diff options
| author | Oleg Bulyzhin <oleg@FreeBSD.org> | 2009-06-09 21:27:11 +0000 |
|---|---|---|
| committer | Oleg Bulyzhin <oleg@FreeBSD.org> | 2009-06-09 21:27:11 +0000 |
| commit | dda10d624cfdb4a0a28b065c065b99f160ac0e18 (patch) | |
| tree | 7f52d144f542aa5d755cf5429a93e60617651de6 /sys/netgraph/ng_ipfw.c | |
| parent | 15d13a59a3a28c50db6fd2aca9ef4689d9855088 (diff) | |
| download | src-dda10d624cfdb4a0a28b065c065b99f160ac0e18.tar.gz src-dda10d624cfdb4a0a28b065c065b99f160ac0e18.zip | |
Close long existed race with net.inet.ip.fw.one_pass = 0:
If packet leaves ipfw to other kernel subsystem (dummynet, netgraph, etc)
it carries pointer to matching ipfw rule. If this packet then reinjected back
to ipfw, ruleset processing starts from that rule. If rule was deleted
meanwhile, due to existed race condition panic was possible (as well as
other odd effects like parsing rules in 'reap list').
P.S. this commit changes ABI so userland ipfw related binaries should be
recompiled.
MFC after: 1 month
Tested by: Mikolaj Golub
Notes
Notes:
svn path=/head/; revision=193859
Diffstat (limited to 'sys/netgraph/ng_ipfw.c')
| -rw-r--r-- | sys/netgraph/ng_ipfw.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netgraph/ng_ipfw.c b/sys/netgraph/ng_ipfw.c index cce623b8254b..46bac8eb9bcf 100644 --- a/sys/netgraph/ng_ipfw.c +++ b/sys/netgraph/ng_ipfw.c @@ -293,6 +293,8 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee) return (ENOMEM); } ngit->rule = fwa->rule; + ngit->rule_id = fwa->rule_id; + ngit->chain_id = fwa->chain_id; ngit->dir = dir; ngit->ifp = fwa->oif; m_tag_prepend(m, &ngit->mt); |