
Oracle Solaris is porting PF...

Posted on: 2015-04-18 22:26
acheng
According to a patch feedback mail, apparently sent by an Oracle network developer to the OpenBSD tech@ mailing list, Oracle expects to ship PF as an optional firewall in Solaris 11.3, and in 12.0 PF may well be the only firewall. As a former Solaris user, I am glad to see this news.

http://permalink.gmane.org/gmane.os.openbsd.tech/41510

pfi_kif leaks for PBR rules

Hello,

While testing PBR on Solaris we found out that the pfi_kif instances
are not removed from the pfi_ifs table. We took a look at a crashdump
and saw that the pfik_route counter on those objects is still
non-zero, while all rules were gone.

Looking at the sources we can see the 'pfik_route' (PFI_KIF_REF_ROUTE)
reference is being grabbed in pfr_create_kentry():

	case PFRKE_ROUTE:
		if (ad->pfra_ifname[0])
			ke->pfrke_rkif = pfi_kif_get(ad->pfra_ifname);
		if (ke->pfrke_rkif)
			pfi_kif_ref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE);
		break;
	default:
		panic("unknown pfrke_type %d", ke->pfrke_type);
		break;

However, we have not found any matching pfi_kif_ref() command which
would remove the reference created by pfr_create_kentry(). It seems
to us that the call to

pfi_kif_unref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE)

is missing in pfr_destroy_kentry(). We created a patch against OpenBSD CURRENT.
We have no OpenBSD boxes around where we could verify our fix.

Also, for your info: IPF in Solaris is on its death row. PF in the 11.3
release will be available as an optional firewall. We hope to make PF the
default (and only) firewall in Solaris 12. You've done an excellent job;
your PF is a crystal-clear design.

Kind regards,
sasha

----------- cut here to get a patch ---------------

Index: pf_table.c
===================================================================
RCS file: /cvs/src/sys/net/pf_table.c,v
retrieving revision 1.106
diff -u -r1.106 pf_table.c
--- pf_table.c 14 Mar 2015 03:38:51 -0000 1.106
+++ pf_table.c 5 Apr 2015 09:59:58 -0000
<at> <at> -877,6 +877,17 <at> <at>
{
if (ke->pfrke_counters)
pool_put(&pfr_kcounters_pl, ke->pfrke_counters);
+
+ switch (ke->pfrke_type) {
+ case PFRKE_COST:
+ /* FALLTHROUGH */
+ case PFRKE_ROUTE:
+ if (ke->pfrke_rkif != NULL) {
+ pfi_kif_unref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE);
+ }
+ break;
+ default:
+ }
pool_put(&pfr_kentry_pl[ke->pfrke_type], ke);
}
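Review bot: the "default:" label added at the end of the new switch is followed directly by the closing brace, which is not valid C (a label must be followed by a statement), so the patch as posted will not compile; either add "break;" after "default:" or drop the default arm, since pfr_create_kentry() already panics on an unknown pfrke_type. Second, the PFRKE_COST fallthrough releases a PFI_KIF_REF_ROUTE reference for cost entries too, but the pfr_create_kentry() excerpt quoted above starts at the PFRKE_ROUTE case and shows the reference being taken only there; please confirm that PFRKE_COST entries take the same reference on creation, otherwise this unref would drive pfik_route below zero instead of balancing it. The NULL check on pfrke_rkif mirrors the "if (ke->pfrke_rkif)" guard on the creation side, which is correct, as is placing the unref before the entry is returned to its pool.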

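The reference imbalance described in the mail, as a self-contained model added here (not OpenBSD's pf code): creation takes a PFI_KIF_REF_ROUTE reference on the interface object, the original destroy path never drops it, and the patched path does. The two structs, the four-slot pfi_ifs table, the PFRKE_ROUTE value and the interface name em0 are constructed for the example.

```c
#include <string.h>
#define NKIF        4   /* size of the constructed pfi_ifs table */
#define PFRKE_ROUTE 1   /* constructed value; pf's own enum is not reproduced */

/* Simplified stand-ins for pf's interface object and table entry. */
struct pfi_kif    { char name[16]; int pfik_route; };   /* pfik_route: PFI_KIF_REF_ROUTE refs */
struct pfr_kentry { int pfrke_type; struct pfi_kif *pfrke_rkif; };
static struct pfi_kif pfi_ifs[NKIF];
/* Return the kif named 'name', creating it in the first free slot if absent. */
static struct pfi_kif *pfi_kif_get(const char *name)
{
	for (int i = 0; i < NKIF; i++) {
		if (pfi_ifs[i].name[0] == '\0')
			strncpy(pfi_ifs[i].name, name, sizeof pfi_ifs[i].name - 1);
		if (strcmp(pfi_ifs[i].name, name) == 0)
			return &pfi_ifs[i];
	}
	return NULL;
}
/* Creation side, as in pfr_create_kentry(): take the route reference. */
static void create_kentry(struct pfr_kentry *ke, const char *ifname)
{
	ke->pfrke_type = PFRKE_ROUTE;
	ke->pfrke_rkif = pfi_kif_get(ifname);
	if (ke->pfrke_rkif)
		ke->pfrke_rkif->pfik_route++;   /* pfi_kif_ref(kif, PFI_KIF_REF_ROUTE) */
}
/* Destroy side: patched == 0 is the original pfr_destroy_kentry() (no unref), 1 is the fix. */
static void destroy_kentry(struct pfr_kentry *ke, int patched)
{
	if (patched && ke->pfrke_type == PFRKE_ROUTE && ke->pfrke_rkif != NULL)
		ke->pfrke_rkif->pfik_route--;   /* pfi_kif_unref(kif, PFI_KIF_REF_ROUTE) */
	ke->pfrke_rkif = NULL;
}
/* Create/destroy 'cycles' entries on "em0", then count kifs still holding route
 * references with no entries left: the condition seen in the crashdump. */
static int leaked_kifs(int patched, int cycles)
{
	int n = 0;
	struct pfr_kentry ke;
	memset(pfi_ifs, 0, sizeof pfi_ifs);
	for (int i = 0; i < cycles; i++) {
		create_kentry(&ke, "em0");
		destroy_kentry(&ke, patched);
	}
	for (int i = 0; i < NKIF; i++)
		n += pfi_ifs[i].pfik_route != 0;
	return n;
}
```

With the unpatched destroy path, leaked_kifs(0, n) leaves one interface object with pfik_route equal to n after every entry is gone, which is the state the crashdump showed; with the patched path the count returns to zero.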