Page MenuHomeFreeBSD
Differential D49551

pf: don't use state keys after pf_state_insert()
ClosedPublic
Actions

Authored by kp on Mar 28 2025, 2:47 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Apr 30, 6:31 AM
Unknown Object (File)
Mon, Apr 21, 9:25 PM
Unknown Object (File)
Mon, Apr 21, 1:45 PM
Unknown Object (File)
Thu, Apr 17, 2:47 AM
Unknown Object (File)
Tue, Apr 15, 3:46 AM
Unknown Object (File)
Mon, Apr 14, 12:32 PM
Unknown Object (File)
Sun, Apr 13, 4:08 AM
Unknown Object (File)
Wed, Apr 9, 12:10 PM
View All 15 Files
Subscribers
ae
farrokhi
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
glebius
markj
Group Reviewers
network
Commits
rG8b9d1dc82ac4: pf: don't use state keys after pf_state_insert()
rG7161339bb5e9: pf: don't use state keys after pf_state_insert()
rGbdea9cbcf2de: pf: don't use state keys after pf_state_insert()
Summary

pf_state_insert() may free the state keys, it's not safe to access these
pointers after the call.

Introduce osrc/odst (similar to osport/odport) to store the original source and
destination addresses. This allows us to undo NAT transformations without having
to access the state keys.

MFC after: 3 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Mar 28 2025, 2:47 PM
Herald added subscribers: vegeta_tuxpowered.net, melifaro, farrokhi and 2 others. · View Herald TranscriptMar 28 2025, 2:47 PM
kp requested review of this revision.Mar 28 2025, 2:47 PM
Harbormaster completed remote builds in B63175: Diff 152790.Mar 28 2025, 2:47 PM
kp added a parent revision: D49550: pf: improve pf_state_key_attach() error handling.Mar 28 2025, 2:47 PM
kp added a child revision: D49552: pf: simplify action resolution in pf_test_rule().
glebius accepted this revision as: glebius.Mar 28 2025, 8:08 PM

The pf_pdesc is always on the stack, is it?

This revision is now accepted and ready to land.Mar 28 2025, 8:08 PM
markj accepted this revision as: markj.Mar 29 2025, 8:18 AM
markj added inline comments.
sys/netpfil/pf/pf.c
6265

Maybe it'd be nice to deduplicate this with the identical code in pf_return().

9926

This turns into a function call where we switch on af, even though we know its value here. It'd be nicer to have pf_addrcpy() be inlined, at least when the value of af is known at compile-time. Or have pf_addrcpy_inet()/pf_addrcpy_inet6().

kp added a comment.Mar 29 2025, 9:44 AM
In D49551#1129918, @glebius wrote:

The pf_pdesc is always on the stack, is it?

Yes. In pf_test().
There's another instance in pf_icmp_state_lookup(), for the embedded packet in ICMP errors. That's on the stack too.

kp added inline comments.Mar 29 2025, 9:53 AM
sys/netpfil/pf/pf.c
6265

I'll propose a separate commit for that.

9926

I'm tempted to move pf_addrcpy() into pfvar.h so we can leave that to the compiler.
We basically always 'PF_ACPY()' to copy addresses, and I'd like to not have to think about why we sometimes do and sometimes don't.

markj added inline comments.Mar 29 2025, 12:49 PM
sys/netpfil/pf/pf.c
9926

That makes sense to me. I'd maybe also hardcode the value of af here, i.e., PF_ACPY(..., AF_INET6), just in case.

Closed by commit rGbdea9cbcf2de: pf: don't use state keys after pf_state_insert() (authored by kp). · Explain WhyMar 31 2025, 2:58 PM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rGbdea9cbcf2de: pf: don't use state keys after pf_state_insert().
kp added a commit: rG7161339bb5e9: pf: don't use state keys after pf_state_insert().Mon, Apr 21, 9:15 PM
kp added a commit: rG8b9d1dc82ac4: pf: don't use state keys after pf_state_insert().

Revision Contents
Changeset List

PathSize
sys/
net/
2 lines
netpfil/
pf/
30 lines

Diff 152905

View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...