git: 326f189d5b0e - stable/13 - pf: PFRULE_REFS should not be user-visible

Kristof Provost kp at FreeBSD.org
Fri May 7 15:25:58 UTC 2021


The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=326f189d5b0e8d4feaf147a2d5340f0391e90fc9

commit 326f189d5b0e8d4feaf147a2d5340f0391e90fc9
Author:     Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-04-15 11:38:56 +0000
Commit:     Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-05-07 08:15:43 +0000

    pf: PFRULE_REFS should not be user-visible
    
    Split the PFRULE_REFS flag out of the rule_flag field into a separate,
    kernel-only rule_ref field. PFRULE_REFS is a kernel-internal flag and
    should not be exposed to or read from userspace.
    
    MFC after:      4 weeks
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D29778
    
    (cherry picked from commit 4f1f67e88853ac9e3c2d8897cf6dab6cfda8d16e)
---
 sys/net/pfvar.h           |  1 +
 sys/netpfil/pf/pf.c       | 12 ++++++------
 sys/netpfil/pf/pf_ioctl.c |  2 +-
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 0ca46bb8048a..a6510560bb0e 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -377,6 +377,7 @@ struct pf_krule {
 	struct pf_rule_gid	 gid;
 
 	u_int32_t		 rule_flag;
+	uint32_t		 rule_ref;
 	u_int8_t		 action;
 	u_int8_t		 direction;
 	u_int8_t		 log;
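Review bot: The new `rule_ref` field carries no comment saying it is kernel-internal, which is the whole reason the commit introduces it; a one-line note would stop a future copy-out helper from exporting it, e.g. `uint32_t rule_ref; /* kernel-only: holds PFRULE_REFS; never copied to/from userspace */`. It is also spelled `uint32_t` next to the `u_int32_t`/`u_int8_t` of its neighbours — harmless, but worth matching whichever spelling the file is converging on. The diff does not show where a pf_krule is allocated, so I cannot confirm rule_ref starts zeroed; if that allocation is not M_ZERO, the purge path would read an uninitialized mark bit. struct pf_krule begins and ends outside this hunk.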
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index ca8adeba52c3..20c3d160188f 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -1641,7 +1641,7 @@ pf_purge_expired_src_nodes()
 			pf_unlink_src_node(cur);
 			LIST_INSERT_HEAD(&freelist, cur, entry);
 		} else if (cur->rule.ptr != NULL)
-			cur->rule.ptr->rule_flag |= PFRULE_REFS;
+			cur->rule.ptr->rule_ref |= PFRULE_REFS;
 	    PF_HASHROW_UNLOCK(sh);
 	}
 
@@ -1783,11 +1783,11 @@ relock:
 					    pf_unlink_state(s, PF_ENTER_LOCKED);
 					goto relock;
 				}
-				s->rule.ptr->rule_flag |= PFRULE_REFS;
+				s->rule.ptr->rule_ref |= PFRULE_REFS;
 				if (s->nat_rule.ptr != NULL)
-					s->nat_rule.ptr->rule_flag |= PFRULE_REFS;
+					s->nat_rule.ptr->rule_ref |= PFRULE_REFS;
 				if (s->anchor.ptr != NULL)
-					s->anchor.ptr->rule_flag |= PFRULE_REFS;
+					s->anchor.ptr->rule_ref |= PFRULE_REFS;
 				s->kif->pfik_flags |= PFI_IFLAG_REFS;
 				if (s->rt_kif)
 					s->rt_kif->pfik_flags |= PFI_IFLAG_REFS;
@@ -1839,11 +1839,11 @@ pf_purge_unlinked_rules()
 	TAILQ_INIT(&tmpq);
 	PF_UNLNKDRULES_LOCK();
 	TAILQ_FOREACH_SAFE(r, &V_pf_unlinked_rules, entries, r1) {
-		if (!(r->rule_flag & PFRULE_REFS)) {
+		if (!(r->rule_ref & PFRULE_REFS)) {
 			TAILQ_REMOVE(&V_pf_unlinked_rules, r, entries);
 			TAILQ_INSERT_TAIL(&tmpq, r, entries);
 		} else
-			r->rule_flag &= ~PFRULE_REFS;
+			r->rule_ref &= ~PFRULE_REFS;
 	}
 	PF_UNLNKDRULES_UNLOCK();
 
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index e6ab3ab5e91f..522f6a6a8f54 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -426,7 +426,7 @@ pf_unlink_rule(struct pf_krulequeue *rulequeue, struct pf_krule *rule)
 	TAILQ_REMOVE(rulequeue, rule, entries);
 
 	PF_UNLNKDRULES_LOCK();
-	rule->rule_flag |= PFRULE_REFS;
+	rule->rule_ref |= PFRULE_REFS;
 	TAILQ_INSERT_TAIL(&V_pf_unlinked_rules, rule, entries);
 	PF_UNLNKDRULES_UNLOCK();
 }
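Review bot: Only the kernel-side write moves to rule_ref here; the rule copy-in path is not in this diff, so if rule_flag is still taken verbatim from userspace a stale PFRULE_REFS bit from an older pfctl can still land in the kernel rule's rule_flag. It is inert now that the purge code consults rule_ref alone, but masking it at the copy-in boundary with `rule->rule_flag &= ~PFRULE_REFS;` would finish the separation the commit describes. pf_unlink_rule() begins before this hunk.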

