CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	ae <ae@FreeBSD.org>
	Thu, 24 May 2018 11:02:21 +0000 (11:02 +0000)
committer	ae <ae@FreeBSD.org>
	Thu, 24 May 2018 11:02:21 +0000 (11:02 +0000)
commit	b8e194cd6e177beb1ef94b8004323b0a984f5004
tree	12bc90ebd0948016536789d41da489d09f3fd027	tree \| snapshot
parent	a933e7a326f122cb0beb9fdc960f6ab327bf1908	commit \| diff

MFC r333986:
  Remove check for matching the rulenum, ruleid and rule pointer from
  dyn_lookup_ipv[46]_state_locked(). These checks are remnants of not
  ready to be committed code, and they are there by accident.
  Due to the race these checks can lead to creating of duplicate states
  when concurrent threads in the same time will try to add state for two
  packets of the same flow, but in reverse directions and matched by
  different parent rules.

  Reported by: lev

MFC r334039:
  Restore the ability to keep states after parent rule deletion.

  This feature is disabled by default and was removed when dynamic states
  implementation changed to be lockless. Now it is reimplemented with small
  differences - when dyn_keep_states sysctl variable is enabled,
  dyn_match_ipv[46]_state() function doesn't match child states of deleted
  rule. And thus they are keept alive until expired. ipfw_dyn_lookup_state()
  function does check that state was not orphaned, and if so, it returns
  pointer to default_rule and its position in the rules map. The main visible
  difference is that orphaned states still have the same rule number that
  they have before parent rule deleted, because now a state has many fields
  related to rule and changing them all atomically to point to default_rule
  seems hard enough.

  Reported by: <lantw44 at gmail.com>
Approved by: re (kib)