History log of /freebsd-14.2/sys/netinet/libalias/alias_db.c (Results 1 – 25 of 120)
Revision tags: release/13.4.0-p5, release/13.5.0-p1, release/14.2.0-p3, release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0, release/13.4.0
# 24411802 19-Aug-2024 Eugene Grosbein <[email protected]>

libalias: fix subtle racy problem in outside-inside forwarding

sys/netinet/libalias/alias_db.c has internal static function UseLink()
that passes a link to CleanupLink() to verify if the link has expired.
If so, UseLink() may return NULL.

_FindLinkIn()'s usage of UseLink() is not quite correct.

Assume there is "redirect_port udp" configured to forward incoming
traffic for specific port to some internal address.
Such a rule creates partially specified permanent link.

After first such incoming packet libalias creates new fully specified
temporary LINK_UDP with default timeout of 60 seconds.
Also, in case of low traffic libalias may assign "timestamp"
for this new temporary link way in the past because
LibAliasTime is updated seldom and can keep old value
for tens of seconds, and it will be used for the temporary link.

It may happen that next incoming packet for redirected port
passed to _FindLinkIn() results in a call to UseLink()
that returns NULL due to detected expiration.
Immediate return of NULL results in broken translation:
either a packet is dropped (deny_incoming mode) or delivered to
original destination address instead of internal one.

Fix it with additional check for NULL to proceed with a search
for original partially specified link. In case of UDP,
it also recreates temporary fully specified link
with a call to ReLink().

Practical examples are "redirect_port udp" rules for unidirectional
SYSLOG protocol (port 514) or some low volume VPN encapsulated in UDP.

Thanks to Peter Much for initial analysis and first version of a patch.

Reported by: Peter Much <[email protected]>
PR: 269770

(cherry picked from commit 8132e959099f0c533f698d8fbc17386f9144432f)
(cherry picked from commit e5b85380836378c9e321a4e6d300591e6faf622a)


Revision tags: release/14.1.0, release/13.3.0, release/14.0.0
# 685dc743 16-Aug-2023 Warner Losh <[email protected]>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/


# 4d846d26 10-May-2023 Warner Losh <[email protected]>

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix


Revision tags: release/13.2.0, release/12.4.0, release/13.1.0, release/12.3.0
# 58080fbc 10-Jul-2021 Stefan Eßer <[email protected]>

libalias: fix divide by zero causing panic

The packet_limit can fall to 0, leading to a divide by zero abort in
the "packets % packet_limit".

A possible solution would be to apply a lower limit of 1 after the
calculation of packet_limit, but since any number modulo 1 gives 0,
the more efficient solution is to skip the modulo operation for
packet_limit <= 1.

Since this is a fix for a panic observed in stable/12, merging this
fix to stable/12 and stable/13 before expiry of the 3 day waiting
period might be justified, if it works for the reporter of the issue.

Reported by: Karl Denninger <[email protected]>
MFC after: 3 days


# 4060e77f 04-Jul-2021 Lutz Donnerhacke <[email protected]>

libalias: Remove a stray directive

Removal of a preprocessor line was missed during development.
Do it now and MFC it together with the other patches.

MFC after: 2 days


# f2845534 03-Jul-2021 Lutz Donnerhacke <[email protected]>

libalias: Fix API bug on initialization

The kernel part of ipfw(8) does initialize LibAlias unconditionally
with a zeroized port range (allowed ports from 0 to 0). During
restructuring of libalias, port ranges are used every time and are
therefore initialized with different values than zero. The secondary
initialization from ipfw (and probably others) overrides the new
default values and leaves the instance in an unfunctional state. The
obvious solution is to detect such reinitializations and use the new
default value instead.

MFC after: 3 days


# b50a4dce 02-Jul-2021 Lutz Donnerhacke <[email protected]>

libalias: Avoid uninitialized expiration

The expiration time of direct address mappings is explicitly
uninitialized. Expire times are always compared during housekeeping.
Despite the uninitialized value does not harm, it's simpler to just
set it to a reasonable default. This was detected during valgrinding
the test suite.

MFC after: 3 days


# f70c98a2 21-Jun-2021 Lutz Donnerhacke <[email protected]>

libalias: Fix compile time warning about unused functions

Compiling libalias results in warnings about unused functions.
Those warnings are caused by clang's heuristic to consider an inline
function as in use, iff the declaration is in a *.c file.
Declarations in *.h files do not emit those warnings.

Hence the declarations must be moved to an extra *.h file.

MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D30844


# d261e57d 28-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Switch to efficient data structure for incoming traffic

Current data structure is using a hash of unordered lists. Those
unordered lists are quite efficient, because the least recently
inserted entries are most likely to be used again. In order to avoid
long search times in other cases, the lists are hashed into many
buckets. Unfortunately a search for a miss needs an exhaustive
inspection and a careful definition of the hash.

Splay trees offer a similar feature: Almost O(1) for access of the
least recently used entries, and amortized O(ln(n)) for almost all
other cases. Get rid of the hash.

Now the data structure should be able to quickly react to external
packets without eating CPU cycles for breakfast, preventing a DoS.

PR: 192888
Discussed with: Dimitry Luhtionov
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30536


# 935fc93a 27-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Switch to efficient data structure for outgoing traffic

Current data structure is using a hash of unordered lists. Those
unordered lists are quite efficient, because the least recently
inserted entries are most likely to be used again. In order to avoid
long search times in other cases, the lists are hashed into many
buckets. Unfortunately a search for a miss needs an exhaustive
inspection and a careful definition of the hash.

Splay trees offer a similar feature: almost O(1) for access of the
least recently used entries, and amortized O(ln(n)) for almost all
other cases. Get rid of the hash.

Discussed with: Dimitry Luhtionov
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30516


# fe83900f 01-Jun-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Remove temporary state deleteAllLinks from global struct

The entry deleteAllLinks in the struct libalias is only used to signal
a state between internal calls. It's not used between API calls.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30604


# 9efcad61 28-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Use AliasRange instead of PORT_BASE

Get rid of PORT_BASE, replace by AliasRange. Simplify code.
Factor out the search for a new port. Improves the performance a bit.

Discussed with: Dimitry Luhtionov
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30581


# 1178dda5 27-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Table for PPTP

Let PPTP use its own data structure.
Regroup and rename other lists, which are not PPTP.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30580


# 7b44ff4c 31-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Group expire handling entries

Reorder the internal structure semantically.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30575


# 492d3b71 26-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Group incoming links

Reorder incoming links by grouping of common search terms.
Significant performance improvement for incoming (missing) flows.

Remove LSNAT from outgoing search.
Slight speedup due to fewer comparisons in the loop.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30574


# d4ab07d2 26-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Cleanup and Use for links

Factor out a common idiom to return found links.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30573


# d5419034 26-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Outgoing search

Factor out the outgoing search function.
Preparation for a new data structure.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30572


# 19dcc4f2 25-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Cleanup _FindLinkIn

Simplify program flow in function _FindLinkIn.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30571


# cac129e6 25-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Table for partially links

Separate the partially specified links into a separate data structure.

This would cause a major performance impact, if there are many of
them. Use a (smaller) hash table to speed up the partially link
access.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30570


# 32f9c2ce 25-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Separate fully qualified search

Search fully specified links first. Some performance loss due to need
to revisit the db twice, if not found.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30569


# d41044dd 25-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Restructure - Common search terms

Factor out the common Out and In filter
Slightly better performance due to eager skip of search loop

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30568


# ef828d39 25-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Promote per instance global variable timeStamp

Summary:
- Use LibAliasTime as a real global variable for central timekeeping.
- Reduce number of syscalls in user space considerably.
- Dynamically adjust the packet counters to match the second resolution.
- Only check the first few packets after a time increase for expiry.

Discussed with: hselasky
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30566


# 294799c6 15-May-2021 Lutz Donnerhacke <[email protected]>

libalias: tidy up housekeeping

Replace current expensive, but sparsely called housekeeping
by a single, repetitive action.

This is part of a larger restructure of libalias in order to switch to
more efficient data structures. The whole restructure process is
split into 15 reviews to ease reviewing. All those steps will be
squashed into a single commit for MFC in order to hide the
intermediate states from production systems.

Reviewed by: hselasky
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30277


# bec0a5dc 31-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Remove LibAliasCheckNewLink

Finally drop the function in 14-CURRENT.

Discussed with: kp
Differential Revision: https://reviews.freebsd.org/D30275


# bfd41ba1 15-May-2021 Lutz Donnerhacke <[email protected]>

libalias: Remove unused function LibAliasCheckNewLink

The functionality to detect a newly created link after processing a
single packet is decoupled from the packet processing. Every new
packet is processed asynchronously and will reset the indicator, hence
the function is unusable. I made a Google search for third party code,
which uses the function, and failed to find one.

That's why the function should be removed: It is unusable and unused.
A much simplified API/ABI will remain in anything below 14.

Discussed with: kp
Reviewed by: manpages (bcr)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30275
