CVS commit: src/sys/net/npf

Mindaugas Rasiukevicius Tue, 03 Dec 2013 17:39:31 -0800

Module Name:    src
Committed By:   rmind
Date:           Wed Dec  4 01:38:49 UTC 2013


Modified Files:
        src/sys/net/npf: npf_impl.h npf_nat.c npf_ruleset.c npf_session.c

Log Message:
- npf_do_nat: fix a race condition and simplify the logic.
- npf_session_setnat: clear the NAT association on failure.


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 src/sys/net/npf/npf_impl.h
cvs rdiff -u -r1.21 -r1.22 src/sys/net/npf/npf_nat.c
cvs rdiff -u -r1.29 -r1.30 src/sys/net/npf/npf_ruleset.c
cvs rdiff -u -r1.28 -r1.29 src/sys/net/npf/npf_session.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_impl.h
diff -u src/sys/net/npf/npf_impl.h:1.43 src/sys/net/npf/npf_impl.h:1.44
--- src/sys/net/npf/npf_impl.h:1.43	Sat Nov 23 19:32:20 2013
+++ src/sys/net/npf/npf_impl.h	Wed Dec  4 01:38:49 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_impl.h,v 1.43 2013/11/23 19:32:20 rmind Exp $	*/
+/*	$NetBSD: npf_impl.h,v 1.44 2013/12/04 01:38:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -267,7 +267,7 @@ void		npf_rule_free(npf_rule_t *);
 uint64_t	npf_rule_getid(const npf_rule_t *);
 npf_natpolicy_t *npf_rule_getnat(const npf_rule_t *);
 void		npf_rule_setnat(npf_rule_t *, npf_natpolicy_t *);
-npf_rproc_t *	npf_rule_getrproc(npf_rule_t *);
+npf_rproc_t *	npf_rule_getrproc(const npf_rule_t *);
 
 void		npf_ext_sysinit(void);
 void		npf_ext_sysfini(void);
@@ -329,7 +329,7 @@ void		npf_nat_freealg(npf_natpolicy_t *,
 int		npf_do_nat(npf_cache_t *, npf_session_t *, nbuf_t *, const int);
 int		npf_nat_translate(npf_cache_t *, nbuf_t *, npf_nat_t *,
 		    const bool, const int);
-void		npf_nat_expire(npf_nat_t *);
+void		npf_nat_destroy(npf_nat_t *);
 void		npf_nat_getorig(npf_nat_t *, npf_addr_t **, in_port_t *);
 void		npf_nat_gettrans(npf_nat_t *, npf_addr_t **, in_port_t *);
 void		npf_nat_setalg(npf_nat_t *, npf_alg_t *, uintptr_t);

Index: src/sys/net/npf/npf_nat.c
diff -u src/sys/net/npf/npf_nat.c:1.21 src/sys/net/npf/npf_nat.c:1.22
--- src/sys/net/npf/npf_nat.c:1.21	Tue Oct 29 16:39:10 2013
+++ src/sys/net/npf/npf_nat.c	Wed Dec  4 01:38:49 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_nat.c,v 1.21 2013/10/29 16:39:10 rmind Exp $	*/
+/*	$NetBSD: npf_nat.c,v 1.22 2013/12/04 01:38:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.21 2013/10/29 16:39:10 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_nat.c,v 1.22 2013/12/04 01:38:49 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -246,13 +246,14 @@ npf_nat_freepolicy(npf_natpolicy_t *np)
 	npf_session_t *se;
 	npf_nat_t *nt;
 
-	/* De-associate all entries from the policy. */
+	/*
+	 * Disassociate all entries from the policy.  At this point,
+	 * new entries can no longer be created for this policy.
+	 */
 	mutex_enter(&np->n_lock);
 	LIST_FOREACH(nt, &np->n_nat_list, nt_entry) {
-		se = nt->nt_session; /* XXXSMP */
-		if (se == NULL) {
-			continue;
-		}
+		se = nt->nt_session;
+		KASSERT(se != NULL);
 		npf_session_expire(se);
 	}
 	while (!LIST_EMPTY(&np->n_nat_list)) {
@@ -265,6 +266,7 @@ npf_nat_freepolicy(npf_natpolicy_t *np)
 	while (np->n_refcnt) {
 		kpause("npfgcnat", false, 1, NULL);
 	}
+	KASSERT(LIST_EMPTY(&np->n_nat_list));
 
 	/* Destroy the port map, on last reference. */
 	if (pm && --pm->p_refcnt == 0) {
@@ -449,7 +451,7 @@ npf_nat_inspect(npf_cache_t *npc, nbuf_t
  * npf_nat_create: create a new NAT translation entry.
  */
 static npf_nat_t *
-npf_nat_create(npf_cache_t *npc, npf_natpolicy_t *np)
+npf_nat_create(npf_cache_t *npc, npf_natpolicy_t *np, npf_session_t *se)
 {
 	const int proto = npc->npc_proto;
 	npf_nat_t *nt;
@@ -457,14 +459,14 @@ npf_nat_create(npf_cache_t *npc, npf_nat
 	KASSERT(npf_iscached(npc, NPC_IP46));
 	KASSERT(npf_iscached(npc, NPC_LAYER4));
 
-	/* New NAT association. */
+	/* Construct a new NAT entry and associate it with the session. */
 	nt = pool_cache_get(nat_cache, PR_NOWAIT);
 	if (nt == NULL){
 		return NULL;
 	}
 	npf_stats_inc(NPF_STAT_NAT_CREATE);
 	nt->nt_natpolicy = np;
-	nt->nt_session = NULL;
+	nt->nt_session = se;
 	nt->nt_alg = NULL;
 
 	/* Save the original address which may be rewritten. */
@@ -604,7 +606,7 @@ npf_do_nat(npf_cache_t *npc, npf_session
 	npf_natpolicy_t *np;
 	npf_nat_t *nt;
 	int error;
-	bool forw, new;
+	bool forw;
 
 	/* All relevant IPv4 data should be already cached. */
 	if (!npf_iscached(npc, NPC_IP46) || !npf_iscached(npc, NPC_LAYER4)) {
@@ -619,7 +621,6 @@ npf_do_nat(npf_cache_t *npc, npf_session
 	 */
 	if (se && (nt = npf_session_retnat(se, di, &forw)) != NULL) {
 		np = nt->nt_natpolicy;
-		new = false;
 		goto translate;
 	}
 
@@ -635,22 +636,6 @@ npf_do_nat(npf_cache_t *npc, npf_session
 	forw = true;
 
 	/*
-	 * Create a new NAT entry (not yet associated with any session).
-	 * We will consume the reference on success (release on error).
-	 */
-	nt = npf_nat_create(npc, np);
-	if (nt == NULL) {
-		atomic_dec_uint(&np->n_refcnt);
-		return ENOMEM;
-	}
-	new = true;
-
-	/* Determine whether any ALG matches. */
-	if (npf_alg_match(npc, nbuf, nt, di)) {
-		KASSERT(nt->nt_alg != NULL);
-	}
-
-	/*
 	 * If there is no local session (no "stateful" rule - unusual, but
 	 * possible configuration), establish one before translation.  Note
 	 * that it is not a "pass" session, therefore passing of "backwards"
@@ -659,37 +644,46 @@ npf_do_nat(npf_cache_t *npc, npf_session
 	if (se == NULL) {
 		nse = npf_session_establish(npc, nbuf, di);
 		if (nse == NULL) {
-			error = ENOMEM;
-			goto out;
+			atomic_dec_uint(&np->n_refcnt);
+			return ENOMEM;
 		}
 		se = nse;
 	}
-translate:
-	/* Perform the translation. */
-	error = npf_nat_translate(npc, nbuf, nt, forw, di);
+
+	/*
+	 * Create a new NAT entry and associate with the session.
+	 * We will consume the reference on success (release on error).
+	 */
+	nt = npf_nat_create(npc, np, se);
+	if (nt == NULL) {
+		atomic_dec_uint(&np->n_refcnt);
+		error = ENOMEM;
+		goto out;
+	}
+
+	/* Associate the NAT translation entry with the session. */
+	error = npf_session_setnat(se, nt, np->n_type);
 	if (error) {
+		/* Will release the reference. */
+		npf_nat_destroy(nt);
 		goto out;
 	}
 
-	if (__predict_false(new)) {
-		/*
-		 * Associate NAT translation entry with the session.
-		 * Note: packet now has a translated address in the cache.
-		 */
-		nt->nt_session = se;
-		error = npf_session_setnat(se, nt, np->n_type);
+	/* Determine whether any ALG matches. */
+	if (npf_alg_match(npc, nbuf, nt, di)) {
+		KASSERT(nt->nt_alg != NULL);
+	}
+
+translate:
+	/* Perform the translation. */
+	error = npf_nat_translate(npc, nbuf, nt, forw, di);
 out:
-		if (error) {
-			/* If session was for NAT only - expire it. */
-			if (nse) {
-				npf_session_expire(nse);
-			}
-			/* Will free the structure and return the port. */
-			npf_nat_expire(nt);
-		}
-		if (nse) {
-			npf_session_release(nse);
-		}
+	if (error && nse) {
+		/* It created for NAT - just expire. */
+		npf_session_expire(nse);
+	}
+	if (nse) {
+		npf_session_release(nse);
 	}
 	return error;
 }
@@ -712,7 +706,6 @@ npf_nat_gettrans(npf_nat_t *nt, npf_addr
 void
 npf_nat_getorig(npf_nat_t *nt, npf_addr_t **addr, in_port_t *port)
 {
-
 	*addr = &nt->nt_oaddr;
 	*port = nt->nt_oport;
 }
@@ -723,16 +716,15 @@ npf_nat_getorig(npf_nat_t *nt, npf_addr_
 void
 npf_nat_setalg(npf_nat_t *nt, npf_alg_t *alg, uintptr_t arg)
 {
-
 	nt->nt_alg = alg;
 	nt->nt_alg_arg = arg;
 }
 
 /*
- * npf_nat_expire: free NAT-related data structures on session expiration.
+ * npf_nat_destroy: destroy NAT structure (performed on session expiration).
  */
 void
-npf_nat_expire(npf_nat_t *nt)
+npf_nat_destroy(npf_nat_t *nt)
 {
 	npf_natpolicy_t *np = nt->nt_natpolicy;
 
@@ -741,16 +733,15 @@ npf_nat_expire(npf_nat_t *nt)
 		npf_nat_putport(np, nt->nt_tport);
 	}
 
-	/* Remove NAT entry from the list, notify any waiters if last entry. */
 	mutex_enter(&np->n_lock);
 	LIST_REMOVE(nt, nt_entry);
 	if (LIST_EMPTY(&np->n_nat_list)) {
+		/* Notify any waiters if empty. */
 		cv_broadcast(&np->n_cv);
 	}
 	atomic_dec_uint(&np->n_refcnt);
 	mutex_exit(&np->n_lock);
 
-	/* Free structure, increase the counter. */
 	pool_cache_put(nat_cache, nt);
 	npf_stats_inc(NPF_STAT_NAT_DESTROY);
 }

Index: src/sys/net/npf/npf_ruleset.c
diff -u src/sys/net/npf/npf_ruleset.c:1.29 src/sys/net/npf/npf_ruleset.c:1.30
--- src/sys/net/npf/npf_ruleset.c:1.29	Sat Nov 23 19:32:20 2013
+++ src/sys/net/npf/npf_ruleset.c	Wed Dec  4 01:38:49 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_ruleset.c,v 1.29 2013/11/23 19:32:20 rmind Exp $	*/
+/*	$NetBSD: npf_ruleset.c,v 1.30 2013/12/04 01:38:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.29 2013/11/23 19:32:20 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.30 2013/12/04 01:38:49 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -469,10 +469,8 @@ npf_ruleset_freealg(npf_ruleset_t *rlset
 }
 
 /*
- * npf_ruleset_natreload: minimum reload of NAT policies by maching
+ * npf_ruleset_natreload: minimum reload of NAT policies by matching
  * two (active and new) NAT rulesets.
- *
- * => Active ruleset should be exclusively locked.
  */
 void
 npf_ruleset_natreload(npf_ruleset_t *nrlset, npf_ruleset_t *arlset)
@@ -480,6 +478,8 @@ npf_ruleset_natreload(npf_ruleset_t *nrl
 	npf_natpolicy_t *np, *anp;
 	npf_rule_t *rl, *arl;
 
+	KASSERT(npf_config_locked_p());
+
 	/* Scan a new NAT ruleset against NAT policies in old ruleset. */
 	LIST_FOREACH(rl, &nrlset->rs_all, r_aentry) {
 		np = rl->r_natp;
@@ -629,7 +629,7 @@ npf_rule_getid(const npf_rule_t *rl)
 }
 
 npf_rproc_t *
-npf_rule_getrproc(npf_rule_t *rl)
+npf_rule_getrproc(const npf_rule_t *rl)
 {
 	npf_rproc_t *rp = rl->r_rproc;
 

Index: src/sys/net/npf/npf_session.c
diff -u src/sys/net/npf/npf_session.c:1.28 src/sys/net/npf/npf_session.c:1.29
--- src/sys/net/npf/npf_session.c:1.28	Fri Nov 22 01:24:21 2013
+++ src/sys/net/npf/npf_session.c	Wed Dec  4 01:38:49 2013
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_session.c,v 1.28 2013/11/22 01:24:21 rmind Exp $	*/
+/*	$NetBSD: npf_session.c,v 1.29 2013/12/04 01:38:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2013 The NetBSD Foundation, Inc.
@@ -92,7 +92,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.28 2013/11/22 01:24:21 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_session.c,v 1.29 2013/12/04 01:38:49 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -701,7 +701,7 @@ npf_session_destroy(npf_session_t *se)
 {
 	if (se->s_nat) {
 		/* Release any NAT related structures. */
-		npf_nat_expire(se->s_nat);
+		npf_nat_destroy(se->s_nat);
 	}
 	if (se->s_rproc) {
 		/* Release rule procedure. */
@@ -788,6 +788,7 @@ npf_session_setnat(npf_session_t *se, np
 		/* Race: mark a removed entry and explicitly expire. */
 		atomic_or_uint(&se->s_flags, SE_REMBACK | SE_EXPIRE);
 		npf_stats_inc(NPF_STAT_RACE_NAT);
+		se->s_nat = NULL;
 	}
 	rw_exit(&sh->sh_lock);
 	return ok ? 0 : EISCONN;
@@ -845,7 +846,7 @@ void
 npf_session_release(npf_session_t *se)
 {
 	KASSERT(se->s_refcnt > 0);
-	if ((se->s_flags & SE_ACTIVE) == 0) {
+	if ((se->s_flags & (SE_ACTIVE | SE_EXPIRE)) == 0) {
 		/* Activate: after this point, session is globally visible. */
 		se->s_flags |= SE_ACTIVE;
 	}

CVS commit: src/sys/net/npf

Reply via email to