
pfil: PFIL_PASS never frees the mbuf
ClosedPublic

Authored by kp on Jan 26 2024, 2:45 PM.
Tags
None
Referenced Files
F115509491: D43617.diff

Details

Summary

pfil hooks (i.e. firewalls) may pass, modify or free the mbuf passed
to them. (E.g. when rejecting a packet, or when gathering up packets
for reassembly).

If the hook returns PFIL_PASS the mbuf must still be present. Assert
this in pfil_mem_common() and ensure that ipfilter follows this
convention. pf and ipfw already did.
Similarly, if the hook returns PFIL_DROPPED or PFIL_CONSUMED the mbuf
must have been freed (or now be owned by the firewall for further
processing, like packet scheduling or reassembly).

This allows us to remove a few extraneous NULL checks.

Suggested by: tuexen
Sponsored by: Rubicon Communications, LLC ("Netgate")
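
The ownership rule in the summary above, as an added userspace model (not code from this revision or from FreeBSD). All names are hypothetical, and the model assumes a hook that frees or keeps a packet clears the caller's pointer; the dispatcher reports a violation where the kernel change asserts.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; all names are hypothetical, not the kernel pfil API. */
enum verdict { V_PASS, V_DROPPED, V_CONSUMED };
struct pkt { struct pkt *next; int len; };
typedef enum verdict (*hook_fn)(struct pkt **);

struct pkt *held_queue;   /* packets a hook kept, e.g. for reassembly */

/* Assumption: a hook that frees or keeps the packet clears *pp. */
enum verdict hook_pass(struct pkt **pp) { (void)pp; return V_PASS; }
enum verdict hook_drop(struct pkt **pp) { free(*pp); *pp = NULL; return V_DROPPED; }
enum verdict hook_hold(struct pkt **pp) {
    (*pp)->next = held_queue; held_queue = *pp; *pp = NULL;
    return V_CONSUMED;
}
/* Buggy hook: releases the packet but still reports "pass". */
enum verdict hook_buggy(struct pkt **pp) { free(*pp); *pp = NULL; return V_PASS; }

/* The contract: PASS leaves the packet with the caller, anything else takes it. */
int contract_ok(enum verdict v, const struct pkt *p) {
    return v == V_PASS ? p != NULL : p == NULL;
}

/* Run hooks in order, stopping at the first non-pass verdict.
 * Sets *violated when a hook's verdict disagrees with the pointer state. */
enum verdict run_hooks(hook_fn *hooks, size_t n, struct pkt **pp, int *violated) {
    enum verdict v = V_PASS;
    *violated = 0;
    for (size_t i = 0; i < n && v == V_PASS; i++) {
        v = hooks[i](pp);
        if (!contract_ok(v, *pp)) { *violated = 1; break; }
    }
    return v;
}

int main(void) {
    hook_fn chain[] = { hook_pass, hook_buggy, hook_pass };
    struct pkt *p = calloc(1, sizeof(*p));   /* constructed sample packet */
    int violated;
    enum verdict v = run_hooks(chain, 3, &p, &violated);
    /* Without the check, the next hook and the caller get a NULL packet. */
    printf("verdict=%d violated=%d\n", v, violated);
    return violated ? 0 : 1;
}
```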

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 55641
Build 52530: arc lint + arc unit