Add inpcb pointer to struct ipsec_ctx_data and pass it to the pfil hook

from enc_hhook().

This should solve the problem when pf is used with if_enc(4) interface,
and outbound packet with existing PCB checked by pf, and this leads to
deadlock due to pf does its own PCB lookup and tries to take rlock when
wlock is already held.

Now we pass PCB pointer if it is known to the pfil hook, this helps to
avoid extra PCB lookup and thus rlock acquiring is not needed.
For inbound packets it is safe to pass NULL, because we do not held any
PCB locks yet.

PR:		220217
MFC after:	3 weeks
Sponsored by:	Yandex LLC

2 files changed, 2 insertions, 1 deletions

diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c
index 1f3ef8f67c04..1d86a087fb82 100644
--- a/sys/net/if_enc.c
+++ b/sys/net/if_enc.c
@@ -284,7 +284,7 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, void *udata, void *ctx_data,
 	/* Make a packet looks like it was received on enc(4) */
 	rcvif = (*ctx->mp)->m_pkthdr.rcvif;
 	(*ctx->mp)->m_pkthdr.rcvif = ifp;
-	if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, NULL) != 0 ||
+	if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, ctx->inp) != 0 ||
 	    *ctx->mp == NULL) {
 		*ctx->mp = NULL; /* consumed by filter */
 		return (EACCES);
diff --git a/sys/net/if_enc.h b/sys/net/if_enc.h
index 941ed12a1b69..616c621f2162 100644
--- a/sys/net/if_enc.h
+++ b/sys/net/if_enc.h
@@ -33,6 +33,7 @@
 struct ipsec_ctx_data {
 	struct mbuf	**mp;
 	struct secasvar	*sav;
+	struct inpcb	*inp;
 	uint8_t		af;
 #define	IPSEC_ENC_BEFORE	0x01
 #define	IPSEC_ENC_AFTER		0x02