cvs commit: src/sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c
ip_input.c
Julian Elischer
julian at elischer.org
Wed Apr 4 00:17:25 UTC 2007
this time, with the patch :-)
Max Laier wrote:
> On Tuesday 03 April 2007 10:16, Julian Elischer wrote:
>> julian 2007-04-03 08:16:05 UTC
>>
>> FreeBSD src repository
>>
>> Modified files: (Branch: RELENG_6)
>> sys/netinet ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c
>> Log:
>> Revert one of the MFCs from Friday as it produces an
>> unacceptable ABI change. I will re-MFC this when I have tested a
>> version that brings back the desirable changes but leaves the ABI the
>> same.
>
> Thanks for reverting ... but why did you rush in all these MFCs?
pressure from work..
anyhow once again, this time a bit slower..
As part of a move to getting RELENG_6 and HEAD closer,
here is a small partial re-MFC of ip_fw_pfil.c version 1.21
This is mostly diff-reduction, but is a self contained 'cleanup'
that can be extracted from the functional change in the major change
in the original diff. it obscures the actual change going on
so I would like to commit it separately.
this is the 'cleanup' part of:
ip_fw2.c 1.129
ip_fw.h 1.105
ip_fw_pfil.c 1.21
ip_input.c 1.319
" Allow ipv6 filtering to be seperately enabled. plus cleanup"
-------------- next part --------------
Index: ip_fw_pfil.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw_pfil.c,v
retrieving revision 1.19.2.3
diff -u -r1.19.2.3 ip_fw_pfil.c
--- ip_fw_pfil.c 3 Apr 2007 08:16:04 -0000 1.19.2.3
+++ ip_fw_pfil.c 4 Apr 2007 00:08:03 -0000
@@ -417,28 +417,13 @@
ipfw_hook(void)
{
struct pfil_head *pfh_inet;
-#ifdef INET6
- struct pfil_head *pfh_inet6;
-#endif
-
- if (ipfw_pfil_hooked)
- return EEXIST;
pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
if (pfh_inet == NULL)
return ENOENT;
-#ifdef INET6
- pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
- if (pfh_inet6 == NULL)
- return ENOENT;
-#endif
pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
-#ifdef INET6
- pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
- pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
-#endif
return 0;
}
@@ -447,31 +432,48 @@
ipfw_unhook(void)
{
struct pfil_head *pfh_inet;
-#ifdef INET6
- struct pfil_head *pfh_inet6;
-#endif
-
- if (!ipfw_pfil_hooked)
- return ENOENT;
pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
if (pfh_inet == NULL)
return ENOENT;
+
+ pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
+ pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
+
+ return 0;
+}
+
#ifdef INET6
+static int
+ipfw6_hook(void)
+{
+ struct pfil_head *pfh_inet6;
+
+ pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+ if (pfh_inet6 == NULL)
+ return ENOENT;
+
+ pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
+ pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+
+ return 0;
+}
+
+static int
+ipfw6_unhook(void)
+{
+ struct pfil_head *pfh_inet6;
+
pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
if (pfh_inet6 == NULL)
return ENOENT;
-#endif
- pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
- pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
-#ifdef INET6
pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
-#endif
return 0;
}
+#endif
static int
ipfw_modevent(module_t mod, int type, void *unused)
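Review bot: The two `pfil_add_hook()` calls in the new `ipfw6_hook()` discard their return values, so the function returns 0 even when only one direction, or neither, was registered. `ipfw_modevent()` then sets `ipfw_pfil_hooked = 1`, and the firewall reports itself loaded while IPv6 traffic in the unregistered direction passes unfiltered. `ipfw_hook()` in the first hunk has the same pattern for IPv4. Assuming `pfil_add_hook()` reports failure through its int return value, check each call and remove the inbound hook when the outbound one fails, as sketched below.

```c
static int
ipfw6_hook(void)
{
	/* … unchanged: pfh_inet6 declaration, pfil_head_get() lookup, ENOENT return … */
	int err;

	err = pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
	if (err != 0)
		return err;
	err = pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
	if (err != 0) {
		/* never leave a single direction hooked and report success */
		pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
		return err;
	}

	return 0;
}
```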
@@ -483,28 +485,39 @@
if (ipfw_pfil_hooked) {
printf("IP firewall already loaded\n");
err = EEXIST;
- } else {
- if ((err = ipfw_init()) != 0) {
- printf("ipfw_init() error\n");
- break;
- }
- if ((err = ipfw_hook()) != 0) {
- printf("ipfw_hook() error\n");
- break;
- }
- ipfw_pfil_hooked = 1;
+ break;
+ }
+ if ((err = ipfw_init()) != 0) {
+ printf("ipfw_init() error\n");
+ break;
}
+ if ((err = ipfw_hook()) != 0) {
+ printf("ipfw_hook() error\n");
+ break;
+ }
+#ifdef INET6
+ if ((err = ipfw6_hook()) != 0) {
+ ipfw_unhook(); /* revert the ipv4 part */
+ printf("ipfw6_hook() error\n");
+ break;
+ }
+#endif
+ ipfw_pfil_hooked = 1;
break;
case MOD_UNLOAD:
- if (ipfw_pfil_hooked) {
- if ((err = ipfw_unhook()) > 0)
- break;
- ipfw_destroy();
- ipfw_pfil_hooked = 0;
- } else {
+ if (!ipfw_pfil_hooked) {
printf("IP firewall already unloaded\n");
+ break;
}
+ if ((err = ipfw_unhook()) > 0)
+ break;
+#ifdef INET6
+ if ((err = ipfw6_unhook()) > 0)
+ break;
+#endif
+ ipfw_destroy();
+ ipfw_pfil_hooked = 0;
break;
default:
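Review bot: In the MOD_UNLOAD path, a failure from `ipfw6_unhook()` breaks out after `ipfw_unhook()` has already removed the IPv4 hooks, leaving `ipfw_pfil_hooked` at 1 while IPv4 is no longer filtered. MOD_LOAD rolls back the IPv4 side when `ipfw6_hook()` fails, and unload should be symmetric, e.g. `if ((err = ipfw6_unhook()) > 0) { ipfw_hook(); break; }`, or at least print the partial state. The load error paths also leave whatever `ipfw_init()` set up in place without calling `ipfw_destroy()`; whether a later load retry tolerates that depends on `ipfw_init()`, which is not visible here. The switch statement starts before the hunk and continues past `default:`.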