cvs commit: src/sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c

Julian Elischer julian at elischer.org
Wed Apr 4 00:17:25 UTC 2007


this time, with the patch :-)


Max Laier wrote:
> On Tuesday 03 April 2007 10:16, Julian Elischer wrote:
>> julian      2007-04-03 08:16:05 UTC
>>
>>   FreeBSD src repository
>>
>>   Modified files:        (Branch: RELENG_6)
>>     sys/netinet          ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c
>>   Log:
>>   Revert one of the MFCs from Friday as it produces an
>>   unacceptable ABI change. I will re-MFC this when I have tested a
>> version that brings back the desirable changes but leaves the ABI the
>> same.
> 
> Thanks for reverting ... but why did you rush in all these MFCs?  

pressure from work.. 

anyhow one again, this time a bit slower..


As part of a move to getting RELENG_6 and HEAD closer,
here is a small partial re-MFC of ip_fw_pfil.c version 1.21.
This is mostly diff-reduction, but is a self-contained 'cleanup'
that can be extracted from the functional change in the major change
in the original diff. It obscures the actual change going on,
so I would like to commit it separately.

this isthe 'cleanup' part of: 

    ip_fw2.c 1.129
    ip_fw.h 1.105
    ip_fw_pfil.c 1.21
    ip_input.c 1.319

    " Allow ipv6 filtering to be seperately enabled. plus cleanup"


-------------- next part --------------
Index: ip_fw_pfil.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw_pfil.c,v
retrieving revision 1.19.2.3
diff -u -r1.19.2.3 ip_fw_pfil.c
--- ip_fw_pfil.c	3 Apr 2007 08:16:04 -0000	1.19.2.3
+++ ip_fw_pfil.c	4 Apr 2007 00:08:03 -0000
@@ -417,28 +417,13 @@
 ipfw_hook(void)
 {
 	struct pfil_head *pfh_inet;
-#ifdef INET6
-	struct pfil_head *pfh_inet6;
-#endif
-
-	if (ipfw_pfil_hooked)
-		return EEXIST;
 
 	pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
 	if (pfh_inet == NULL)
 		return ENOENT;
-#ifdef INET6
-	pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
-	if (pfh_inet6 == NULL)
-		return ENOENT;
-#endif
 
 	pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
 	pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
-#ifdef INET6
-	pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
-	pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
-#endif
 
 	return 0;
 }
@@ -447,31 +432,48 @@
 ipfw_unhook(void)
 {
 	struct pfil_head *pfh_inet;
-#ifdef INET6
-	struct pfil_head *pfh_inet6;
-#endif
-
-	if (!ipfw_pfil_hooked)
-		return ENOENT;
 
 	pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
 	if (pfh_inet == NULL)
 		return ENOENT;
+
+	pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
+	pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
+
+	return 0;
+}
+
 #ifdef INET6
+static int
+ipfw6_hook(void)
+{
+	struct pfil_head *pfh_inet6;
+
+	pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+	if (pfh_inet6 == NULL)
+		return ENOENT;
+
+	pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
+	pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+
+	return 0;
+}
+
+static int
+ipfw6_unhook(void)
+{
+	struct pfil_head *pfh_inet6;
+
 	pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
 	if (pfh_inet6 == NULL)
 		return ENOENT;
-#endif
 
-	pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
-	pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
-#ifdef INET6
 	pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
 	pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
-#endif
 
 	return 0;
 }
+#endif
 
 static int
 ipfw_modevent(module_t mod, int type, void *unused)
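Review bot: The new ipfw6_hook() discards the return value of both pfil_add_hook() calls and always returns 0, so a failed registration would be reported to ipfw_modevent as success and ipfw_pfil_hooked would be set while IPv6 traffic in one or both directions is not actually filtered. ipfw_hook() in the first hunk has the same pattern on its unchanged lines. A follow-up could propagate the error, e.g. `if ((err = pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6)) != 0) return err;`, and remove the inbound hook again if adding the outbound one fails. A one-line comment above each of the four helpers stating that the caller owns the ipfw_pfil_hooked check (it was removed from ipfw_hook/ipfw_unhook here) would also help.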
@@ -483,28 +485,39 @@
 		if (ipfw_pfil_hooked) {
 			printf("IP firewall already loaded\n");
 			err = EEXIST;
-		} else {
-			if ((err = ipfw_init()) != 0) {
-				printf("ipfw_init() error\n");
-				break;
-			}
-			if ((err = ipfw_hook()) != 0) {
-				printf("ipfw_hook() error\n");
-				break;
-			}
-			ipfw_pfil_hooked = 1;
+			break;
+		} 
+		if ((err = ipfw_init()) != 0) {
+			printf("ipfw_init() error\n");
+			break;
 		}
+		if ((err = ipfw_hook()) != 0) {
+			printf("ipfw_hook() error\n");
+			break;
+		}
+#ifdef INET6
+		if ((err = ipfw6_hook()) != 0) {
+			ipfw_unhook(); /* revert the ipv4 part */
+			printf("ipfw6_hook() error\n");
+			break;
+		}
+#endif
+		ipfw_pfil_hooked = 1;
 		break;
 
 	case MOD_UNLOAD:
-		if (ipfw_pfil_hooked) {
-			if ((err = ipfw_unhook()) > 0)
-				break;
-			ipfw_destroy();
-			ipfw_pfil_hooked = 0;
-		} else {
+		if (!ipfw_pfil_hooked) {
 			printf("IP firewall already unloaded\n");
+			break;
 		}
+		if ((err = ipfw_unhook()) > 0)
+			break;
+#ifdef INET6
+		if ((err = ipfw6_unhook()) > 0)
+			break;
+#endif
+		ipfw_destroy();
+		ipfw_pfil_hooked = 0;
 		break;
 
 	default:
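Review bot: In MOD_UNLOAD, if ipfw_unhook() succeeds and ipfw6_unhook() then fails, the `break` leaves the IPv4 hooks removed while ipfw_pfil_hooked is still 1, so the module stays loaded but IPv4 packets no longer pass through ipfw. The load path reverts the IPv4 part on an IPv6 failure; the unload path could mirror that with `if ((err = ipfw6_unhook()) > 0) { ipfw_hook(); break; }`, or unhook IPv6 first. Separately, in MOD_LOAD a failure of ipfw_hook() or ipfw6_hook() breaks out after ipfw_init() succeeded without calling `ipfw_destroy();`, which presumably leaves the initialised state behind for the next load attempt (ipfw_init is not visible here, so this needs confirming). ipfw_modevent begins and ends outside the hunk.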

