}
+
+delete_with_members_body()
+{
+   vnet_init
+
+   bridge=$(vnet_mkbridge)
+   epair=$(vnet_mkepair)
+
+   ifconfig ${bridge} 192.0.2.1/24 up
+   ifconfig ${epair}a up
+   ifconfig ${bridge} addm ${epair}a
+
+   ifconfig ${bridge} destroy
+}
+
+delete_with_members_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
atf_add_test_case "stp"
atf_add_test_case "static"
atf_add_test_case "span"
+   atf_add_test_case "delete_with_members"
 }
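Review bot: `ifconfig ${bridge} destroy` in delete_with_members_body is not wrapped in atf_check, so a non-zero exit from the destroy — the failure mode this test exists to catch, short of a panic — does not fail the test. `atf_check -s exit:0 ifconfig ${bridge} destroy` makes the expectation explicit and keeps the test from passing silently when the destroy is refused.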


git: fd5828b62bdb - stable/12 - bridge tests: Avoid building a switching loop

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=fd5828b62bdb5738143c81edb139365aa4151567

commit fd5828b62bdb5738143c81edb139365aa4151567
Author: Kristof Provost 
AuthorDate: 2020-06-01 19:26:16 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:07 +

bridge tests: Avoid building a switching loop

Enable STP before bringing the bridges up. This avoids a switching loop,
which has a tendency to drown out progress in userspace processes,
especially on single-core systems.

Only check that we have indeed shut down one of the looped interfaces
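Review bot: The description's last sentence needs a full stop; otherwise the record reads fine.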

PR: 246448
Reviewed by:melifaro
Differential Revision:  https://reviews.freebsd.org/D25084

(cherry picked from commit e07e002e950aa673266e3d4b30c43e1198af65e0)
---
 tests/sys/net/if_bridge_test.sh | 17 +++--
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index a20eae49998f..b848a03b273d 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -72,7 +72,6 @@ stp_head()
 {
atf_set descr 'Spanning tree test'
atf_set require.user root
-   atf_set require.progs jq
 }
 
 stp_body()
@@ -87,13 +86,11 @@ stp_body()
vnet_mkjail a ${bridge_a} ${epair_one}a ${epair_two}a
vnet_mkjail b ${bridge_b} ${epair_one}b ${epair_two}b
 
-   jexec a ifconfig ${bridge_a} up
jexec a ifconfig ${epair_one}a up
jexec a ifconfig ${epair_two}a up
jexec a ifconfig ${bridge_a} addm ${epair_one}a
jexec a ifconfig ${bridge_a} addm ${epair_two}a
 
-   jexec b ifconfig ${bridge_b} up
jexec b ifconfig ${epair_one}b up
jexec b ifconfig ${epair_two}b up
jexec b ifconfig ${bridge_b} addm ${epair_one}b
@@ -101,23 +98,15 @@ stp_body()
 
jexec a ifconfig ${bridge_a} 192.0.2.1/24
 
-   # Give the interfaces some time to come up and pass some traffic
-   sleep 5
-
-   # Confirm that there's looping traffic
-   nbr=$(jexec a netstat -I ${bridge_a} --libxo json \
-   | jq ".statistics.interface[0].\"received-packets\"")
-   if [ ${nbr} -lt 100 ]
-   then
-   atf_fail "Expected bridging loop, but found very few packets."
-   fi
-
# Enable spanning tree
jexec a ifconfig ${bridge_a} stp ${epair_one}a
jexec a ifconfig ${bridge_a} stp ${epair_two}a
jexec b ifconfig ${bridge_b} stp ${epair_one}b
jexec b ifconfig ${bridge_b} stp ${epair_two}b
 
+   jexec b ifconfig ${bridge_b} up
+   jexec a ifconfig ${bridge_a} up
+
# Give STP time to do its thing
sleep 5
 


git: 40fc07a85577 - stable/12 - bridge tests: Remove unneeded 'All rights reserved.'

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=40fc07a85577bb22b923978b1fc9e99ce147d4a1

commit 40fc07a85577bb22b923978b1fc9e99ce147d4a1
Author: Kristof Provost 
AuthorDate: 2020-02-19 16:44:16 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge tests: Remove unneeded 'All rights reserved.'

The FreeBSD foundation no longer requires this, as per
https://lists.freebsd.org/pipermail/svn-src-all/2019-February/177215.html 
and
private communications.

Sponsored by:   The FreeBSD Foundation

(cherry picked from commit e3c73f3d74c77b2c168519b10bdb6910a84287ef)
---
 tests/sys/net/if_bridge_test.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index 384857bff589..c51321187018 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -3,7 +3,6 @@
 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 #
 # Copyright (c) 2020 The FreeBSD Foundation
-# All rights reserved.
 #
 # This software was developed by Kristof Provost under sponsorship
 # from the FreeBSD Foundation.


git: 1b73cd3d0a7c - stable/12 - bridge tests: Test for #216510

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=1b73cd3d0a7c9fa9b19e28a3bd8e79f405309348

commit 1b73cd3d0a7c9fa9b19e28a3bd8e79f405309348
Author: Kristof Provost 
AuthorDate: 2020-04-26 16:27:03 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:07 +

bridge tests: Test for #216510

We used to have an issue with recursive locking with
net.link.bridge.inherit_mac. It caused us to send an ARP request while
we held the BRIDGE_LOCK, which in turn made us try to acquire the
BRIDGE_LOCK again. We can't re-acquire it, so this caused a panic.

Now that we no longer need to acquire the BRIDGE_LOCK for
bridge_transmit() this should no longer panic. Test this.

PR: 216510
Reviewed by:emaste, philip
MFC after:  2 months
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D24251

(cherry picked from commit 5377560783d95b92fce3bea3caac37d2860b1d48)
---
 tests/sys/net/if_bridge_test.sh | 28 
 1 file changed, 28 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index 111281799e9d..a20eae49998f 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -309,12 +309,40 @@ mac_conflict_cleanup()
vnet_cleanup
 }
 
+atf_test_case "inherit_mac" "cleanup"
+inherit_mac_head()
+{
+   atf_set descr 'Bridge inherit_mac test, #216510'
+   atf_set require.user root
+}
+
+inherit_mac_body()
+{
+   vnet_init
+
+   bridge=$(vnet_mkbridge)
+   epair=$(vnet_mkepair)
+   vnet_mkjail one ${bridge} ${epair}a
+
+   jexec one sysctl net.link.bridge.inherit_mac=1
+
+   # Attempt to provoke the panic described in #216510
+   jexec one ifconfig ${bridge} 192.0.0.1/24 up
+   jexec one ifconfig ${bridge} addm ${epair}a
+}
+
+inherit_mac_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
atf_add_test_case "stp"
atf_add_test_case "static"
atf_add_test_case "span"
+   atf_add_test_case "inherit_mac"
atf_add_test_case "delete_with_members"
atf_add_test_case "mac_conflict"
 }
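Review bot: inherit_mac_body assigns `192.0.0.1/24` to the bridge, while every other test in this file uses 192.0.2.0/24 (TEST-NET-1); 192.0.0.0/24 is reserved for IETF protocol assignments (RFC 6890), so this looks like a typo rather than intent. Suggest `jexec one ifconfig ${bridge} 192.0.2.1/24 up`. The test also sets `net.link.bridge.inherit_mac` from inside the jail; that is only meaningful if the sysctl is per-vnet, which is not visible here and worth confirming.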


git: c4bf12b43711 - stable/12 - bridge tests: Basic span test

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c4bf12b4371112ea5e875b51befbb4c12b9707db

commit c4bf12b4371112ea5e875b51befbb4c12b9707db
Author: Kristof Provost 
AuthorDate: 2020-03-16 08:44:46 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:06 +

bridge tests: Basic span test

Reviewed by:philip, emaste (previous version)
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D23961

(cherry picked from commit bb490fcf195450d9cbbac00e6338b352aac32c5c)
---
 tests/sys/net/if_bridge_test.sh | 55 +
 1 file changed, 55 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index 34b72c33bb36..7b26b97967ad 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -191,9 +191,64 @@ static_cleanup()
vnet_cleanup
 }
 
+atf_test_case "span" "cleanup"
+span_head()
+{
+   atf_set descr 'Bridge span test'
+   atf_set require.user root
+}
+
+span_body()
+{
+   set -x
+   vnet_init
+
+   epair=$(vnet_mkepair)
+   epair_span=$(vnet_mkepair)
+   bridge=$(vnet_mkbridge)
+
+   vnet_mkjail one ${bridge} ${epair}a ${epair_span}a
+
+   ifconfig ${epair}b up
+   ifconfig ${epair_span}b up
+
+   jexec one ifconfig ${bridge} up
+   jexec one ifconfig ${epair}a up
+   jexec one ifconfig ${epair_span}a up
+   jexec one ifconfig ${bridge} addm ${epair}a
+
+   jexec one ifconfig ${bridge} span ${epair_span}a
+   jexec one ifconfig ${bridge} 192.0.2.1/24
+
+   # Send some traffic through the span
+   jexec one ping -c 1 -t 1 192.0.2.2
+
+   # Check that we see the traffic on the span interface
+   atf_check -s exit:0 \
+   $(atf_get_srcdir)/../netpfil/common/pft_ping.py \
+   --sendif ${epair}b \
+   --to 192.0.2.2 \
+   --recvif ${epair_span}b
+
+   jexec one ifconfig ${bridge} -span ${epair_span}a
+
+   # And no more traffic after we remove the span
+   atf_check -s exit:1 \
+   $(atf_get_srcdir)/../netpfil/common/pft_ping.py \
+   --sendif ${epair}b \
+   --to 192.0.2.2 \
+   --recvif ${epair_span}b
+}
+
+span_cleanup()
+{
+   vnet_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
atf_add_test_case "stp"
atf_add_test_case "static"
+   atf_add_test_case "span"
 }
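Review bot: `set -x` at the top of span_body is a debugging leftover; none of the sibling test bodies on this page trace themselves and it makes the ATF output noisy, so drop that line. The negative check at the end relies on pft_ping.py exiting with status 1 specifically when nothing arrives on the span interface; if the script can also exit non-zero for setup errors, the "no traffic after -span" case would pass for the wrong reason, which is worth confirming against the script's exit contract.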


git: 81d747ace024 - stable/12 - bridge tests: Test STP on top of VLAN devices

2021-03-02 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=81d747ace024ff71746f003f4d108f26b69bfede

commit 81d747ace024ff71746f003f4d108f26b69bfede
Author: Kristof Provost 
AuthorDate: 2021-02-20 09:13:33 +
Commit: Kristof Provost 
CommitDate: 2021-03-02 13:03:07 +

bridge tests: Test STP on top of VLAN devices

This is basically the same test as the existing STP test, but now on top
of VLAN interfaces instead of directly using the epair devices.

MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28861

(cherry picked from commit 26492ba2716f8b839f743bb663ce47405990fdf0)
---
 tests/sys/net/if_bridge_test.sh | 66 +
 1 file changed, 66 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index b848a03b273d..bc9add68ce25 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -124,6 +124,71 @@ stp_cleanup()
vnet_cleanup
 }
 
+atf_test_case "stp_vlan" "cleanup"
+stp_vlan_head()
+{
+   atf_set descr 'Spanning tree on VLAN test'
+   atf_set require.user root
+}
+
+stp_vlan_body()
+{
+   vnet_init
+
+   epair_one=$(vnet_mkepair)
+   epair_two=$(vnet_mkepair)
+   bridge_a=$(vnet_mkbridge)
+   bridge_b=$(vnet_mkbridge)
+
+   vnet_mkjail a ${bridge_a} ${epair_one}a ${epair_two}a
+   vnet_mkjail b ${bridge_b} ${epair_one}b ${epair_two}b
+
+   jexec a ifconfig ${epair_one}a up
+   jexec a ifconfig ${epair_two}a up
+   vlan_a_one=$(jexec a ifconfig vlan create vlandev ${epair_one}a vlan 42)
+   vlan_a_two=$(jexec a ifconfig vlan create vlandev ${epair_two}a vlan 42)
+   jexec a ifconfig ${vlan_a_one} up
+   jexec a ifconfig ${vlan_a_two} up
+   jexec a ifconfig ${bridge_a} addm ${vlan_a_one}
+   jexec a ifconfig ${bridge_a} addm ${vlan_a_two}
+
+   jexec b ifconfig ${epair_one}b up
+   jexec b ifconfig ${epair_two}b up
+   vlan_b_one=$(jexec b ifconfig vlan create vlandev ${epair_one}b vlan 42)
+   vlan_b_two=$(jexec b ifconfig vlan create vlandev ${epair_two}b vlan 42)
+   jexec b ifconfig ${vlan_b_one} up
+   jexec b ifconfig ${vlan_b_two} up
+   jexec b ifconfig ${bridge_b} addm ${vlan_b_one}
+   jexec b ifconfig ${bridge_b} addm ${vlan_b_two}
+
+   jexec a ifconfig ${bridge_a} 192.0.2.1/24
+
+   # Enable spanning tree
+   jexec a ifconfig ${bridge_a} stp ${vlan_a_one}
+   jexec a ifconfig ${bridge_a} stp ${vlan_a_two}
+   jexec b ifconfig ${bridge_b} stp ${vlan_b_one}
+   jexec b ifconfig ${bridge_b} stp ${vlan_b_two}
+
+   jexec b ifconfig ${bridge_b} up
+   jexec a ifconfig ${bridge_a} up
+
+   # Give STP time to do its thing
+   sleep 5
+
+   a_discard=$(jexec a ifconfig ${bridge_a} | grep discarding)
+   b_discard=$(jexec b ifconfig ${bridge_b} | grep discarding)
+
+   if [ -z "${a_discard}" ] && [ -z "${b_discard}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
+}
+
+stp_vlan_cleanup()
+{
+   vnet_cleanup
+}
+
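Review bot: stp_vlan_body repeats the whole convergence check of stp_body (the `sleep 5`, the two `grep discarding` captures and the `atf_fail`), differing only in the member interfaces; a shared helper taking the two bridge names would keep the two tests from drifting when the check is extended. The fixed `sleep 5` is also a timing assumption rather than a poll for the port state, so slow hosts may see spurious failures; polling `grep discarding` for up to a bounded number of seconds would make it more robust.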
 atf_test_case "static" "cleanup"
 static_head()
 {
@@ -329,6 +394,7 @@ atf_init_test_cases()
 {
atf_add_test_case "bridge_transmit_ipv4_unicast"
atf_add_test_case "stp"
+   atf_add_test_case "stp_vlan"
atf_add_test_case "static"
atf_add_test_case "span"
atf_add_test_case "inherit_mac"


git: e7705585fed8 - stable/12 - bridgestp: Ensure we send STP on VLAN interfaces

2021-03-04 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e7705585fed8ef9612388729a4e3247ceed3f038

commit e7705585fed8ef9612388729a4e3247ceed3f038
Author: Kristof Provost 
AuthorDate: 2021-02-24 15:38:53 +
Commit: Kristof Provost 
CommitDate: 2021-03-04 09:30:26 +

bridgestp: Ensure we send STP on VLAN interfaces

Reviewed by:donner@
MFC after:  1 week
X-MFC-with: 711ed156b94562c3dcb2ee9c1b3f240f960a75d2
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28916

(cherry picked from commit f5537cd0693c85efdb2180a0a107c51eae15ba39)
---
 sys/net/bridgestp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index d0259c37bf84..4be8e2f20819 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -2046,7 +2046,7 @@ bstp_reinit(struct bstp_state *bs)
 */
IFNET_RLOCK_NOSLEEP();
CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) {
-   if (ifp->if_type != IFT_ETHER)
+   if (ifp->if_type != IFT_ETHER && ifp->if_type != IFT_L2VLAN)
continue;   /* Not Ethernet */
 
if (ifp->if_bridge != bridgeptr)
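Review bot: The trailing comment `/* Not Ethernet */` on the `continue` is now inaccurate, since IFT_L2VLAN interfaces are let through; update it to `/* Not Ethernet or 802.1Q VLAN */`. The same applies to the stable/13 copy of this change further down the page. bstp_reinit's body continues outside the hunk.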


git: eb4221b9fb91 - stable/12 - bridge tests: Test that we also forward on some interfaces

2021-03-04 Thread Kristof Provost
The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=eb4221b9fb91980ea43dcf55e6610c6d044954e7

commit eb4221b9fb91980ea43dcf55e6610c6d044954e7
Author: Kristof Provost 
AuthorDate: 2021-02-24 15:40:37 +
Commit: Kristof Provost 
CommitDate: 2021-03-04 09:30:26 +

bridge tests: Test that we also forward on some interfaces

Ensure that we not only block on some interfaces, but also forward on
some. Without the previous commit we wound up discarding on all ports,
rather than only on the ports needed to break the loop.

MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28917

(cherry picked from commit 7a4dbffa4205fc274b4884a6332d4831c5791320)
---
 tests/sys/net/if_bridge_test.sh | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index bc9add68ce25..1f10fe325a2c 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -117,6 +117,15 @@ stp_body()
then
atf_fail "STP failed to detect bridging loop"
fi
+
+   # We must also have at least some forwarding interfaces
+   a_forwarding=$(jexec a ifconfig ${bridge_a} | grep forwarding)
+   b_forwarding=$(jexec b ifconfig ${bridge_b} | grep forwarding)
+
+   if [ -z "${a_forwarding}" ] && [ -z "${b_forwarding}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
 }
 
 stp_cleanup()
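Review bot: The new forwarding check reuses the failure message `STP failed to detect bridging loop`, which describes the opposite condition; when this branch fires STP did detect the loop but blocked every port. Suggest `atf_fail "STP blocked all ports instead of only those needed to break the loop"` here, in the identical block added to stp_vlan_body in the next hunk, and in the stable/13 copy of this commit below.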
@@ -182,6 +191,15 @@ stp_vlan_body()
then
atf_fail "STP failed to detect bridging loop"
fi
+
+   # We must also have at least some forwarding interfaces
+   a_forwarding=$(jexec a ifconfig ${bridge_a} | grep forwarding)
+   b_forwarding=$(jexec b ifconfig ${bridge_b} | grep forwarding)
+
+   if [ -z "${a_forwarding}" ] && [ -z "${b_forwarding}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
 }
 
 stp_vlan_cleanup()


git: 9c744d299243 - stable/13 - bridge tests: Test that we also forward on some interfaces

2021-03-04 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9c744d29924323fafa4326d499971edfff55a89c

commit 9c744d29924323fafa4326d499971edfff55a89c
Author: Kristof Provost 
AuthorDate: 2021-02-24 15:40:37 +
Commit: Kristof Provost 
CommitDate: 2021-03-04 09:30:14 +

bridge tests: Test that we also forward on some interfaces

Ensure that we not only block on some interfaces, but also forward on
some. Without the previous commit we wound up discarding on all ports,
rather than only on the ports needed to break the loop.

MFC after:  1 week
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28917

(cherry picked from commit 7a4dbffa4205fc274b4884a6332d4831c5791320)
---
 tests/sys/net/if_bridge_test.sh | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/tests/sys/net/if_bridge_test.sh b/tests/sys/net/if_bridge_test.sh
index bc9add68ce25..1f10fe325a2c 100755
--- a/tests/sys/net/if_bridge_test.sh
+++ b/tests/sys/net/if_bridge_test.sh
@@ -117,6 +117,15 @@ stp_body()
then
atf_fail "STP failed to detect bridging loop"
fi
+
+   # We must also have at least some forwarding interfaces
+   a_forwarding=$(jexec a ifconfig ${bridge_a} | grep forwarding)
+   b_forwarding=$(jexec b ifconfig ${bridge_b} | grep forwarding)
+
+   if [ -z "${a_forwarding}" ] && [ -z "${b_forwarding}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
 }
 
 stp_cleanup()
@@ -182,6 +191,15 @@ stp_vlan_body()
then
atf_fail "STP failed to detect bridging loop"
fi
+
+   # We must also have at least some forwarding interfaces
+   a_forwarding=$(jexec a ifconfig ${bridge_a} | grep forwarding)
+   b_forwarding=$(jexec b ifconfig ${bridge_b} | grep forwarding)
+
+   if [ -z "${a_forwarding}" ] && [ -z "${b_forwarding}" ]
+   then
+   atf_fail "STP failed to detect bridging loop"
+   fi
 }
 
 stp_vlan_cleanup()


git: 772b39d6309b - stable/13 - bridgestp: Ensure we send STP on VLAN interfaces

2021-03-04 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=772b39d6309b1d62934870869e65f5334f6af79c

commit 772b39d6309b1d62934870869e65f5334f6af79c
Author: Kristof Provost 
AuthorDate: 2021-02-24 15:38:53 +
Commit: Kristof Provost 
CommitDate: 2021-03-04 09:30:13 +

bridgestp: Ensure we send STP on VLAN interfaces

Reviewed by:donner@
MFC after:  1 week
X-MFC-with: 711ed156b94562c3dcb2ee9c1b3f240f960a75d2
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D28916

(cherry picked from commit f5537cd0693c85efdb2180a0a107c51eae15ba39)
---
 sys/net/bridgestp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index 82524440c241..9e3a3e14ecda 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -2052,7 +2052,7 @@ bstp_reinit(struct bstp_state *bs)
 */
NET_EPOCH_ENTER(et);
CK_STAILQ_FOREACH(ifp, &V_ifnet, if_link) {
-   if (ifp->if_type != IFT_ETHER)
+   if (ifp->if_type != IFT_ETHER && ifp->if_type != IFT_L2VLAN)
continue;   /* Not Ethernet */
 
if (ifp->if_bridge != bridgeptr)


git: f19323847ca8 - main - pf: Retrieve DSCP value from the IPv6 header

2021-03-04 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=f19323847ca894af8a58839f6a2a41691a8e2245

commit f19323847ca894af8a58839f6a2a41691a8e2245
Author: Kristof Provost 
AuthorDate: 2021-03-03 20:33:42 +
Commit: Kristof Provost 
CommitDate: 2021-03-04 19:56:48 +

pf: Retrieve DSCP value from the IPv6 header

Teach pf to read the DSCP value from the IPv6 header so that we can
match on them.

Reviewed by:donner
MFC after:  2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29048
---
 sys/netpfil/pf/pf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 86354e69d11f..f71f89187b58 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6384,7 +6384,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
pd.sidx = (dir == PF_IN) ? 0 : 1;
pd.didx = (dir == PF_IN) ? 1 : 0;
pd.af = AF_INET6;
-   pd.tos = 0;
+   pd.tos = (ntohl(h->ip6_flow) >> 20) & 0xfc;
pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
 
off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
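Review bot: `pd.tos` now holds the DSCP bits with ECN masked off (`& 0xfc`), and the shift/mask carries no explanation; a one-line comment such as `/* DSCP only: traffic class is bits 27..20 of ip6_flow, ECN bits masked */` would document the encoding. If the IPv4 path (outside this hunk) stores the whole TOS byte in pd.tos, rules that match on the low two bits behave differently per address family, so it is worth confirming both sides agree on whether ECN is part of the match. pf_test6's body continues outside the hunk.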


git: bb4a7d94b99f - main - net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros

2021-03-04 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=bb4a7d94b99fbf7f59c8768ded5f6a5b5c3e

commit bb4a7d94b99fbf7f59c8768ded5f6a5b5c3e
Author: Kristof Provost 
AuthorDate: 2021-03-04 10:26:40 +
Commit: Kristof Provost 
CommitDate: 2021-03-04 19:56:48 +

net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros

Introduce convenience macros to retrieve the DSCP, ECN or traffic class
bits from an IPv6 header.

Use them where appropriate.

Reviewed by:ae (previous version), rscheff, tuexen, rgrimes
MFC after:  2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29056
---
 sys/net/altq/altq_subr.c | 2 +-
 sys/net/if_stf.c | 4 ++--
 sys/netinet/ip6.h| 4 
 sys/netinet/tcp_input.c  | 2 +-
 sys/netinet/tcp_lro.c| 2 +-
 sys/netinet/tcp_stacks/rack_bbr_common.c | 2 +-
 sys/netinet6/frag6.c | 5 ++---
 sys/netinet6/in6_gif.c   | 2 +-
 sys/netinet6/ip6_output.c| 4 ++--
 sys/netinet6/sctp6_usrreq.c  | 2 +-
 sys/netpfil/pf/pf.c  | 2 +-
 11 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/sys/net/altq/altq_subr.c b/sys/net/altq/altq_subr.c
index 14d9916011da..39f91c4daf63 100644
--- a/sys/net/altq/altq_subr.c
+++ b/sys/net/altq/altq_subr.c
@@ -1087,7 +1087,7 @@ altq_extractflow(m, af, flow, filt_bmask)
fin6->fi6_family = AF_INET6;
 
fin6->fi6_proto = ip6->ip6_nxt;
-   fin6->fi6_tclass   = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
+   fin6->fi6_tclass   = IPV6_TRAFFIC_CLASS(ip6);
 
fin6->fi6_flowlabel = ip6->ip6_flow & htonl(0x000f);
fin6->fi6_src = ip6->ip6_src;
diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c
index c3f26db3f6e6..40f8a6f3a30a 100644
--- a/sys/net/if_stf.c
+++ b/sys/net/if_stf.c
@@ -455,7 +455,7 @@ stf_output(struct ifnet *ifp, struct mbuf *m, const struct 
sockaddr *dst,
}
}
ip6 = mtod(m, struct ip6_hdr *);
-   tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
+   tos = IPV6_TRAFFIC_CLASS(ip6);
 
/*
 * Pickup the right outer dst addr from the list of candidates.
@@ -665,7 +665,7 @@ in_stf_input(struct mbuf *m, int off, int proto, void *arg)
return (IPPROTO_DONE);
}
 
-   itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
+   itos = IPV6_TRAFFIC_CLASS(ip6);
if ((ifp->if_flags & IFF_LINK1) != 0)
ip_ecn_egress(ECN_ALLOWED, &otos, &itos);
else
diff --git a/sys/netinet/ip6.h b/sys/netinet/ip6.h
index 44c46fd3b71d..1bc79a98e689 100644
--- a/sys/netinet/ip6.h
+++ b/sys/netinet/ip6.h
@@ -106,6 +106,10 @@ struct ip6_hdr {
 #endif
 #define IPV6_FLOWLABEL_LEN 20
 
+#defineIPV6_TRAFFIC_CLASS(ip6) ((ntohl((ip6)->ip6_flow) >> 20) & 0xff)
+#defineIPV6_DSCP(ip6)  ((ntohl((ip6)->ip6_flow) >> 20) & 0xfc)
+#defineIPV6_ECN(ip6)   ((ntohl((ip6)->ip6_flow) >> 20) & 0x03)
+
 /*
  * Extension Headers
  */
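Review bot: The three macros are well-formed (argument evaluated once, fully parenthesized) but undocumented; the values they return are the in-place bits of the traffic-class byte, so IPV6_DSCP() yields 0x00..0xfc in steps of 4 rather than the 0..63 codepoint, which is easy to misuse. Suggest a comment above them: `/* Traffic class, DSCP and ECN bits of ip6_flow as they appear in the TC byte; DSCP is not shifted down to its 6-bit codepoint. */`.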
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index eda41d36ab88..89e70df48774 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -688,7 +688,7 @@ tcp_input(struct mbuf **mp, int *offp, int proto)
/* XXX stat */
goto drop;
}
-   iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
+   iptos = IPV6_TRAFFIC_CLASS(ip6);
}
 #endif
 #if defined(INET) && defined(INET6)
diff --git a/sys/netinet/tcp_lro.c b/sys/netinet/tcp_lro.c
index b4d64b8a6893..62f6ad57c0f5 100644
--- a/sys/netinet/tcp_lro.c
+++ b/sys/netinet/tcp_lro.c
@@ -1546,7 +1546,7 @@ tcp_lro_rx2(struct lro_ctrl *lc, struct mbuf *m, uint32_t 
csum, int use_hash)
return (error);
tcp_data_len = ntohs(ip6->ip6_plen);
 #ifdef TCPHPTS
-   iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
+   iptos = IPV6_TRAFFIC_CLASS(ip6);
 #endif
ip_len = sizeof(*ip6) + tcp_data_len;
break;
diff --git a/sys/netinet/tcp_stacks/rack_bbr_common.c 
b/sys/netinet/tcp_stacks/rack_bbr_common.c
index e73a3e60fd64..b86a5d85fc76 100644
--- a/sys/netinet/tcp_stacks/rack_bbr_common.c
+++ b/sys/netinet/tcp_stacks/rack_bbr_common.c
@@ -334,7 +334,7 @@ skip_vnet:
m_freem(m);
goto skipped_pkt;
}
-   iptos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
+   iptos = IPV6_TRAFFIC_CLASS(ip

git: 448732b8e2d9 - main - altq: Increase maximum number of CBQ and HFSC classes

2021-03-04 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=448732b8e2d9bf4e2656a2e5a9e88cc58b88d4f4

commit 448732b8e2d9bf4e2656a2e5a9e88cc58b88d4f4
Author: Kristof Provost 
AuthorDate: 2021-03-03 10:06:49 +
Commit: Kristof Provost 
CommitDate: 2021-03-04 19:58:22 +

altq: Increase maximum number of CBQ and HFSC classes

In some configurations we need more classes than ALTQ supports by
default.  Increase the maximum number of classes we allow.
This will only cost us a comparatively trivial amount of memory, so
there's little reason not to do so.

If ever we find we want even more we may want to consider turning these
defines into a tunable, but for now do the easy thing.

Reviewed by:donner@
MFC after:  2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29034
---
 sys/net/altq/altq_cbq.h  | 2 +-
 sys/net/altq/altq_hfsc.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/net/altq/altq_cbq.h b/sys/net/altq/altq_cbq.h
index a319edb72e97..70c07c11d86d 100644
--- a/sys/net/altq/altq_cbq.h
+++ b/sys/net/altq/altq_cbq.h
@@ -119,7 +119,7 @@ typedef struct _cbq_class_stats_ {
 #defineCBQ_TIMEOUT 10
 #defineCBQ_LS_TIMEOUT  (20 * hz / 1000)
 
-#defineCBQ_MAX_CLASSES 256
+#defineCBQ_MAX_CLASSES 2048
 
 /*
  * Define State structures.
diff --git a/sys/net/altq/altq_hfsc.h b/sys/net/altq/altq_hfsc.h
index 9a4f14ae8fdc..6a3f2205c972 100644
--- a/sys/net/altq/altq_hfsc.h
+++ b/sys/net/altq/altq_hfsc.h
@@ -60,7 +60,7 @@ struct service_curve_v1 {
 
 /* special class handles */
 #defineHFSC_NULLCLASS_HANDLE   0
-#defineHFSC_MAX_CLASSES64
+#defineHFSC_MAX_CLASSES2048
 
 /* hfsc class flags */
 #defineHFCF_RED0x0001  /* use RED */


git: 29698ed90473 - main - pf: Mark struct pf_pdesc as kernel only

2021-03-05 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=29698ed904737ebfd139a21e39e5421cf81badd8

commit 29698ed904737ebfd139a21e39e5421cf81badd8
Author: Kristof Provost 
AuthorDate: 2021-03-03 09:28:14 +
Commit: Kristof Provost 
CommitDate: 2021-03-05 08:21:06 +

pf: Mark struct pf_pdesc as kernel only

This structure is only used by the kernel module internally. It's not
shared with user space, so hide it behind #ifdef _KERNEL.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/pfvar.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 9c8c642a6ace..3f2075b8f0e2 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -893,6 +893,7 @@ struct pfi_kkif {
 #definePFI_IFLAG_REFS  0x0001  /* has state references */
 #define PFI_IFLAG_SKIP 0x0100  /* skip filtering on interface */
 
+#ifdef _KERNEL
 struct pf_pdesc {
struct {
int  done;
@@ -932,6 +933,7 @@ struct pf_pdesc {
u_int8_t sidx;  /* key index for source */
u_int8_t didx;  /* key index for destination */
 };
+#endif
 
 /* flags for RDR options */
 #define PF_DPORT_RANGE 0x01/* Dest port uses range */


Re: git: a079e38b08f2 - main - ossl: Add Poly1305 digest support.

2021-03-05 Thread Kristof Provost

On 4 Mar 2021, at 0:21, John Baldwin wrote:

The branch main has been updated by jhb:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=a079e38b08f2f07c50ba915dae66d099559abdcc


commit a079e38b08f2f07c50ba915dae66d099559abdcc
Author: John Baldwin 
AuthorDate: 2021-03-03 23:17:29 +
Commit: John Baldwin 
CommitDate: 2021-03-03 23:20:57 +

ossl: Add Poly1305 digest support.

Reviewed by:cem
Sponsored by:   Netflix
Differential Revision:  https://reviews.freebsd.org/D28754


It looks like this broke the LINT builds:

linking kernel
ld: error: duplicate symbol: Poly1305_Final
>>> defined at ossl_poly1305.c
>>>ossl_poly1305.o:(Poly1305_Final)
>>> defined at xform_poly1305.c
>>>xform_poly1305.o:(.text+0xA0)
ld: error: duplicate symbol: Poly1305_Init
>>> defined at ossl_poly1305.c
>>>ossl_poly1305.o:(Poly1305_Init)
>>> defined at xform_poly1305.c
>>>xform_poly1305.o:(.text+0x0)
ld: error: duplicate symbol: Poly1305_Update
>>> defined at ossl_poly1305.c
>>>ossl_poly1305.o:(Poly1305_Update)
>>> defined at xform_poly1305.c
>>>xform_poly1305.o:(.text+0x60)
ld: warning: common OPENSSL_ia32cap_P is overridden
ld: warning: common OPENSSL_ia32cap_P is overridden
ld: warning: common OPENSSL_ia32cap_P is overridden
ld: warning: common OPENSSL_ia32cap_P is overridden
ld: warning: common OPENSSL_ia32cap_P is overridden
*** [kernel] Error code 1

(See also 
https://ci.freebsd.org/job/FreeBSD-main-aarch64-LINT/6074/console )


Best regards
Kristof


Re: git: c4ba4aa54718 - main - libifconfig: Overhaul ifconfig_media_* interfaces

2021-03-06 Thread Kristof Provost

On 5 Mar 2021, at 20:44, Mark Johnston wrote:

On Fri, Mar 05, 2021 at 02:40:29PM -0500, Ryan Moeller wrote:


On 3/5/21 1:19 PM, Konstantin Belousov wrote:

On Fri, Mar 05, 2021 at 11:23:56AM +, Ryan Moeller wrote:

The branch main has been updated by freqlabs:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c4ba4aa547184ab401204096cdad9def4ab37964


commit c4ba4aa547184ab401204096cdad9def4ab37964
Author: Ryan Moeller 
AuthorDate: 2021-03-02 10:29:17 +
Commit: Ryan Moeller 
CommitDate: 2021-03-05 09:15:55 +

 libifconfig: Overhaul ifconfig_media_* interfaces

 Define an ifmedia_t type to use for ifmedia words.

 Add ifconfig_media_lookup_* functions to lookup ifmedia words 
by name.


 Get media options as an array of option names rather than 
formatting it

 as a comma-delimited list into a buffer.

 Sprinkle const on the static description tables for peace of
 mind.

 Don't need to zero memory allocated by calloc.

 Reviewed by:kp
 MFC after:  2 weeks
 Differential Revision:  https://reviews.freebsd.org/D29029
---
  lib/libifconfig/Makefile|   2 +-
  lib/libifconfig/Symbol.map  |   9 +-
  lib/libifconfig/libifconfig.h   |  69 +++-
  lib/libifconfig/libifconfig_media.c | 339 


  share/examples/libifconfig/status.c |  27 ++-
  5 files changed, 324 insertions(+), 122 deletions(-)

diff --git a/lib/libifconfig/Makefile b/lib/libifconfig/Makefile
index 73dad36c1dc5..c6f006018427 100644
--- a/lib/libifconfig/Makefile
+++ b/lib/libifconfig/Makefile
@@ -7,7 +7,7 @@ INTERNALLIB=true
  LIBADD=   m

  SHLIBDIR?=/lib
-SHLIB_MAJOR=   1
+SHLIB_MAJOR=   2

  VERSION_DEF=  ${LIBCSRCDIR}/Versions.def
  SYMBOL_MAPS=  ${.CURDIR}/Symbol.map
libifconfig is marked as internal, but we provide symbol versioning 
for it,
and do it in the normal FreeBSD namespace.  On one hand, our policy 
is to
not bump symvered libs and to provide binary compat shims as needed, 
on the

other, this is internal lib.

What is the purpose of maintaining symbol versions for it?



I have work in progress that changes libifconfig to a private lib. 
I'm

not sure why markj@ added the symbol map, but I've been forced to
maintain it for my later changes to work.


I added it because there was some discussion of making it a public
library, and adding a symbol map was a step towards that.  If it is 
only
going to be a private library, then there's indeed no reason to 
maintain

it.


Historically it’s been the aspiration (passive voice, because while 
these have been my hopes I’ve not done any of the work) to make this a 
public library, so e.g. appliance vendors could have a better way to 
configure the system than doing `system(“ifconfig em0 
10.0.0.1/24”);`.
Libifconfig is making progress thanks to Ryan’s work, but it’s not 
yet ready for that sort of use.


Given that, it makes sense to keep it as an internal library for now, 
and breaking the API is fine. I still hope that we’ll get it to the 
point where it’ll be ready for public consumption (with stable API).


So I think the symbol map is mostly aspirational right now. If it’s a 
maintenance burden I guess we can remove it, and re-add it when the time 
comes.


Best regards,
Kristof


git: b4e3f3c2de6e - main - pfctl: Add missing 'va' code point name

2021-03-06 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b4e3f3c2de6e6dc614f99615e50d0d87f3367ca0

commit b4e3f3c2de6e6dc614f99615e50d0d87f3367ca0
Author: Kristof Provost 
AuthorDate: 2021-03-04 12:50:28 +
Commit: Kristof Provost 
CommitDate: 2021-03-06 09:07:55 +

pfctl: Add missing 'va' code point name

Add the 'va' (voice-admit, RFC5865) symbolic name.

Reviewed by:rgrimes, gbe (man page)
MFC after:  2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29069
---
 sbin/pfctl/parse.y   | 3 ++-
 share/man/man5/pf.conf.5 | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 1182dde3b079..9db85538feaf 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -6342,7 +6342,8 @@ map_tos(char *s, int *val)
{ "lowdelay",   IPTOS_LOWDELAY },
{ "netcontrol", IPTOS_PREC_NETCONTROL },
{ "reliability",IPTOS_RELIABILITY },
-   { "throughput", IPTOS_THROUGHPUT }
+   { "throughput", IPTOS_THROUGHPUT },
+   { "va", IPTOS_DSCP_VA }
};
const struct keywords   *p;
 
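Review bot: The `toswords` table has no terminating sentinel and is walked through `p`, which in pfctl's parse.y normally means a `bsearch()` keyed on the keyword name, so the entries must stay in `strcmp()` order; "va" after "throughput" is correctly placed, but a future entry dropped in at the end would simply never match, with no error. Suggest a comment on the table: `/* keep sorted: looked up with bsearch() */`. `map_tos()` starts and ends outside this hunk, so I cannot confirm the lookup from the visible lines.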
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8846199deccb..d31d20e29bea 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -681,6 +681,7 @@ given as one of
 .Ar reliability ,
 or one of the DiffServ Code Points:
 .Ar ef ,
+.Ar va ,
 .Ar af11 No ... Ar af43 ,
 .Ar cs0 No ... Ar cs7 ;
 or as either hex or decimal.
@@ -1737,6 +1738,7 @@ given as one of
 .Ar reliability ,
 or one of the DiffServ Code Points:
 .Ar ef ,
+.Ar va ,
 .Ar af11 No ... Ar af43 ,
 .Ar cs0 No ... Ar cs7 ;
 or as either hex or decimal.


git: 9d3b2bcf7610 - main - pf tests: Test tos/dscp matching

2021-03-06 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9d3b2bcf761041bbe79da3de25f2e4142d90b46a

commit 9d3b2bcf761041bbe79da3de25f2e4142d90b46a
Author: Kristof Provost 
AuthorDate: 2021-03-03 20:15:39 +
Commit: Kristof Provost 
CommitDate: 2021-03-06 09:08:44 +

pf tests: Test tos/dscp matching

MFC after:  2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29078
---
 tests/sys/netpfil/pf/Makefile |  3 +-
 tests/sys/netpfil/pf/tos.sh   | 95 +++
 2 files changed, 97 insertions(+), 1 deletion(-)

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index f00f64d849d2..132b681226dc 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -22,7 +22,8 @@ ATF_TESTS_SH+=altq \
set_tos \
src_track \
synproxy \
-   table
+   table \
+   tos
 
 ${PACKAGE}FILES+=  CVE-2019-5597.py \
CVE-2019-5598.py \
diff --git a/tests/sys/netpfil/pf/tos.sh b/tests/sys/netpfil/pf/tos.sh
new file mode 100644
index ..4e2832ba3317
--- /dev/null
+++ b/tests/sys/netpfil/pf/tos.sh
@@ -0,0 +1,95 @@
+# $FreeBSD$
+#
+# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+#
+# Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#notice, this list of conditions and the following disclaimer in the
+#documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+   atf_set descr 'tos matching test'
+   atf_set require.user root
+}
+
+v4_body()
+{
+   pft_init
+
+   epair=$(vnet_mkepair)
+   ifconfig ${epair}a 192.0.2.1/24 up
+
+   vnet_mkjail alcatraz ${epair}b
+   jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up
+   jexec alcatraz pfctl -e
+
+   pft_set_rules alcatraz "pass" \
+   "block in tos va"
+
+   atf_check -s exit:0 -o ignore ping -t 1 -c 1 192.0.2.2
+   atf_check -s exit:2 -o ignore ping -t 1 -c 1 -z 0xb0 192.0.2.2
+}
+
+v4_cleanup()
+{
+   pft_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+   atf_set descr 'IPv6 tos matching test'
+   atf_set require.user root
+}
+
+v6_body()
+{
+   pft_init
+
+   epair=$(vnet_mkepair)
+   ifconfig ${epair}a inet6 2001:db8:42::1/64 up no_dad -ifdisabled
+
+   vnet_mkjail alcatraz ${epair}b
+   jexec alcatraz ifconfig ${epair}b inet6 2001:db8:42::2/64 \
+   up no_dad -ifdisabled
+   jexec alcatraz pfctl -e
+
+   pft_set_rules alcatraz "pass" \
+   "block in tos va"
+
+   atf_check -s exit:0 -o ignore ping6 -t 1 -c 1 2001:db8:42::2
+   atf_check -s exit:2 -o ignore ping6 -t 1 -c 1 -z 176 2001:db8:42::2
+}
+
+v6_cleanup()
+{
+   pft_cleanup
+}
+
+atf_init_test_cases()
+{
+   atf_add_test_case "v4"
+   atf_add_test_case "v6"
+}
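Review bot: The negative case only shows that a ping carrying 0xb0 is dropped, not that the rule keys on the VA code point: a rule blocking any non-zero TOS would pass both assertions as written. If pf's `tos` match is an exact comparison of the whole byte, as I believe it is, a near-miss probe with the adjacent code point EF separates the two, so add `atf_check -s exit:0 -o ignore ping -t 1 -c 1 -z 0xb8 192.0.2.2` to v4_body and `atf_check -s exit:0 -o ignore ping6 -t 1 -c 1 -z 184 2001:db8:42::2` to v6_body. The same value is spelled `0xb0` in v4 and `176` in v6; one notation for both would make the tests easier to compare.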


git: 5e9dae8e149a - main - pf: Factor out pf_krule_free()

2021-03-11 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=5e9dae8e149ae8848f52148b665f3a0d031ca40f

commit 5e9dae8e149ae8848f52148b665f3a0d031ca40f
Author: Kristof Provost 
AuthorDate: 2021-03-10 10:10:04 +
Commit: Kristof Provost 
CommitDate: 2021-03-11 09:39:43 +

pf: Factor out pf_krule_free()

Reviewed by:melifaro@
MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29194
---
 sys/net/pfvar.h   |  2 ++
 sys/netpfil/pf/pf_ioctl.c | 50 ---
 2 files changed, 23 insertions(+), 29 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 3f2075b8f0e2..31be6b7a833d 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1641,6 +1641,8 @@ void   
pf_remove_if_empty_kruleset(struct pf_kruleset *);
 struct pf_kruleset *pf_find_kruleset(const char *);
 struct pf_kruleset *pf_find_or_create_kruleset(const char *);
 voidpf_rs_initialize(void);
+
+voidpf_krule_free(struct pf_krule *);
 #endif
 
 /* The fingerprint functions can be linked into userland programs (tcpdump) */
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index c32a961f5a0b..5f9eb771d0e0 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -466,15 +466,8 @@ pf_free_rule(struct pf_krule *rule)
pfi_kkif_unref(rule->kif);
pf_kanchor_remove(rule);
pf_empty_kpool(&rule->rpool.list);
-   counter_u64_free(rule->evaluations);
-   for (int i = 0; i < 2; i++) {
-   counter_u64_free(rule->packets[i]);
-   counter_u64_free(rule->bytes[i]);
-   }
-   counter_u64_free(rule->states_cur);
-   counter_u64_free(rule->states_tot);
-   counter_u64_free(rule->src_nodes);
-   free(rule, M_PFRULE);
+
+   pf_krule_free(rule);
 }
 
 static void
@@ -1435,6 +1428,23 @@ pf_altq_get_nth_active(u_int32_t n)
 }
 #endif /* ALTQ */
 
+void
+pf_krule_free(struct pf_krule *rule)
+{
+   if (rule == NULL)
+   return;
+
+   counter_u64_free(rule->evaluations);
+   for (int i = 0; i < 2; i++) {
+   counter_u64_free(rule->packets[i]);
+   counter_u64_free(rule->bytes[i]);
+   }
+   counter_u64_free(rule->states_cur);
+   counter_u64_free(rule->states_tot);
+   counter_u64_free(rule->src_nodes);
+   free(rule, M_PFRULE);
+}
+
 static void
 pf_kpooladdr_to_pooladdr(const struct pf_kpooladdr *kpool,
 struct pf_pooladdr *pool)
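Review bot: `pf_krule_free()` releases only the counters and the rule allocation, which is right for the ioctl error paths where the rule was never linked, but the exported declaration gives a reader no way to tell it apart from `pf_free_rule()`, which first drops the kif reference, removes the anchor and empties the pool before calling it. A comment above the definition would pin that contract: `/* Release a rule's counters and storage only; the rule must already be unlinked (kif, anchor, pool) -- see pf_free_rule(). NULL is accepted. */`.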
@@ -1990,15 +2000,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int 
flags, struct thread *td
 #undef ERROUT
 DIOCADDRULE_error:
PF_RULES_WUNLOCK();
-   counter_u64_free(rule->evaluations);
-   for (int i = 0; i < 2; i++) {
-   counter_u64_free(rule->packets[i]);
-   counter_u64_free(rule->bytes[i]);
-   }
-   counter_u64_free(rule->states_cur);
-   counter_u64_free(rule->states_tot);
-   counter_u64_free(rule->src_nodes);
-   free(rule, M_PFRULE);
+   pf_krule_free(rule);
if (kif)
pf_kkif_free(kif);
break;
@@ -2297,17 +2299,7 @@ DIOCADDRULE_error:
 #undef ERROUT
 DIOCCHANGERULE_error:
PF_RULES_WUNLOCK();
-   if (newrule != NULL) {
-   counter_u64_free(newrule->evaluations);
-   for (int i = 0; i < 2; i++) {
-   counter_u64_free(newrule->packets[i]);
-   counter_u64_free(newrule->bytes[i]);
-   }
-   counter_u64_free(newrule->states_cur);
-   counter_u64_free(newrule->states_tot);
-   counter_u64_free(newrule->src_nodes);
-   free(newrule, M_PFRULE);
-   }
+   pf_krule_free(newrule);
if (kif != NULL)
pf_kkif_free(kif);
break;


git: 913e7dc3e0eb - main - pf: Remove redundant kif != NULL checks

2021-03-11 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=913e7dc3e0eb7df78ec0e7ecc7dd160a316a3ac6

commit 913e7dc3e0eb7df78ec0e7ecc7dd160a316a3ac6
Author: Kristof Provost 
AuthorDate: 2021-03-10 14:50:42 +
Commit: Kristof Provost 
CommitDate: 2021-03-11 09:39:43 +

pf: Remove redundant kif != NULL checks

pf_kkif_free() already checks for NULL, so we don't have to check before
we call it.

Reviewed by:melifaro@
MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29195
---
 sys/netpfil/pf/pf_ioctl.c | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 5f9eb771d0e0..977f0debacaa 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2001,8 +2001,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int 
flags, struct thread *td
 DIOCADDRULE_error:
PF_RULES_WUNLOCK();
pf_krule_free(rule);
-   if (kif)
-   pf_kkif_free(kif);
+   pf_kkif_free(kif);
break;
}
 
@@ -2300,8 +2299,7 @@ DIOCADDRULE_error:
 DIOCCHANGERULE_error:
PF_RULES_WUNLOCK();
pf_krule_free(newrule);
-   if (kif != NULL)
-   pf_kkif_free(kif);
+   pf_kkif_free(kif);
break;
}
 
@@ -3144,8 +3142,7 @@ DIOCCHANGEADDR_error:
free(newpa, M_PFRULE);
}
PF_RULES_WUNLOCK();
-   if (kif != NULL)
-   pf_kkif_free(kif);
+   pf_kkif_free(kif);
break;
}
 


git: b8f7267d499c - main - uma: allow uma_zfree_pcu(..., NULL)

2021-03-12 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b8f7267d499c8ef8e70b021879d3e9e087ecc32d

commit b8f7267d499c8ef8e70b021879d3e9e087ecc32d
Author: Kristof Provost 
AuthorDate: 2021-03-10 14:11:59 +
Commit: Kristof Provost 
CommitDate: 2021-03-12 11:12:35 +

uma: allow uma_zfree_pcu(..., NULL)

We already allow free(NULL) and uma_zfree(..., NULL). Make
uma_zfree_pcpu(..., NULL) work as well.
This also means that counter_u64_free(NULL) will work.

These make cleanup code simpler.

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29189
---
 sys/vm/uma_core.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/sys/vm/uma_core.c b/sys/vm/uma_core.c
index 8cbd1216678a..b1762500c147 100644
--- a/sys/vm/uma_core.c
+++ b/sys/vm/uma_core.c
@@ -3171,6 +3171,11 @@ uma_zfree_pcpu_arg(uma_zone_t zone, void *pcpu_item, 
void *udata)
 #ifdef SMP
MPASS(zone->uz_flags & UMA_ZONE_PCPU);
 #endif
+
+/* uma_zfree_pcu_*(..., NULL) does nothing, to match free(9). */
+if (pcpu_item == NULL)
+return;
+
item = zpcpu_offset_to_base(pcpu_item);
uma_zfree_arg(zone, item, udata);
 }
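Review bot: The new comment names the function `uma_zfree_pcu_*`, which does not exist; it should read `/* uma_zfree_pcpu_*(..., NULL) does nothing, to match free(9). */` so that grep finds it. Placing the NULL check after the `MPASS(zone->uz_flags & UMA_ZONE_PCPU)` is the right order, since a NULL free to a non-pcpu zone still trips the assertion under INVARIANTS.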


git: cecfaf9bede9 - main - pf: Fully remove interrupt events on vnet cleanup

2021-03-12 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=cecfaf9bede9665d6a10f1e575cd5d575450cff7

commit cecfaf9bede9665d6a10f1e575cd5d575450cff7
Author: Kristof Provost 
AuthorDate: 2021-03-10 21:56:11 +
Commit: Kristof Provost 
CommitDate: 2021-03-12 11:12:43 +

pf: Fully remove interrupt events on vnet cleanup

swi_remove() removes the software interrupt handler but does not remove
the associated interrupt event.
This is visible when creating and removing a vnet jail, in `procstat -t
12`.

We can remove it manually with intr_event_destroy().

PR: 254171
MFC after:  1 week
Differential Revision:  https://reviews.freebsd.org/D29211
---
 sys/net/pfvar.h|  2 ++
 sys/netpfil/pf/if_pfsync.c | 10 --
 sys/netpfil/pf/pf.c|  1 +
 sys/netpfil/pf/pf_ioctl.c  |  8 ++--
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 31be6b7a833d..6102d6186cd2 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1390,6 +1390,8 @@ VNET_DECLARE(struct pf_srchash *, pf_srchash);
 
 VNET_DECLARE(void *, pf_swi_cookie);
 #define V_pf_swi_cookieVNET(pf_swi_cookie)
+VNET_DECLARE(struct intr_event *, pf_swi_ie);
+#defineV_pf_swi_ie VNET(pf_swi_ie)
 
 VNET_DECLARE(uint64_t, pf_stateid[MAXCPU]);
 #defineV_pf_stateidVNET(pf_stateid)
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 059300f6a6a7..cf2ff2ef0926 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -254,6 +254,8 @@ VNET_DEFINE_STATIC(struct pfsync_softc  *, pfsyncif) = 
NULL;
 #defineV_pfsyncif  VNET(pfsyncif)
 VNET_DEFINE_STATIC(void *, pfsync_swi_cookie) = NULL;
 #defineV_pfsync_swi_cookie VNET(pfsync_swi_cookie)
+VNET_DEFINE_STATIC(struct intr_event *, pfsync_swi_ie);
+#defineV_pfsync_swi_ie VNET(pfsync_swi_ie)
 VNET_DEFINE_STATIC(struct pfsyncstats, pfsyncstats);
 #defineV_pfsyncstats   VNET(pfsyncstats)
 VNET_DEFINE_STATIC(int, pfsync_carp_adj) = CARP_MAXSKEW;
@@ -2472,7 +2474,7 @@ vnet_pfsync_init(const void *unused __unused)
 
V_pfsync_cloner = if_clone_simple(pfsyncname,
pfsync_clone_create, pfsync_clone_destroy, 1);
-   error = swi_add(NULL, pfsyncname, pfsyncintr, V_pfsyncif,
+   error = swi_add(&V_pfsync_swi_ie, pfsyncname, pfsyncintr, V_pfsyncif,
SWI_NET, INTR_MPSAFE, &V_pfsync_swi_cookie);
if (error) {
if_clone_detach(V_pfsync_cloner);
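Review bot: Passing `&V_pfsync_swi_ie` means swi_add() now creates and stores the intr_event before it registers the handler, so, as far as I recall kern_intr.c, a failure in the handler registration returns with `V_pfsync_swi_ie` already set; the error branch visible here only detaches the cloner, and if the rest of it (outside the hunk) does not destroy the event it is leaked, while a failure in the event creation itself leaves the variable NULL for `vnet_pfsync_uninit()` to hand to intr_event_destroy(). Suggest adding to the error branch: `if (V_pfsync_swi_ie != NULL) intr_event_destroy(V_pfsync_swi_ie);` followed by `V_pfsync_swi_ie = NULL;`. `vnet_pfsync_init()` starts before and ends after this hunk.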
@@ -2487,11 +2489,15 @@ VNET_SYSINIT(vnet_pfsync_init, SI_SUB_PROTO_FIREWALL, 
SI_ORDER_ANY,
 static void
 vnet_pfsync_uninit(const void *unused __unused)
 {
+   int ret;
 
pfsync_pointers_uninit();
 
if_clone_detach(V_pfsync_cloner);
-   swi_remove(V_pfsync_swi_cookie);
+   ret = swi_remove(V_pfsync_swi_cookie);
+   MPASS(ret == 0);
+   ret = intr_event_destroy(V_pfsync_swi_ie);
+   MPASS(ret == 0);
 }
 
 VNET_SYSUNINIT(vnet_pfsync_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_FOURTH,
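Review bot: `ret` is read only by `MPASS()`, which expands to nothing in kernels built without INVARIANTS, so those builds get a set-but-unused variable warning and the swi_remove()/intr_event_destroy() results are dropped exactly as the old bare `swi_remove()` call dropped them. The kernel's `__diagused` annotation, if available on this branch, is the usual spelling: `int ret __diagused;`. If the init side can leave `V_pfsync_swi_ie` NULL after a failed swi_add(), the intr_event_destroy() here also wants a NULL guard, since it takes the event's lock unconditionally.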
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index f088f117b8e8..752e8a7eef1a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -388,6 +388,7 @@ SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, 
CTLFLAG_RWTUN,
 &pf_ioctl_maxcount, 0, "Maximum number of tables, addresses, ... in a 
single ioctl() call");
 
 VNET_DEFINE(void *, pf_swi_cookie);
+VNET_DEFINE(struct intr_event *, pf_swi_ie);
 
 VNET_DEFINE(uint32_t, pf_hashseed);
 #defineV_pf_hashseed   VNET(pf_hashseed)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 977f0debacaa..c930a67ecf80 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -331,7 +331,7 @@ pfattach_vnet(void)
for (int i = 0; i < SCNT_MAX; i++)
V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
 
-   if (swi_add(NULL, "pf send", pf_intr, curvnet, SWI_NET,
+   if (swi_add(&V_pf_swi_ie, "pf send", pf_intr, curvnet, SWI_NET,
INTR_MPSAFE, &V_pf_swi_cookie) != 0)
/* XXXGL: leaked all above. */
return;
@@ -4670,6 +4670,7 @@ pf_load(void)
 static void
 pf_unload_vnet(void)
 {
+   int ret;
 
V_pf_vnet_active = 0;
V_pf_status.running = 0;
@@ -4679,7 +4680,10 @@ pf_unload_vnet(void)
shutdown_pf();
PF_RULES_WUNLOCK();
 
-   swi_remove(V_pf_swi_cookie);
+   ret = swi_remove(V_pf_swi_cookie);
+   MPASS(ret == 0);
+   ret = intr_event_destroy(V_pf_swi_ie);
+   MPASS(ret == 0);
 
pf_unload_vnet_purge();
 
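Review bot: If pf_unload_vnet() still runs after pfattach_vnet() took its early `/* XXXGL: leaked all above. */` return on a failed swi_add(), `V_pf_swi_ie` can be NULL here; swi_remove() on a NULL cookie only returns an error, but intr_event_destroy() dereferences the event to take its lock, so what was a benign attach failure becomes a NULL dereference at vnet teardown. Guard it: `if (V_pf_swi_ie != NULL) { ret = intr_event_destroy(V_pf_swi_ie); MPASS(ret == 0); }`. As in if_pfsync.c, `ret` is only consumed by `MPASS()`, so `int ret __diagused;` (declared in the hunk above) avoids the unused-variable warning in non-INVARIANTS builds.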


git: 51dc8e7f6888 - main - Document that uma_zfree_pcpu() allows NULL now

2021-03-12 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=51dc8e7f688867e73eb7edc6bc65fdc77c9d5fff

commit 51dc8e7f688867e73eb7edc6bc65fdc77c9d5fff
Author: Kristof Provost 
AuthorDate: 2021-03-11 08:32:01 +
Commit: Kristof Provost 
CommitDate: 2021-03-12 11:12:35 +

Document that uma_zfree_pcpu() allows NULL now

While here also document that for counter_u64_free().

Reviewed by:rpokala@
MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29215
---
 share/man/man9/counter.9 |  7 +--
 share/man/man9/zone.9| 18 +-
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/share/man/man9/counter.9 b/share/man/man9/counter.9
index 1eb36b571249..04376ba9c994 100644
--- a/share/man/man9/counter.9
+++ b/share/man/man9/counter.9
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 6, 2020
+.Dd March 11, 2021
 .Dt COUNTER 9
 .Os
 .Sh NAME
@@ -98,10 +98,13 @@ or
 .Va M_WAITOK .
 If
 .Va M_NOWAIT
-is specified the operation may fail.
+is specified the operation may fail and return
+.Dv NULL .
 .It Fn counter_u64_free c
 Free the previously allocated counter
 .Fa c .
+It is safe to pass
+.Dv NULL .
 .It Fn counter_u64_add c v
 Add
 .Fa v
diff --git a/share/man/man9/zone.9 b/share/man/man9/zone.9
index 91c965ff69ce..7da40b13469b 100644
--- a/share/man/man9/zone.9
+++ b/share/man/man9/zone.9
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 20, 2020
+.Dd March 11, 2021
 .Dt UMA 9
 .Os
 .Sh NAME
@@ -385,6 +385,22 @@ specify an argument for the
 and
 .Dv dtor
 functions of the zone, respectively.
+The variants
+.Fn uma_zalloc_pcpu
+and
+.Fn uma_zfree_pcpu
+allocate and free
+.Va mp_ncpu
+shadow copies as described for
+.Dv UMA_ZONE_PCPU .
+If
+.Fa item
+is
+.Dv NULL ,
+then
+.Fn uma_zfree_pcpu
+does nothing.
+.Pp
 The
 .Fn uma_zalloc_domain
 function allows callers to specify a fixed


git: 28dc2c954f50 - main - pf: Simplify cleanup

2021-03-12 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=28dc2c954f5096ae594ed5cd7a83d66ce4bf1ded

commit 28dc2c954f5096ae594ed5cd7a83d66ce4bf1ded
Author: Kristof Provost 
AuthorDate: 2021-03-10 14:15:16 +
Commit: Kristof Provost 
CommitDate: 2021-03-12 11:12:35 +

pf: Simplify cleanup

We can now counter_u64_free(NULL), so remove the checks.

MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29190
---
 sys/netpfil/pf/if_pfsync.c |  6 ++
 sys/netpfil/pf/pf.c| 12 
 sys/netpfil/pf/pf_if.c |  6 ++
 3 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 1cdb365c98df..059300f6a6a7 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -624,10 +624,8 @@ cleanup:
 cleanup_state: /* pf_state_insert() frees the state keys. */
if (st) {
for (int i = 0; i < 2; i++) {
-   if (st->packets[i] != NULL)
-   counter_u64_free(st->packets[i]);
-   if (st->bytes[i] != NULL)
-   counter_u64_free(st->bytes[i]);
+   counter_u64_free(st->packets[i]);
+   counter_u64_free(st->bytes[i]);
}
if (st->dst.scrub)
uma_zfree(V_pf_state_scrub_z, st->dst.scrub);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c131f810b0ec..f088f117b8e8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -707,10 +707,8 @@ pf_free_src_node(struct pf_ksrc_node *sn)
 {
 
for (int i = 0; i < 2; i++) {
-   if (sn->bytes[i])
-   counter_u64_free(sn->bytes[i]);
-   if (sn->packets[i])
-   counter_u64_free(sn->packets[i]);
+   counter_u64_free(sn->bytes[i]);
+   counter_u64_free(sn->packets[i]);
}
uma_zfree(V_pf_sources_z, sn);
 }
@@ -1739,10 +1737,8 @@ pf_free_state(struct pf_state *cur)
cur->timeout));
 
for (int i = 0; i < 2; i++) {
-   if (cur->bytes[i] != NULL)
-   counter_u64_free(cur->bytes[i]);
-   if (cur->packets[i] != NULL)
-   counter_u64_free(cur->packets[i]);
+   counter_u64_free(cur->bytes[i]);
+   counter_u64_free(cur->packets[i]);
}
 
pf_normalize_tcp_cleanup(cur);
diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index e941e3a79b91..be290a1e1f2e 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -256,10 +256,8 @@ pf_kkif_free(struct pfi_kkif *kif)
for (int i = 0; i < 2; i++) {
for (int j = 0; j < 2; j++) {
for (int k = 0; k < 2; k++) {
-   if (kif->pfik_packets[i][j][k])
-   
counter_u64_free(kif->pfik_packets[i][j][k]);
-   if (kif->pfik_bytes[i][j][k])
-   
counter_u64_free(kif->pfik_bytes[i][j][k]);
+   counter_u64_free(kif->pfik_packets[i][j][k]);
+   counter_u64_free(kif->pfik_bytes[i][j][k]);
}
}
}
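Review bot: Dropping these NULL checks is only safe once `counter_u64_free(NULL)` is a no-op, which this tree gets from b8f7267d499c (uma_zfree_pcpu accepting NULL), committed alongside this change and also marked "MFC after: 1 week"; the checks being removed suggest `pf_kkif_free()` is reached with counters that were never allocated, so an MFC of this commit that lands before the uma one would dereference a NULL per-cpu pointer on stable branches. Worth recording the ordering in the message, e.g. `X-MFC-With: b8f7267d499c`. `pf_kkif_free()` starts outside this hunk.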


git: 15b82e00a164 - main - pf: pool/kpool conversion code

2021-03-16 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=15b82e00a1640d1b9a1d720c95f65e580be30187

commit 15b82e00a1640d1b9a1d720c95f65e580be30187
Author: Kristof Provost 
AuthorDate: 2021-03-11 10:37:05 +
Commit: Kristof Provost 
CommitDate: 2021-03-16 09:30:28 +

pf: pool/kpool conversion code

struct pf_pool and struct pf_kpool are different. We should not simply
bcopy() them.

Happily it turns out that their differences were all pointers, and the
userspace provided pointers were overwritten by the kernel, so this did
actually work correctly, but we should fix it anyway.

Reviewed by:glebius
MFC after:  1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D29216
---
 sys/netpfil/pf/pf_ioctl.c | 39 +--
 1 file changed, 37 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index c930a67ecf80..ce889c8d797e 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1465,6 +1465,39 @@ pf_pooladdr_to_kpooladdr(const struct pf_pooladdr *pool,
strlcpy(kpool->ifname, pool->ifname, sizeof(kpool->ifname));
 }
 
+static void
+pf_kpool_to_pool(const struct pf_kpool *kpool, struct pf_pool *pool)
+{
+   bzero(pool, sizeof(*pool));
+
+   bcopy(&kpool->key, &pool->key, sizeof(pool->key));
+   bcopy(&kpool->counter, &pool->counter, sizeof(pool->counter));
+
+   pool->tblidx = kpool->tblidx;
+   pool->proxy_port[0] = kpool->proxy_port[0];
+   pool->proxy_port[1] = kpool->proxy_port[1];
+   pool->opts = kpool->opts;
+}
+
+static int
+pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool)
+{
+   _Static_assert(sizeof(pool->key) == sizeof(kpool->key), "");
+   _Static_assert(sizeof(pool->counter) == sizeof(kpool->counter), "");
+
+   bzero(kpool, sizeof(*kpool));
+
+   bcopy(&pool->key, &kpool->key, sizeof(kpool->key));
+   bcopy(&pool->counter, &kpool->counter, sizeof(kpool->counter));
+
+   kpool->tblidx = pool->tblidx;
+   kpool->proxy_port[0] = pool->proxy_port[0];
+   kpool->proxy_port[1] = pool->proxy_port[1];
+   kpool->opts = pool->opts;
+
+   return (0);
+}
+
 static void
 pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
 {
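Review bot: The two `_Static_assert`s sit only in pf_pool_to_kpool, yet pf_kpool_to_pool copies `sizeof(pool->key)` bytes out of `kpool->key` and so relies on the same size equality without stating it; hoisting both assertions to file scope above the pair makes the shared assumption explicit. pf_pool_to_kpool cannot fail as written, so the `ret != 0` check added to pf_rule_to_krule in the last hunk is currently dead — presumably the int return is reserved for future validation of the userspace pool, and a one-line comment saying so would stop readers from hunting for the error path. A comment above the `bzero()` should also record the point of the per-field copy, e.g. `/* Only scalar fields are copied; the pointer members the two structs differ in stay zeroed, so userspace never supplies pointer values. */`.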
@@ -1491,7 +1524,7 @@ pf_krule_to_rule(const struct pf_krule *krule, struct 
pf_rule *rule)
strlcpy(rule->overload_tblname, krule->overload_tblname,
sizeof(rule->overload_tblname));
 
-   bcopy(&krule->rpool, &rule->rpool, sizeof(krule->rpool));
+   pf_kpool_to_pool(&krule->rpool, &rule->rpool);
 
rule->evaluations = counter_u64_fetch(krule->evaluations);
for (int i = 0; i < 2; i++) {
@@ -1628,7 +1661,9 @@ pf_rule_to_krule(const struct pf_rule *rule, struct 
pf_krule *krule)
strlcpy(krule->overload_tblname, rule->overload_tblname,
sizeof(rule->overload_tblname));
 
-   bcopy(&rule->rpool, &krule->rpool, sizeof(krule->rpool));
+   ret = pf_pool_to_kpool(&rule->rpool, &krule->rpool);
+   if (ret != 0)
+   return (ret);
 
/* Don't allow userspace to set evaulations, packets or bytes. */
/* kif, anchor, overload_tbl are not copied over. */


git: 9f2e5184173f - main - pfsync: Unconditionally push packets when requesting state updates

2021-03-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=9f2e5184173f6af70306678b018270df9a9600f2

commit 9f2e5184173f6af70306678b018270df9a9600f2
Author: Thomas Kurschel 
AuthorDate: 2021-03-15 13:28:52 +
Commit: Kristof Provost 
CommitDate: 2021-03-17 18:18:14 +

pfsync: Unconditionally push packets when requesting state updates

When we request a bulk sync we need to ensure we actually send out that
request, not just buffer it until we have enough data to send a full
packet.

PR: 254236
MFC after:  2 weeks
Differential Revision:  https://reviews.freebsd.org/D29271
---
 sys/netpfil/pf/if_pfsync.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index cf2ff2ef0926..06bad556e885 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -1960,7 +1960,7 @@ pfsync_request_update(u_int32_t creatorid, u_int64_t id)
nlen += sizeof(struct pfsync_subheader);
 
if (b->b_len + nlen > sc->sc_ifp->if_mtu) {
-   pfsync_sendout(1, 0);
+   pfsync_sendout(0, 0);
 
nlen = sizeof(struct pfsync_subheader) +
sizeof(struct pfsync_upd_req);
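Review bot: Neither the changed first argument to `pfsync_sendout(0, 0)` here nor the unconditional `pfsync_push(b)` added in the next hunk says why a bulk-update request must leave immediately; the rationale exists only in the commit message and PR 254236, which invites a later "spurious flush" cleanup. A comment at the push, `/* Force the request out now; a buffered upd_req would otherwise wait for a full packet. */`, would anchor it in the code. Whether the 1-to-0 change of the first argument is required by the explicit push or is an independent fix is not visible in the hunk and deserves a sentence in the same comment. pfsync_request_update's body begins outside the hunk.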
@@ -1968,6 +1968,8 @@ pfsync_request_update(u_int32_t creatorid, u_int64_t id)
 
TAILQ_INSERT_TAIL(&b->b_upd_req_list, item, ur_entry);
b->b_len += nlen;
+
+   pfsync_push(b);
 }
 
 static bool


git: 8ad7d25dfc80 - main - pf tests: pfsync bulk update test

2021-03-17 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=8ad7d25dfc808ca00300f7553a9b28dfc0e99c18

commit 8ad7d25dfc808ca00300f7553a9b28dfc0e99c18
Author: Kristof Provost 
AuthorDate: 2021-03-15 13:10:55 +
Commit: Kristof Provost 
CommitDate: 2021-03-17 18:18:14 +

pf tests: pfsync bulk update test

Test that pfsync works as expected with bulk updates. That is, create
some state before setting up the second firewall. Let that firewall
request a bulk update so it can catch up, and check that it got the
state which was created before it enabled pfsync.

PR: 254236
MFC after:  2 weeks
Differential Revision:  https://reviews.freebsd.org/D29272
---
 tests/sys/netpfil/pf/pfsync.sh | 68 ++
 1 file changed, 68 insertions(+)

diff --git a/tests/sys/netpfil/pf/pfsync.sh b/tests/sys/netpfil/pf/pfsync.sh
index d8cb0a13efb7..a6fc7ec9f7e9 100644
--- a/tests/sys/netpfil/pf/pfsync.sh
+++ b/tests/sys/netpfil/pf/pfsync.sh
@@ -112,8 +112,76 @@ defer_cleanup()
pfsynct_cleanup
 }
 
+atf_test_case "bulk" "cleanup"
+bulk_head()
+{
+   atf_set descr 'Test bulk updates'
+   atf_set require.user root
+}
+
+bulk_body()
+{
+   pfsynct_init
+
+   epair_sync=$(vnet_mkepair)
+   epair_one=$(vnet_mkepair)
+   epair_two=$(vnet_mkepair)
+
+   vnet_mkjail one ${epair_one}a ${epair_sync}a
+   vnet_mkjail two ${epair_two}a ${epair_sync}b
+
+   # pfsync interface
+   jexec one ifconfig ${epair_sync}a 192.0.2.1/24 up
+   jexec one ifconfig ${epair_one}a 198.51.100.1/24 up
+   jexec one ifconfig pfsync0 \
+   syncdev ${epair_sync}a \
+   maxupd 1\
+   up
+   jexec two ifconfig ${epair_two}a 198.51.100.2/24 up
+   jexec two ifconfig ${epair_sync}b 192.0.2.2/24 up
+
+   # Enable pf
+   jexec one pfctl -e
+   pft_set_rules one \
+   "set skip on ${epair_sync}a" \
+   "pass keep state"
+   jexec two pfctl -e
+   pft_set_rules two \
+   "set skip on ${epair_sync}b" \
+   "pass keep state"
+
+   ifconfig ${epair_one}b 198.51.100.254/24 up
+
+   # Create state prior to setting up pfsync
+   ping -c 1 -S 198.51.100.254 198.51.100.1
+
+   # Wait before setting up pfsync on two, so we don't accidentally catch
+   # the update anyway.
+   sleep 1
+
+   # Now set up pfsync in jail two
+   jexec two ifconfig pfsync0 \
+   syncdev ${epair_sync}b \
+   up
+
+   # Give pfsync time to do its thing
+   sleep 2
+
+   jexec two pfctl -s states
+   if ! jexec two pfctl -s states | grep icmp | grep 198.51.100.1 | \
+   grep 198.51.100.2 ; then
+   atf_fail "state not found on synced host"
+   fi
+}
+
+bulk_cleanup()
+{
+   pfsynct_cleanup
+}
+
 atf_init_test_cases()
 {
atf_add_test_case "basic"
atf_add_test_case "defer"
+   atf_add_test_case "bulk"
 }
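Review bot: The final check's `grep 198.51.100.2` only matches the expected state because `198.51.100.2` is a prefix of `198.51.100.254` — the patterns are unanchored regexes in which `.` matches any character — so the assertion does not actually pin the peer that created the state. Use fixed strings for the two real endpoints of the ping, `grep -F 198.51.100.254 | grep -F 198.51.100.1`, so a state between different hosts cannot satisfy it. The `ping -c 1 -S 198.51.100.254 198.51.100.1` is also unchecked; if it fails, the test proceeds and the fault only surfaces as the less specific "state not found" message, so running it under `atf_check -s exit:0` would localize the failure. The fixed `sleep` waits are timing-dependent but are consistent with the existing cases in this file.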


git: aefda9c92da6 - main - pf: ensure 'off' is always set before use

2023-09-29 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=aefda9c92da6571d405e1b27c5c68333ad8bbc57

commit aefda9c92da6571d405e1b27c5c68333ad8bbc57
Author: Kristof Provost 
AuthorDate: 2023-09-28 07:04:32 +
Commit: Kristof Provost 
CommitDate: 2023-09-29 22:10:32 +

pf: ensure 'off' is always set before use

If we bail out early from pf_test(6)() we still need to clean up/finish
SCTP multihome work, which requires the 'off' value to be set. Set it
early enough.

MFC after:  3 days
Sponsored by:   Orange Business Services
---
 sys/netpfil/pf/pf.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index df4bd47c35d5..baa34b16f487 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7698,6 +7698,9 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0,
pd.af = AF_INET;
pd.act.rtableid = -1;
 
+   h = mtod(m, struct ip *);
+   off = h->ip_hl << 2;
+
if (__predict_false(ip_divert_ptr != NULL) &&
((ipfwtag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL)) != NULL)) {
struct ipfw_rule_ref *rr = (struct ipfw_rule_ref *)(ipfwtag+1);
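Review bot: The early `off = h->ip_hl << 2` now reads the header-length field before pf_normalize_ip() has validated the packet, so the value is only trustworthy for what the commit needs it for — the SCTP multihome cleanup on the early-exit path — and any later recomputation after normalization must remain, because normalization can replace the mbuf (the IPv6 hunk's own `pf_normalize messes with m0` comment says as much). A comment at the new lines should state that, e.g. `/* Set early: the multihome cleanup at out: needs off even when we bail before normalization. */`. The IPv6 hunks now carry the `((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr)` expression twice; a small static inline would keep the copies from drifting. pf_test's body starts and ends outside the hunk.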
@@ -8249,6 +8252,9 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
pd.af = AF_INET6;
pd.act.rtableid = -1;
 
+   h = mtod(m, struct ip6_hdr *);
+   off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
+
/* We do IP header normalization and packet reassembly here */
if (pf_normalize_ip6(m0, kif, &reason, &pd) != PF_PASS) {
action = PF_DROP;
@@ -8256,6 +8262,7 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
}
m = *m0;/* pf_normalize messes with m0 */
h = mtod(m, struct ip6_hdr *);
+   off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
 
/*
 * we do not support jumbogram.  if we keep going, zero ip6_plen
@@ -8272,7 +8279,6 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct 
mbuf **m0, struct inpcb
pd.tos = IPV6_DSCP(h);
pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
 
-   off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
pd.proto = h->ip6_nxt;
do {
switch (pd.proto) {



git: 480f62ccd8d9 - main - pf: only create sctp multihome states if we pass the packet

2023-09-29 Thread Kristof Provost
The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=480f62ccd8d998e4db9dc13c354a60f8f5e32a33

commit 480f62ccd8d998e4db9dc13c354a60f8f5e32a33
Author: Kristof Provost 
AuthorDate: 2023-09-29 07:23:43 +
Commit: Kristof Provost 
CommitDate: 2023-09-29 22:10:32 +

pf: only create sctp multihome states if we pass the packet

If we've decided to drop the packet we shouldn't create additional
states based off it.

MFC after:  3 days
Sponsored by:   Orange Business Services
---
 sys/netpfil/pf/pf.c | 16 ++--
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index baa34b16f487..3e1c8d32add9 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -310,7 +310,7 @@ static int   pf_test_state_icmp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
 static void pf_sctp_multihome_delayed(struct pf_pdesc *, int,
-   struct pfi_kkif *, struct pf_kstate *);
+   struct pfi_kkif *, struct pf_kstate *, int);
 static int  pf_test_state_sctp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
@@ -5921,10 +5921,10 @@ pf_test_state_sctp(struct pf_kstate **state, struct 
pfi_kkif *kif,
 
 static void
 pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif,
-struct pf_kstate *s)
+struct pf_kstate *s, int action)
 {
struct pf_sctp_multihome_job*j, *tmp;
-   int  action __unused;
+   int  ret __unused;;
struct pf_kstate*sm = NULL;
struct pf_krule *ra = NULL;
struct pf_krule *r = &V_pf_default_rule;
@@ -5933,11 +5933,14 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, 
struct pfi_kkif *kif,
PF_RULES_RLOCK_TRACKER;
 
TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) {
+   if (s == NULL || action != PF_PASS)
+   goto free;
+
switch (j->op) {
case  SCTP_ADD_IP_ADDRESS: {
j->pd.sctp_flags |= PFDESC_SCTP_ADD_IP;
PF_RULES_RLOCK();
-   action = pf_test_rule(&r, &sm, kif,
+   ret = pf_test_rule(&r, &sm, kif,
j->m, off, &j->pd, &ra, &rs, NULL);
PF_RULES_RUNLOCK();
SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, 
action);
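Review bot: After renaming the pf_test_rule() result to `ret`, the SDT probe on the next context line still passes `action`, which is now the caller's verdict and — since non-PF_PASS jobs are skipped by the new guard above — is always PF_PASS at that point, so the probe no longer reports the per-job rule outcome; it should read `SDT_PROBE4(pf, sctp, multihome, test, kif, r, j->m, ret);`. `int ret __unused;;` also carries a stray second semicolon. The `free:` label introduced in the next hunk shares its name with the `free()` call it precedes, which reads confusingly; `next_job:` would be clearer. pf_sctp_multihome_delayed continues past the hunk.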
@@ -5986,6 +5989,7 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, 
struct pfi_kkif *kif,
}
}
 
+free:
free(j, M_PFTEMP);
}
 }
@@ -8154,7 +8158,7 @@ done:
PF_STATE_UNLOCK(s);
 
 out:
-   pf_sctp_multihome_delayed(&pd, off, kif, s);
+   pf_sctp_multihome_delayed(&pd, off, kif, s, action);
 
return (action);
 }
@@ -8711,7 +8715,7 @@ done:
 out:
SDT_PROBE4(pf, ip, test6, done, action, reason, r, s);
 
-   pf_sctp_multihome_delayed(&pd, off, kif, s);
+   pf_sctp_multihome_delayed(&pd, off, kif, s, action);
 
return (action);
 }



git: 0ac8d8d9954f - stable/14 - pf: support SCTP multihoming

2023-10-02 Thread Kristof Provost
The branch stable/14 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0ac8d8d9954f2d446d4fa7a5f154d55931f3d1f1

commit 0ac8d8d9954f2d446d4fa7a5f154d55931f3d1f1
Author: Kristof Provost 
AuthorDate: 2023-08-02 17:05:00 +
Commit: Kristof Provost 
CommitDate: 2023-10-02 09:32:14 +

pf: support SCTP multihoming

SCTP may announce additional IP addresses it'll use in the INIT/INIT_ACK
chunks, or in ASCONF chunks at any time during the connection. Parse these
parameters, evaluate the ruleset for the new connection and if allowed
create the corresponding states.

MFC after:  3 weeks
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D41637

(cherry picked from commit 10aa9ddb4d45ab0c8f56b0e91c7e8de213030c0f)
---
 sys/net/pfvar.h  |  22 +-
 sys/netpfil/pf/pf.c  | 186 ++-
 sys/netpfil/pf/pf_norm.c |  34 +++--
 3 files changed, 231 insertions(+), 11 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index f9cb45f696d3..ec72c1079c70 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1531,6 +1531,9 @@ struct pfi_kkif {
 #define PFI_IFLAG_SKIP 0x0100  /* skip filtering on interface */
 
 #ifdef _KERNEL
+struct pf_sctp_multihome_job;
+TAILQ_HEAD(pf_sctp_multihome_jobs, pf_sctp_multihome_job);
+
 struct pf_pdesc {
struct {
int  done;
@@ -1578,10 +1581,22 @@ struct pf_pdesc {
 #define PFDESC_SCTP_SHUTDOWN   0x0010
 #define PFDESC_SCTP_SHUTDOWN_COMPLETE  0x0020
 #define PFDESC_SCTP_DATA   0x0040
-#define PFDESC_SCTP_OTHER  0x0080
+#define PFDESC_SCTP_ASCONF 0x0080
+#define PFDESC_SCTP_OTHER  0x0100
u_int16_tsctp_flags;
u_int32_tsctp_initiate_tag;
+
+   struct pf_sctp_multihome_jobs   sctp_multihome_jobs;
+};
+
+struct pf_sctp_multihome_job {
+   TAILQ_ENTRY(pf_sctp_multihome_job)  next;
+   struct pf_pdesc  pd;
+   struct pf_addr   src;
+   struct pf_addr   dst;
+   struct mbuf *m;
 };
+
 #endif
 
 /* flags for RDR options */
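Review bot: `struct pf_sctp_multihome_job` embeds a full `struct pf_pdesc` by value and carries a `struct mbuf *m`, but nothing says that the embedded pd is a snapshot (it contains its own, presumably unused, `sctp_multihome_jobs` head) or who owns and frees the mbuf; those are the first questions a reader of the delayed-job code will ask. Suggest a comment on the struct along the lines of `/* Deferred ruleset evaluation for an address announced in INIT/ASCONF; pd is a copy taken at parse time. */`, with a second clause on mbuf ownership once it has been confirmed against pf.c. The same hunk appears unchanged in the stable/13 cherry-pick 41cc99739ee6 below and would take the same comment.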
@@ -2253,6 +2268,11 @@ void pf_addr_inc(struct pf_addr *, sa_family_t);
 intpf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *, bool);
 #endif /* INET6 */
 
+intpf_multihome_scan_init(struct mbuf *, int, int, struct pf_pdesc *,
+   struct pfi_kkif *);
+intpf_multihome_scan_asconf(struct mbuf *, int, int, struct pf_pdesc *,
+   struct pfi_kkif *);
+
 u_int32_t  pf_new_isn(struct pf_kstate *);
 void   *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
sa_family_t);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 7cee0833072b..69373b720ad9 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -126,6 +126,8 @@ SDT_PROBE_DEFINE4(pf, ip, test6, done, "int", "int", 
"struct pf_krule *",
 SDT_PROBE_DEFINE5(pf, ip, state, lookup, "struct pfi_kkif *",
 "struct pf_state_key_cmp *", "int", "struct pf_pdesc *",
 "struct pf_kstate *");
+SDT_PROBE_DEFINE4(pf, sctp, multihome, test, "struct pfi_kkif *",
+"struct pf_krule *", "struct mbuf *", "int");
 
 SDT_PROBE_DEFINE3(pf, eth, test_rule, entry, "int", "struct ifnet *",
 "struct mbuf *");
@@ -307,6 +309,8 @@ static int   pf_test_state_udp(struct pf_kstate **,
 static int  pf_test_state_icmp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
+static void pf_sctp_multihome_delayed(struct pf_pdesc *, int,
+   struct pfi_kkif *, struct pf_kstate *);
 static int  pf_test_state_sctp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
@@ -5911,6 +5915,174 @@ pf_test_state_sctp(struct pf_kstate **state, struct 
pfi_kkif *kif,
return (PF_PASS);
 }
 
+static void
+pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, struct pfi_kkif *kif,
+struct pf_kstate *s)
+{
+   struct pf_sctp_multihome_job*j, *tmp;
+   int  action;;
+   struct pf_kstate*sm = NULL;
+   struct pf_krule *ra = NULL;
+   struct pf_krule *r = &V_pf_default_rule;
+   struct pf_kruleset  *rs = NULL;
+
+   PF_RULES_RLOCK_TRACKER;
+
+   TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) {
+   PF_RULES_RLOCK();
+   action = pf_test_rule(&r, &sm, kif,
+   j->m, off, &j->pd, &ra, &am

git: 2537ad522d85 - stable/14 - pf tests: basic SCTP multihoming test

2023-10-02 Thread Kristof Provost
The branch stable/14 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2537ad522d85be44cfe3d61a1fc873bebe0fef28

commit 2537ad522d85be44cfe3d61a1fc873bebe0fef28
Author: Kristof Provost 
AuthorDate: 2023-08-02 08:44:52 +
Commit: Kristof Provost 
CommitDate: 2023-10-02 09:32:14 +

pf tests: basic SCTP multihoming test

The SCTP server will announce multiple addresses. Block one of them with
pf, connect to the other and have the client use the blocked address. pf
is expected to have created state for all of the addresses announced by
the server.

In a separate test case add the secondary (client) IP after the
connection has been established. The intent is to verify the
functionality of the ASCONF chunk parsing.

MFC after:  3 weeks
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D41638

(cherry picked from commit 1a28d5fea7edf200c37d14f7ed5865910664ec3d)
---
 tests/sys/netpfil/pf/Makefile |   1 +
 tests/sys/netpfil/pf/sctp.py  | 442 ++
 2 files changed, 443 insertions(+)

diff --git a/tests/sys/netpfil/pf/Makefile b/tests/sys/netpfil/pf/Makefile
index 70c0c300d7ad..44fe95680dfb 100644
--- a/tests/sys/netpfil/pf/Makefile
+++ b/tests/sys/netpfil/pf/Makefile
@@ -40,6 +40,7 @@ ATF_TESTS_SH+=altq \
tos
 
 ATF_TESTS_PYTEST+= frag6.py
+ATF_TESTS_PYTEST+= sctp.py
 
 # Tests reuse jail names and so cannot run in parallel.
 TEST_METADATA+=is_exclusive=true
diff --git a/tests/sys/netpfil/pf/sctp.py b/tests/sys/netpfil/pf/sctp.py
new file mode 100644
index ..b24d0c414ac8
--- /dev/null
+++ b/tests/sys/netpfil/pf/sctp.py
@@ -0,0 +1,442 @@
+import pytest
+import ctypes
+import socket
+import ipaddress
+import re
+from atf_python.sys.net.tools import ToolsHelper
+from atf_python.sys.net.vnet import VnetTestTemplate
+
+import time
+
+SCTP_UNORDERED = 0x0400
+
+SCTP_NODELAY = 0x0004
+SCTP_SET_PEER_PRIMARY_ADDR   = 0x0006
+SCTP_PRIMARY_ADDR= 0x0007
+
+SCTP_BINDX_ADD_ADDR  = 0x8001
+SCTP_BINDX_REM_ADDR  = 0x8002
+
+class sockaddr_in(ctypes.Structure):
+_fields_ = [
+('sin_len', ctypes.c_uint8),
+('sin_family', ctypes.c_uint8),
+('sin_port', ctypes.c_uint16),
+('sin_addr', ctypes.c_uint32),
+('sin_zero', ctypes.c_int8 * 8)
+]
+
+class sockaddr_in6(ctypes.Structure):
+_fields_ = [
+('sin6_len',  ctypes.c_uint8),
+('sin6_family',   ctypes.c_uint8),
+('sin6_port', ctypes.c_uint16),
+('sin6_flowinfo', ctypes.c_uint32),
+('sin6_addr', ctypes.c_uint8 * 16),
+('sin6_scope_id', ctypes.c_uint32)
+]
+
+class sockaddr_storage(ctypes.Union):
+_fields_ = [
+("v4",sockaddr_in),
+("v6",   sockaddr_in6)
+]
+
+class sctp_sndrcvinfo(ctypes.Structure):
+_fields_ = [
+('sinfo_stream',ctypes.c_uint16),
+('sinfo_ssn',   ctypes.c_uint16),
+('sinfo_flags', ctypes.c_uint16),
+('sinfo_ppid',  ctypes.c_uint32),
+('sinfo_context',   ctypes.c_uint32),
+('sinfo_timetolive',ctypes.c_uint32),
+('sinfo_tsn',   ctypes.c_uint32),
+('sinfo_cumtsn',ctypes.c_uint32),
+('sinfo_assoc_id',  ctypes.c_uint32),
+]
+
+class sctp_setprim(ctypes.Structure):
+_fields_ = [
+('ssp_addr',sockaddr_storage),
+('ssp_pad', ctypes.c_int8 * (128 - 16)),
+('ssp_assoc_id',ctypes.c_uint32),
+('ssp_padding', ctypes.c_uint32)
+]
+
+def to_sockaddr(ip, port):
+ip = ipaddress.ip_address(ip)
+
+if ip.version == 4:
+addr = sockaddr_in()
+addr.sin_len = ctypes.sizeof(addr)
+addr.sin_family = socket.AF_INET
+addr.sin_port = socket.htons(port)
+addr.sin_addr = socket.htonl(int.from_bytes(ip.packed, 
byteorder='big'))
+else:
+assert ip.version == 6
+
+addr = sockaddr_in6()
+addr.sin6_len = ctypes.sizeof(addr)
+addr.sin6_family = socket.AF_INET6
+addr.sin6_port = socket.htons(port)
+for i in range(0, 16):
+addr.sin6_addr[i] = ip.packed[i]
+
+return addr
+
+class SCTPServer:
+def __init__(self, family, port=1234):
+self._libc = ctypes.CDLL("libc.so.7", use_errno=True)
+
+self._listen_fd = self._libc.socket(family, socket.SOCK_STREAM, 
socket.IPPROTO_SCTP)
+if self._listen_fd == -1:
+raise Exception("Failed to create sock

git: 41cc99739ee6 - stable/13 - pf: support SCTP multihoming

2023-10-02 Thread Kristof Provost
The branch stable/13 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=41cc99739ee635b7a6952ee45e1b7c9d995077aa

commit 41cc99739ee635b7a6952ee45e1b7c9d995077aa
Author: Kristof Provost 
AuthorDate: 2023-08-02 17:05:00 +
Commit: Kristof Provost 
CommitDate: 2023-10-02 08:51:43 +

pf: support SCTP multihoming

SCTP may announce additional IP addresses it'll use in the INIT/INIT_ACK
chunks, or in ASCONF chunks at any time during the connection. Parse these
parameters, evaluate the ruleset for the new connection and if allowed
create the corresponding states.

MFC after:  3 weeks
Sponsored by:   Orange Business Services
Differential Revision:  https://reviews.freebsd.org/D41637

(cherry picked from commit 10aa9ddb4d45ab0c8f56b0e91c7e8de213030c0f)
---
 sys/net/pfvar.h  |  22 ++-
 sys/netpfil/pf/pf.c  | 347 ---
 sys/netpfil/pf/pf_norm.c |  34 +++--
 3 files changed, 312 insertions(+), 91 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 4043bb8e0e54..07a4140e450f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1280,6 +1280,9 @@ struct pfi_kkif {
 #define PFI_IFLAG_SKIP 0x0100  /* skip filtering on interface */
 
 #ifdef _KERNEL
+struct pf_sctp_multihome_job;
+TAILQ_HEAD(pf_sctp_multihome_jobs, pf_sctp_multihome_job);
+
 struct pf_pdesc {
struct {
int  done;
@@ -1327,10 +1330,22 @@ struct pf_pdesc {
 #define PFDESC_SCTP_SHUTDOWN   0x0010
 #define PFDESC_SCTP_SHUTDOWN_COMPLETE  0x0020
 #define PFDESC_SCTP_DATA   0x0040
-#define PFDESC_SCTP_OTHER  0x0080
+#define PFDESC_SCTP_ASCONF 0x0080
+#define PFDESC_SCTP_OTHER  0x0100
u_int16_tsctp_flags;
u_int32_tsctp_initiate_tag;
+
+   struct pf_sctp_multihome_jobs   sctp_multihome_jobs;
+};
+
+struct pf_sctp_multihome_job {
+   TAILQ_ENTRY(pf_sctp_multihome_job)  next;
+   struct pf_pdesc  pd;
+   struct pf_addr   src;
+   struct pf_addr   dst;
+   struct mbuf *m;
 };
+
 #endif
 
 /* flags for RDR options */
@@ -1996,6 +2011,11 @@ void pf_addr_inc(struct pf_addr *, sa_family_t);
 intpf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *);
 #endif /* INET6 */
 
+intpf_multihome_scan_init(struct mbuf *, int, int, struct pf_pdesc *,
+   struct pfi_kkif *);
+intpf_multihome_scan_asconf(struct mbuf *, int, int, struct pf_pdesc *,
+   struct pfi_kkif *);
+
 u_int32_t  pf_new_isn(struct pf_kstate *);
 void   *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
sa_family_t);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 51f81172bad2..cb4ab2da4633 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -118,6 +118,8 @@ SDT_PROBE_DEFINE4(pf, ip, test6, done, "int", "int", 
"struct pf_krule *",
 SDT_PROBE_DEFINE5(pf, ip, state, lookup, "struct pfi_kkif *",
 "struct pf_state_key_cmp *", "int", "struct pf_pdesc *",
 "struct pf_kstate *");
+SDT_PROBE_DEFINE4(pf, sctp, multihome, test, "struct pfi_kkif *",
+"struct pf_krule *", "struct mbuf *", "int");
 
 /*
  * Global variables
@@ -288,6 +290,8 @@ static int   pf_test_state_udp(struct pf_kstate **, 
int,
 static int  pf_test_state_icmp(struct pf_kstate **, int,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
+static void pf_sctp_multihome_delayed(struct pf_pdesc *, int,
+   struct pfi_kkif *, struct pf_kstate *);
 static int  pf_test_state_sctp(struct pf_kstate **,
struct pfi_kkif *, struct mbuf *, int,
void *, struct pf_pdesc *, u_short *);
@@ -5253,6 +5257,255 @@ pf_test_state_udp(struct pf_kstate **state, int 
direction, struct pfi_kkif *kif,
return (PF_PASS);
 }
 
+static int
+pf_test_state_sctp(struct pf_kstate **state, struct pfi_kkif *kif,
+struct mbuf *m, int off, void *h, struct pf_pdesc *pd, u_short *reason)
+{
+   struct pf_state_key_cmp  key;
+   struct pf_state_peer*src; //, *dst;
+   struct sctphdr  *sh = &pd->hdr.sctp;
+   u_int8_t psrc; //, pdst;
+
+   bzero(&key, sizeof(key));
+   key.af = pd->af;
+   key.proto = IPPROTO_SCTP;
+   if (pd->dir == PF_IN)   {   /* wire side, straight */
+   PF_ACPY(&key.addr[0], pd->src, key.af);
+   PF_ACPY(&key.addr[1], pd->dst, key.af);
+   key.port[0] = sh->src_port;
+   key.port[1] = sh->dest_port;
+   } els

git: 48172aad8143 - stable/14 - pf: improve SCTP state validation

2023-10-02 Thread Kristof Provost
The branch stable/14 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=48172aad8143d72fa2af363f4b6da0bf1c522789

commit 48172aad8143d72fa2af363f4b6da0bf1c522789
Author: Kristof Provost 
AuthorDate: 2023-09-01 11:33:56 +
Commit: Kristof Provost 
CommitDate: 2023-10-02 09:32:14 +

pf: improve SCTP state validation

Only create new states for INIT chunks, or when we're creating a
secondary state for a multihomed association.

Store and verify verification tag.

MFC after:  3 weeks
Sponsored by:   Orange Business Services

(cherry picked from commit 51a78dd2764beabfd19a58b8a8b04387a547f02e)
---
 sys/net/pfvar.h  |  8 +++-
 sys/netpfil/pf/pf.c  | 25 +++--
 sys/netpfil/pf/pf_norm.c | 17 +
 3 files changed, 39 insertions(+), 11 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index ec72c1079c70..a8567ab74fe3 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -900,7 +900,10 @@ struct pf_state_scrub {
 #define PFSS_DATA_NOTS 0x0080  /* no timestamp on data packets */
u_int8_tpfss_ttl;   /* stashed TTL  */
u_int8_tpad;
-   u_int32_t   pfss_ts_mod;/* timestamp modulation */
+   union {
+   u_int32_t   pfss_ts_mod;/* timestamp modulation 
*/
+   u_int32_t   pfss_v_tag; /* SCTP verification tag
*/
+   };
 };
 
 struct pf_state_host {
@@ -1583,6 +1586,7 @@ struct pf_pdesc {
 #define PFDESC_SCTP_DATA   0x0040
 #define PFDESC_SCTP_ASCONF 0x0080
 #define PFDESC_SCTP_OTHER  0x0100
+#define PFDESC_SCTP_ADD_IP 0x0200
u_int16_tsctp_flags;
u_int32_tsctp_initiate_tag;
 
@@ -2301,6 +2305,8 @@ int   pf_normalize_tcp_init(struct mbuf *, int, 
struct pf_pdesc *,
 intpf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
u_short *, struct tcphdr *, struct pf_kstate *,
struct pf_state_peer *, struct pf_state_peer *, int *);
+intpf_normalize_sctp_init(struct mbuf *, int, struct pf_pdesc *,
+   struct pf_state_peer *, struct pf_state_peer *);
 intpf_normalize_sctp(int, struct pfi_kkif *, struct mbuf *, int,
int, void *, struct pf_pdesc *);
 u_int32_t
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 69373b720ad9..8958579b7e63 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -4904,11 +4904,7 @@ pf_create_state(struct pf_krule *r, struct pf_krule *nr, 
struct pf_krule *a,
if (s->state_flags & PFSTATE_SCRUB_TCP &&
pf_normalize_tcp_init(m, off, pd, th, &s->src, &s->dst)) {
REASON_SET(&reason, PFRES_MEMORY);
-   pf_src_tree_remove_state(s);
-   s->timeout = PFTM_UNLINKED;
-   STATE_DEC_COUNTERS(s);
-   pf_free_state(s);
-   return (PF_DROP);
+   goto drop;
}
if (s->state_flags & PFSTATE_SCRUB_TCP && s->src.scrub &&
pf_normalize_tcp_stateful(m, off, pd, &reason, th, s,
@@ -4917,12 +4913,13 @@ pf_create_state(struct pf_krule *r, struct pf_krule 
*nr, struct pf_krule *a,
DPFPRINTF(PF_DEBUG_URGENT,
("pf_normalize_tcp_stateful failed on first "
 "pkt\n"));
-   pf_src_tree_remove_state(s);
-   s->timeout = PFTM_UNLINKED;
-   STATE_DEC_COUNTERS(s);
-   pf_free_state(s);
-   return (PF_DROP);
+   goto drop;
}
+   } else if (pd->proto == IPPROTO_SCTP) {
+   if (pf_normalize_sctp_init(m, off, pd, &s->src, &s->dst))
+   goto drop;
+   if (! (pd->sctp_flags & (PFDESC_SCTP_INIT | 
PFDESC_SCTP_ADD_IP)))
+   goto drop;
}
s->direction = pd->dir;
 
@@ -5890,6 +5887,13 @@ pf_test_state_sctp(struct pf_kstate **state, struct 
pfi_kkif *kif,
}
}
 
+   if (src->scrub != NULL) {
+   if (src->scrub->pfss_v_tag == 0) {
+   src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag;
+   } else  if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag)
+   return (PF_DROP);
+   }
+
(*state)->expire = time_uptime;
 
/* translate source/destination address, if necessary */
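Review bot: The verification tag is learned lazily from the first packet seen in a direction (`pfss_v_tag == 0` meaning unset) rather than taken from the INIT/INIT-ACK that established the state, so the value pinned is whatever arrived first on that side; if that is the intended design the comment should say so, and if pf_normalize_sctp_init (out of view) already records the tag, this branch is a fallback worth naming. The zero sentinel is sound because SCTP only uses a zero verification tag on INIT, which is also worth stating. The drop branch is unbraced while its sibling is braced; `} else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag) {` with the return inside braces matches the surrounding style. pf_test_state_sctp continues outside the hunk.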
@@ -5930,6 +5934,7 @@ pf_sctp_multihome_delayed(struct pf_pdesc *pd, int off, 
struct pfi_kkif *kif,
 
TAILQ_FOREACH_SAFE(j, &pd->sctp_multihome_jobs, next, tmp) {
PF_RULES_RLO
