Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extra functionality added when killing states #11

Open
wants to merge 1 commit into
base: RELENG_2_4
Choose a base branch
from

Conversation

brownowski
Copy link

to be used in Bug #8555

Adds two new options into pfctl:
-M
which will attempt to find and kill a matching state in the opposite direction if it exits
-k gateway -k
which will find states set to route through a specific gateway and kill these states.

Also, gateway will be shown in state information when printing states with extra verbosity.

When used in conjunction with each other it should allow you to kill states routing out a specific gateway when it goes offline along with all matching NAT states. Only works for policy based routing rules, not where default gateway is set. Can also be used with a interface flush states to kill LAN states when a WAN goes offline.

See Bug #8555 for corresponding patches which trigger a selective state kill on gateway failover.

Code has not been used outside of limited test environment. Posting for review.

@rbgarga
Copy link
Member

rbgarga commented Oct 23, 2018

I don't like the idea of keeping more patches on src when it could be submitted to upstream but I believe the best person to decide it is @loos-br

@rbgarga rbgarga requested a review from loos-br October 23, 2018 10:45
@jim-p
Copy link
Contributor

jim-p commented Oct 23, 2018

We used to have a switch like this to kill states for a gateway (-G) several years ago but there was some reason we removed it. It may have been to get closer to FreeBSD but I also seem to recall it not working as expected in various ways. I can't find the specific commit that removed the old FreeBSD pfctl patch, however, even in the old tools repo, only when we removed it from the pfSense code base (pfsense/pfsense@ff3da5d)

@brownowski
Copy link
Author

Maybe this one is relevant? https://redmine.pfsense.org/issues/3181 (pfsense/pfsense@36fa13a)

The main problem I seemed to find when looking through some of these older tickets (there are quite a few related to this issue) was that only half the connection states are killed off. Flushing the whole state table was the solution that was selected in most cases. As it stands, policy based routing breaks UDP and ICMP during a failed primary gateway event unless all states are killed. Without killing states TCP can usually recover by timing out the connection and reconnecting from a different source port, however UDP and ICMP usually do not. When using the option to kill states, this includes killing states on all active WANs, and also any internal VLAN to VLAN traffic as well. If you happen to be in the poor situation that one of your WANs (such as your emergency third tier backup 4G connection) goes up and down sometimes, you end up killing the entire network states for a WAN failure that potentially wasn't carrying any relevant states anyway. Killing all states just wasn't an option in our scenario.

The aim of this patch is to make it so states can be killed selectively by gateway or interface but also can kill both inbound and outbound states for the connections selected.

The killing by gateway does only work for rules that have a specific gateway set, so mainly policy based routing rules. I think in rules/states using the default gateway the route-to address is blank/set to 0. With this patch, flushing states by interface will also work along with switch to kill matching inbound/outbound states to achieve a similar function.

At the very least I believe the ability to kill both inbound and outbound states when selecting states to kill makes sense and I don't really know why there would be no option to do this.

The other alternative method to patching the kernel that I looked into was to only kill UDP and ICMP states instead of flushing the entire state table, given that TCP states will generally timeout and create new connections but UDP/ICMP states will generally continue to use the same src/dst ports keeping old states alive and never fail over to the new gateway. At the time I was looking into this, killing via udp or icmp protocol was broken in the code (https://redmine.pfsense.org/issues/8636) but this should have been fixed now and might be a practical alternative to these patches to the kernel. You do need to stop the UDP ports from randomizing during NAT for this method to work best.

netgate-git-updates pushed a commit that referenced this pull request Sep 6, 2019
Add cdceem(4) driver, for virtual ethernet devices compliant
with Communication Device Class Ethernet Emulation Model (CDC EEM).
The driver supports both the device, and host side operation; there
is a new USB template (#11) for the former.

This enables communication with virtual USB NIC provided by iLO 5,
as found in new HPE Proliant servers.

Reviewed by:	hselasky
Relnotes:	yes
Sponsored by:	Hewlett Packard Enterprise
netgate-git-updates pushed a commit that referenced this pull request Oct 31, 2020
Merge commit 1ce07cd614be from llvm git (by me):

  Instantiate Error in Target::GetEntryPointAddress() only when
  necessary

  When Target::GetEntryPointAddress() calls
  exe_module->GetObjectFile()->GetEntryPointAddress(), and the returned
  entry_addr is valid, it can immediately be returned.

  However, just before that, an llvm::Error value has been setup, but
  in this case it is not consumed before returning, like is done
  further below in the function.

  In https://bugs.freebsd.org/248745 we got a bug report for this,
  where a very simple test case aborts and dumps core:

  * thread #1, name = 'testcase', stop reason = breakpoint 1.1
      frame #0: 0x00000000002018d4 testcase`main(argc=1, argv=0x00007fffffffea18) at testcase.c:3:5
     1    int main(int argc, char *argv[])
     2    {
  -> 3        return 0;
     4    }
  (lldb) p argc
  Program aborted due to an unhandled Error:
  Error value was Success. (Note: Success values must still be checked prior to being destroyed).

  Thread 1 received signal SIGABRT, Aborted.
  thr_kill () at thr_kill.S:3
  3       thr_kill.S: No such file or directory.
  (gdb) bt
  #0  thr_kill () at thr_kill.S:3
  #1  0x00000008049a0004 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
  #2  0x0000000804916229 in abort () at /usr/src/lib/libc/stdlib/abort.c:67
  #3  0x000000000451b5f5 in fatalUncheckedError () at /usr/src/contrib/llvm-project/llvm/lib/Support/Error.cpp:112
  #4  0x00000000019cf008 in GetEntryPointAddress () at /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:267
  #5  0x0000000001bccbd8 in ConstructorSetup () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:67
  #6  0x0000000001bcd2c0 in ThreadPlanCallFunction () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:114
  #7  0x00000000020076d4 in InferiorCallMmap () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/Utility/InferiorCallPOSIX.cpp:97
  #8  0x0000000001f4be33 in DoAllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/FreeBSD/ProcessFreeBSD.cpp:604
  #9  0x0000000001fe51b9 in AllocatePage () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:347
  #10 0x0000000001fe5385 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:383
  #11 0x0000000001974da2 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2301
  #12 CanJIT () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2331
  #13 0x0000000001a1bf3d in Evaluate () at /usr/src/contrib/llvm-project/lldb/source/Expression/UserExpression.cpp:190
  #14 0x00000000019ce7a2 in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Target/Target.cpp:2372
  #15 0x0000000001ad784c in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:414
  #16 0x0000000001ad86ae in DoExecute () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:646
  #17 0x0000000001a5e3ed in Execute () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandObject.cpp:1003
  #18 0x0000000001a6c4a3 in HandleCommand () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:1762
  #19 0x0000000001a6f98c in IOHandlerInputComplete () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2760
  #20 0x0000000001a90b08 in Run () at /usr/src/contrib/llvm-project/lldb/source/Core/IOHandler.cpp:548
  #21 0x00000000019a6c6a in ExecuteIOHandlers () at /usr/src/contrib/llvm-project/lldb/source/Core/Debugger.cpp:903
  #22 0x0000000001a70337 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2946
  #23 0x0000000001d9d812 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/API/SBDebugger.cpp:1169
  #24 0x0000000001918be8 in MainLoop () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:675
  #25 0x000000000191a114 in main () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:890

  Fix the incorrect error catch by only instantiating an Error object
  if it is necessary.

  Reviewed By: JDevlieghere

  Differential Revision: https://reviews.llvm.org/D86355

This should fix lldb aborting as described in the scenario above.

Reported by:	dmgk
PR:		248745
netgate-git-updates pushed a commit that referenced this pull request Oct 31, 2020
Merge commit 1ce07cd614be from llvm git (by me):

  Instantiate Error in Target::GetEntryPointAddress() only when
  necessary

  When Target::GetEntryPointAddress() calls
  exe_module->GetObjectFile()->GetEntryPointAddress(), and the returned
  entry_addr is valid, it can immediately be returned.

  However, just before that, an llvm::Error value has been setup, but
  in this case it is not consumed before returning, like is done
  further below in the function.

  In https://bugs.freebsd.org/248745 we got a bug report for this,
  where a very simple test case aborts and dumps core:

  * thread #1, name = 'testcase', stop reason = breakpoint 1.1
      frame #0: 0x00000000002018d4 testcase`main(argc=1, argv=0x00007fffffffea18) at testcase.c:3:5
     1    int main(int argc, char *argv[])
     2    {
  -> 3        return 0;
     4    }
  (lldb) p argc
  Program aborted due to an unhandled Error:
  Error value was Success. (Note: Success values must still be checked prior to being destroyed).

  Thread 1 received signal SIGABRT, Aborted.
  thr_kill () at thr_kill.S:3
  3       thr_kill.S: No such file or directory.
  (gdb) bt
  #0  thr_kill () at thr_kill.S:3
  #1  0x00000008049a0004 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
  #2  0x0000000804916229 in abort () at /usr/src/lib/libc/stdlib/abort.c:67
  #3  0x000000000451b5f5 in fatalUncheckedError () at /usr/src/contrib/llvm-project/llvm/lib/Support/Error.cpp:112
  #4  0x00000000019cf008 in GetEntryPointAddress () at /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:267
  #5  0x0000000001bccbd8 in ConstructorSetup () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:67
  #6  0x0000000001bcd2c0 in ThreadPlanCallFunction () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:114
  #7  0x00000000020076d4 in InferiorCallMmap () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/Utility/InferiorCallPOSIX.cpp:97
  #8  0x0000000001f4be33 in DoAllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/FreeBSD/ProcessFreeBSD.cpp:604
  #9  0x0000000001fe51b9 in AllocatePage () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:347
  #10 0x0000000001fe5385 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:383
  #11 0x0000000001974da2 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2301
  #12 CanJIT () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2331
  #13 0x0000000001a1bf3d in Evaluate () at /usr/src/contrib/llvm-project/lldb/source/Expression/UserExpression.cpp:190
  #14 0x00000000019ce7a2 in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Target/Target.cpp:2372
  #15 0x0000000001ad784c in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:414
  #16 0x0000000001ad86ae in DoExecute () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:646
  #17 0x0000000001a5e3ed in Execute () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandObject.cpp:1003
  #18 0x0000000001a6c4a3 in HandleCommand () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:1762
  #19 0x0000000001a6f98c in IOHandlerInputComplete () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2760
  #20 0x0000000001a90b08 in Run () at /usr/src/contrib/llvm-project/lldb/source/Core/IOHandler.cpp:548
  #21 0x00000000019a6c6a in ExecuteIOHandlers () at /usr/src/contrib/llvm-project/lldb/source/Core/Debugger.cpp:903
  #22 0x0000000001a70337 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2946
  #23 0x0000000001d9d812 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/API/SBDebugger.cpp:1169
  #24 0x0000000001918be8 in MainLoop () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:675
  #25 0x000000000191a114 in main () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:890

  Fix the incorrect error catch by only instantiating an Error object
  if it is necessary.

  Reviewed By: JDevlieghere

  Differential Revision: https://reviews.llvm.org/D86355

This should fix lldb aborting as described in the scenario above.

Reported by:	dmgk
PR:		248745
netgate-git-updates pushed a commit that referenced this pull request Dec 23, 2020
Merge commit 1ce07cd614be from llvm git (by me):

  Instantiate Error in Target::GetEntryPointAddress() only when
  necessary

  When Target::GetEntryPointAddress() calls
  exe_module->GetObjectFile()->GetEntryPointAddress(), and the returned
  entry_addr is valid, it can immediately be returned.

  However, just before that, an llvm::Error value has been setup, but
  in this case it is not consumed before returning, like is done
  further below in the function.

  In https://bugs.freebsd.org/248745 we got a bug report for this,
  where a very simple test case aborts and dumps core:

  * thread #1, name = 'testcase', stop reason = breakpoint 1.1
      frame #0: 0x00000000002018d4 testcase`main(argc=1, argv=0x00007fffffffea18) at testcase.c:3:5
     1    int main(int argc, char *argv[])
     2    {
  -> 3        return 0;
     4    }
  (lldb) p argc
  Program aborted due to an unhandled Error:
  Error value was Success. (Note: Success values must still be checked prior to being destroyed).

  Thread 1 received signal SIGABRT, Aborted.
  thr_kill () at thr_kill.S:3
  3       thr_kill.S: No such file or directory.
  (gdb) bt
  #0  thr_kill () at thr_kill.S:3
  #1  0x00000008049a0004 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
  #2  0x0000000804916229 in abort () at /usr/src/lib/libc/stdlib/abort.c:67
  #3  0x000000000451b5f5 in fatalUncheckedError () at /usr/src/contrib/llvm-project/llvm/lib/Support/Error.cpp:112
  #4  0x00000000019cf008 in GetEntryPointAddress () at /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:267
  #5  0x0000000001bccbd8 in ConstructorSetup () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:67
  #6  0x0000000001bcd2c0 in ThreadPlanCallFunction () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:114
  #7  0x00000000020076d4 in InferiorCallMmap () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/Utility/InferiorCallPOSIX.cpp:97
  #8  0x0000000001f4be33 in DoAllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/FreeBSD/ProcessFreeBSD.cpp:604
  #9  0x0000000001fe51b9 in AllocatePage () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:347
  #10 0x0000000001fe5385 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:383
  #11 0x0000000001974da2 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2301
  #12 CanJIT () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2331
  #13 0x0000000001a1bf3d in Evaluate () at /usr/src/contrib/llvm-project/lldb/source/Expression/UserExpression.cpp:190
  #14 0x00000000019ce7a2 in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Target/Target.cpp:2372
  #15 0x0000000001ad784c in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:414
  #16 0x0000000001ad86ae in DoExecute () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:646
  #17 0x0000000001a5e3ed in Execute () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandObject.cpp:1003
  #18 0x0000000001a6c4a3 in HandleCommand () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:1762
  #19 0x0000000001a6f98c in IOHandlerInputComplete () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2760
  #20 0x0000000001a90b08 in Run () at /usr/src/contrib/llvm-project/lldb/source/Core/IOHandler.cpp:548
  #21 0x00000000019a6c6a in ExecuteIOHandlers () at /usr/src/contrib/llvm-project/lldb/source/Core/Debugger.cpp:903
  #22 0x0000000001a70337 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2946
  #23 0x0000000001d9d812 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/API/SBDebugger.cpp:1169
  #24 0x0000000001918be8 in MainLoop () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:675
  #25 0x000000000191a114 in main () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:890

  Fix the incorrect error catch by only instantiating an Error object
  if it is necessary.

  Reviewed By: JDevlieghere

  Differential Revision: https://reviews.llvm.org/D86355

This should fix lldb aborting as described in the scenario above.

Reported by:	dmgk
PR:		248745
@kprovost
Copy link
Contributor

I've been pointed at this patch, and mostly like it.
I've pulled it apart into three changes:

  • print gateway
  • kill by gateway
  • kill matching states

The first two are part of the review series I've posted, starting here: https://reviews.freebsd.org/D30051 and all the way to D30059

(Please do let me know how you wish to be credited.)

The last one is problematic. It's managed to encounter the most complex part of pf's locking protocol. Each hash row has its own lock. The two states that define a connection may be in different or in the same hash row. As a result we need to be extremely careful about the order of locking. This is documented in pf_state_key_attach().
The current patch will usually work, but is vulnerable to deadlocks if two kill operations are run at the same time, and in the (unlikely) case of two states being in the same hash row it's going to double lock and deadlock against itself.
It's distinctly non-trivial to make the locking work correctly for this part of the patch. My current thinking is to put that part aside until a hypothetical locking rework at some point in the future, but I reserve the right to change my mind about that.

@brownowski
Copy link
Author

Thanks for taking a look at the patch. I don't really mind how my code is credited. Whatever would be the standard way is fine. I'm mainly happy to see that there is some interest in bringing some of the functions into the upstream code. When I posted this it was mainly as a proof of concept that I was hoping someone else more experienced in kernel coding might be able to pick up and work from.

The patch submitted here has never been used outside of a limited test environment. I remember setting up the build environment was such a pain. I never even managed to get a proper full build image that would install. I could only manage to grab the binary files for the kernel and updated pfctl utilities and manually copy them over the top of an already installed pfsense build to test them.

I do hope that the killing of matching states on inbound/outbound interfaces will eventually find its way through as well, as it was the main driver behind the patch. Initially we implemented a userspace workaround to the issue which runs in php, which we still actually use on some of our production systems where we require this functionality, despite being much clunkier and having several severe limitations. The kernel patch was created in the hope to have something better which would scale properly that could be included upstream so we didn't have to continue to maintain our own patches to test and apply during upgrades.

@kprovost
Copy link
Contributor

kprovost commented May 1, 2021

The usual approach for crediting is to either add a 'Submitted by: ...' tag, or - new in the git world - set the committer field to your name and e-mail address.
Given that I've done some work to change your patch (mostly to ensure we don't break the ABI) I'd go with a 'Submitted by:' tag, but I'd like to know the name (and optionally e-mail adres) you'd like me to use.

@brownowski
Copy link
Author

No problem. You can use 'Steven Brown' as the name.

@kprovost
Copy link
Contributor

kprovost commented May 3, 2021

It turned out that we could actually avoid the locking issue by being slightly careful about when we search for and delete the matching state: https://reviews.freebsd.org/D30092 (and test https://reviews.freebsd.org/D30093).

freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request May 7, 2021
This allows us to kill states created from a rule with route-to/reply-to
set.  This is particularly useful in multi-wan setups, where one of the
WAN links goes down.

Submitted by:	Steven Brown
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30058
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request May 7, 2021
Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by:	Steven Brown
Reviewed by:	bcr (man page)
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30092
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request May 14, 2021
This allows us to kill states created from a rule with route-to/reply-to
set.  This is particularly useful in multi-wan setups, where one of the
WAN links goes down.

Submitted by:	Steven Brown
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30058

(cherry picked from commit abbcba9)
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request May 14, 2021
Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by:	Steven Brown
Reviewed by:	bcr (man page)
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30092

(cherry picked from commit 93abcf1)
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request May 14, 2021
This allows us to kill states created from a rule with route-to/reply-to
set.  This is particularly useful in multi-wan setups, where one of the
WAN links goes down.

Submitted by:	Steven Brown
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30058

(cherry picked from commit abbcba9)
freebsd-git pushed a commit to freebsd/freebsd-src that referenced this pull request May 14, 2021
Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by:	Steven Brown
Reviewed by:	bcr (man page)
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30092

(cherry picked from commit 93abcf1)
bsdjhb pushed a commit to bsdjhb/cheribsd that referenced this pull request Dec 1, 2021
This allows us to kill states created from a rule with route-to/reply-to
set.  This is particularly useful in multi-wan setups, where one of the
WAN links goes down.

Submitted by:	Steven Brown
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30058
bsdjhb pushed a commit to bsdjhb/cheribsd that referenced this pull request Dec 1, 2021
Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.

See also https://redmine.pfsense.org/issues/8555

Submitted by:	Steven Brown
Reviewed by:	bcr (man page)
Obtained from:	pfsense/FreeBSD-src#11
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30092
netgate-git-updates pushed a commit that referenced this pull request Jun 22, 2022
Don't change the mbuf chain layout. We've encountered alignment issues
in the tcp syncookie code on armv7, which appear to result from the
m_pullup() here.

eg:
	Kernel page fault with the following non-sleepable locks held:
	exclusive sleep mutex tcp_sc_head (tcp_sc_head) r = 0 (0xdbfc4058) locked @ /usr/src/sys/netinet/tcp_syncache.c:534
	exclusive rw tcpinp (tcpinp) r = 0 (0xded8ee28) locked @ /usr/src/sys/netinet/in_pcb.c:2436
	stack backtrace:
	#0 0xc0421480 at witness_debugger+0x6c
	#1 0xc0422514 at witness_warn+0x430
	#2 0xc07d8830 at abort_handler+0x1d8
	#3 0xc07bb1cc at exception_exit+0
	#4 0xc06320bc at syncookie_lookup+0x4c
	#5 0xc0630cb0 at syncache_expand+0xc4
	#6 0xc061be00 at tcp_input+0x11b0
	#7 0xc058f8b4 at ip_input+0x264
	#8 0xc04f5ca8 at netisr_dispatch_src+0xec
	#9 0xc04d39e8 at ether_demux+0x204
	#10 0xc04d5088 at ether_nh_input+0x3e8
	#11 0xc04f5ca8 at netisr_dispatch_src+0xec
	#12 0xc04d3f10 at ether_input+0xfc
	#13 0xc07fa750 at mvneta_rxtxth_intr+0x2b4
	#14 0xc037f784 at ithread_loop+0x1cc
	#15 0xc037c4c8 at fork_exit+0xa0
	#16 0xc07bb15c at swi_exit+0
	Fatal kernel mode data abort: 'Alignment Fault' on read
	trapframe: 0xc7d28980
	FSR=00000001, FAR=dbf7886e, spsr=60000013
	r0 =00000025, r1 =00000001, r2 =c7d2894c, r3 =60000013
	r4 =c7d28a58, r5 =c7d28bc8, r6 =dbf7886a, r7 =dbfc4058
	r8 =dbfc4058, r9 =c7d28b98, r10=c7d28bfc, r11=c7d28a30
	r12=20000000, ssp=c7d28a10, slr=c06320bc, pc =c06320bc

Redmine:	8287
VuDn5 pushed a commit to VuDn5/FreeBSD-src that referenced this pull request Dec 8, 2024
Avoid calling _callout_stop_safe with a non-sleepable lock held when
detaching by initializing callout_init_rw() with CALLOUT_SHAREDLOCK.

It avoids the following WITNESS warning when stopping the service:

    # service ipfilter stop
    calling _callout_stop_safe with the following non-sleepable locks held:
    shared rw ipf filter load/unload mutex (ipf filter load/unload mutex) r = 0 (0xffff0000417c7530) locked @ /usr/src/sys/netpfil/ipfilter/netinet/fil.c:7926
    stack backtrace:
    #0 0xffff00000052d394 at witness_debugger+0x60
    pfsense#1 0xffff00000052e620 at witness_warn+0x404
    pfsense#2 0xffff0000004d4ffc at _callout_stop_safe+0x8c
    pfsense#3 0xffff0000f7236674 at ipfdetach+0x3c
    pfsense#4 0xffff0000f723fa4c at ipf_ipf_ioctl+0x788
    pfsense#5 0xffff0000f72367e0 at ipfioctl+0x144
    pfsense#6 0xffff00000034abd8 at devfs_ioctl+0x100
    pfsense#7 0xffff0000005c66a0 at vn_ioctl+0xbc
    pfsense#8 0xffff00000034b2cc at devfs_ioctl_f+0x24
    pfsense#9 0xffff0000005331ec at kern_ioctl+0x2e0
    pfsense#10 0xffff000000532eb4 at sys_ioctl+0x140
    pfsense#11 0xffff000000880480 at do_el0_sync+0x604
    pfsense#12 0xffff0000008579ac at handle_el0_sync+0x4c

PR:		282478
Suggested by:	markj
Reviewed by:	cy
Approved by:	emaste (mentor)
MFC after:	1 week
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants