svn commit: r197988 - user/eri/pf45/head/sys/contrib/pf/net
Ermal Luçi
eri at FreeBSD.org
Mon Oct 12 16:51:48 UTC 2009
Author: eri
Date: Mon Oct 12 16:51:48 2009
New Revision: 197988
URL: http://svn.freebsd.org/changeset/base/197988
Log:
* First pass at adding virtualization to pf(4).
* The V_ naming rule is not followed, in an attempt to minimize the diff against upstream (hopefully it works).
* Fix some whitespaces around.
NOTE: The tree might not build now.
Modified:
user/eri/pf45/head/sys/contrib/pf/net/pf.c
user/eri/pf45/head/sys/contrib/pf/net/pf_if.c
user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c
user/eri/pf45/head/sys/contrib/pf/net/pf_lb.c
user/eri/pf45/head/sys/contrib/pf/net/pf_norm.c
user/eri/pf45/head/sys/contrib/pf/net/pf_osfp.c
user/eri/pf45/head/sys/contrib/pf/net/pfvar.h
Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c
==============================================================================
--- user/eri/pf45/head/sys/contrib/pf/net/pf.c Mon Oct 12 16:47:55 2009 (r197987)
+++ user/eri/pf45/head/sys/contrib/pf/net/pf.c Mon Oct 12 16:51:48 2009 (r197988)
@@ -88,20 +88,20 @@ __FBSDID("$FreeBSD$");
#include <sys/socketvar.h>
#include <sys/kernel.h>
#include <sys/time.h>
- #ifdef __FreeBSD__
- #include <sys/random.h>
- #include <sys/sysctl.h>
- #include <sys/endian.h>
- #define betoh64 be64toh
- #else
+#ifdef __FreeBSD__
+#include <sys/random.h>
+#include <sys/sysctl.h>
+#include <sys/endian.h>
+#define betoh64 be64toh
+#else
#include <sys/pool.h>
#endif
#include <sys/proc.h>
- #ifdef __FreeBSD__
- #include <sys/kthread.h>
- #include <sys/lock.h>
- #include <sys/sx.h>
- #else
+#ifdef __FreeBSD__
+#include <sys/kthread.h>
+#include <sys/lock.h>
+#include <sys/sx.h>
+#else
#include <sys/rwlock.h>
#endif
@@ -155,21 +155,21 @@ __FBSDID("$FreeBSD$");
#include <netinet/in_pcb.h>
#include <netinet/icmp6.h>
#include <netinet6/nd6.h>
- #ifdef __FreeBSD__
- #include <netinet6/ip6_var.h>
- #include <netinet6/in6_pcb.h>
- #endif
+#ifdef __FreeBSD__
+#include <netinet6/ip6_var.h>
+#include <netinet6/in6_pcb.h>
+#endif
#endif /* INET6 */
#ifdef __FreeBSD__
- #include <machine/in_cksum.h>
- #include <sys/limits.h>
- #include <sys/ucred.h>
- #include <security/mac/mac_framework.h>
+#include <machine/in_cksum.h>
+#include <sys/limits.h>
+#include <sys/ucred.h>
+#include <security/mac/mac_framework.h>
- extern int ip_optcopy(struct ip *, struct ip *);
- extern int debug_pfugidhack;
- #endif
+extern int ip_optcopy(struct ip *, struct ip *);
+extern int debug_pfugidhack;
+#endif
#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
@@ -178,6 +178,41 @@ __FBSDID("$FreeBSD$");
*/
/* state tables */
+#ifdef __FreeBSD__
+VNET_DEFINE(struct pf_state_tree, pf_statetbl);
+
+VNET_DEFINE(struct pf_altqqueue, pf_altqs[2]);
+VNET_DEFINE(struct pf_palist, pf_pabuf);
+VNET_DEFINE(struct pf_altqqueue, *pf_altqs_active);
+VNET_DEFINE(struct pf_altqqueue, *pf_altqs_inactive);
+VNET_DEFINE(struct pf_status, pf_status);
+
+VNET_DEFINE(u_int32_t, ticket_altqs_active);
+VNET_DEFINE(u_int32_t, ticket_altqs_inactive);
+VNET_DEFINE(int, altqs_inactive_open);
+VNET_DEFINE(u_int32_t, ticket_pabuf);
+
+VNET_DEFINE(MD5_CTX, pf_tcp_secret_ctx);
+VNET_DEFINE(u_char, pf_tcp_secret[16]);
+VNET_DEFINE(int, pf_tcp_secret_init);
+VNET_DEFINE(int, pf_tcp_iss_off);
+
+struct pf_anchor_stackframe {
+ struct pf_ruleset *rs;
+ struct pf_rule *r;
+ struct pf_anchor_node *parent;
+ struct pf_anchor *child;
+};
+VNET_DEFINE(struct pf_anchor_stackframe, pf_anchor_stack[64]);
+
+VNET_DEFINE(uma_zone_t, pf_src_tree_pl);
+VNET_DEFINE(uma_zone_t, pf_rule_pl);
+VNET_DEFINE(uma_zone_t, pf_pooladdr_pl);
+VNET_DEFINE(uma_zone_t, pf_state_pl);
+VNET_DEFINE(uma_zone_t, pf_state_key_pl);
+VNET_DEFINE(uma_zone_t, pf_state_item_pl);
+VNET_DEFINE(uma_zone_t, pf_altq_pl);
+#else
struct pf_state_tree pf_statetbl;
struct pf_altqqueue pf_altqs[2];
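Review bot: None of the objects VNET_DEFINE'd in this hunk gets the `#define name VNET(name)` accessor that pf_if.c and pf_ioctl.c add next to theirs, and VNET_DEFINE renames the object, so every existing unqualified use of `pf_status`, `pf_statetbl`, `pf_altqs`, the `*_pl` zones and the rest in pf.c (the DPFPRINTF macro just above is one) now refers to a symbol that no longer exists. The same gap applies to `pf_pool_limits` and the `VNET_DECLARE` of `pf_end_threads` in the hunk at -323 and to `tree_src_tracking`/`tree_id`/`state_list` in the hunk at -405. Each definition needs a following `#define pf_status VNET(pf_status)` (no trailing semicolon), or the `V_` convention the log mentions. The log already warns the tree may not build; this is the main reason it will not.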
@@ -203,11 +238,6 @@ struct pf_anchor_stackframe {
struct pf_anchor *child;
} pf_anchor_stack[64];
- #ifdef __FreeBSD__
- uma_zone_t pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl;
- uma_zone_t pf_state_pl, pf_state_key_pl, pf_state_item_pl;
-uma_zone_t pf_altq_pl;
- #else
struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl;
struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl;
struct pool pf_altq_pl;
@@ -323,12 +353,12 @@ int pf_src_connlimit(struct pf_state
int pf_check_congestion(struct ifqueue *);
#ifdef __FreeBSD__
- int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len);
+int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len);
- extern int pf_end_threads;
+VNET_DECLARE(int, pf_end_threads);
- struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
- #else
+VNET_DEFINE(struct pf_pool_limit, pf_pool_limits[PF_LIMIT_MAX]);
+#else
extern struct pool pfr_ktable_pl;
extern struct pool pfr_kentry_pl;
@@ -405,10 +435,17 @@ static __inline int pf_state_compare_key
static __inline int pf_state_compare_id(struct pf_state *,
struct pf_state *);
+#ifdef __FreeBSD__
+VNET_DEFINE(struct pf_src_tree, tree_src_tracking);
+
+VNET_DEFINE(struct pf_state_tree_id, tree_id);
+VNET_DEFINE(struct pf_state_queue, state_list);
+#else
struct pf_src_tree tree_src_tracking;
struct pf_state_tree_id tree_id;
struct pf_state_queue state_list;
+#endif
RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
RB_GENERATE(pf_state_tree, pf_state_key, entry, pf_state_compare_key);
@@ -1233,10 +1270,10 @@ pf_state_expires(const struct pf_state *
return (state->expire + timeout);
}
- #ifdef __FreeBSD__
- int
- pf_purge_expired_src_nodes(int waslocked)
- #else
+#ifdef __FreeBSD__
+int
+pf_purge_expired_src_nodes(int waslocked)
+#else
void
pf_purge_expired_src_nodes(int waslocked)
#endif
@@ -1315,7 +1352,7 @@ pf_src_tree_remove_state(struct pf_state
void
pf_unlink_state(struct pf_state *cur)
{
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
if (cur->local_flags & PFSTATE_EXPIRING)
return;
cur->local_flags |= PFSTATE_EXPIRING;
@@ -1378,10 +1415,10 @@ pf_free_state(struct pf_state *cur)
#endif
return;
#endif
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
KASSERT(cur->timeout == PFTM_UNLINKED,
("pf_free_state: cur->timeout != PFTM_UNLINKED"));
- #else
+#else
KASSERT(cur->timeout == PFTM_UNLINKED);
#endif
if (--cur->rule.ptr->states_cur <= 0 &&
@@ -1404,10 +1441,10 @@ pf_free_state(struct pf_state *cur)
pf_status.states--;
}
- #ifdef __FreeBSD__
- int
- pf_purge_expired_states(u_int32_t maxcheck, int waslocked)
- #else
+#ifdef __FreeBSD__
+int
+pf_purge_expired_states(u_int32_t maxcheck, int waslocked)
+#else
void
pf_purge_expired_states(u_int32_t maxcheck)
#endif
@@ -1947,9 +1984,9 @@ pf_modulate_sack(struct mbuf *m, int off
struct tcphdr *th, struct pf_state_peer *dst)
{
int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen;
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
u_int8_t opts[TCP_MAXOLEN], *opt = opts;
- #else
+#else
u_int8_t opts[MAX_TCPOPTLEN], *opt = opts;
#endif
int copyback = 0, i, olen;
@@ -2004,9 +2041,9 @@ pf_modulate_sack(struct mbuf *m, int off
}
void
- #ifdef __FreeBSD__
- pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
- #else
+#ifdef __FreeBSD__
+pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af,
+#else
pf_send_tcp(const struct pf_rule *r, sa_family_t af,
#endif
const struct pf_addr *saddr, const struct pf_addr *daddr,
@@ -2245,40 +2282,40 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty
struct pf_rule *r)
{
struct mbuf *m0;
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
struct ip *ip;
struct pf_mtag *pf_mtag;
- #endif
+#endif
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
m0 = m_copypacket(m, M_DONTWAIT);
if (m0 == NULL)
return;
- #else
+#else
if ((m0 = m_copy(m, 0, M_COPYALL)) == NULL)
return;
#endif
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
if ((pf_mtag = pf_get_mtag(m0)) == NULL)
return;
/* XXX: revisit */
m0->m_flags |= M_SKIP_FIREWALL;
- #else
+#else
m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
#endif
if (r->rtableid >= 0)
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
{
M_SETFIB(m0, r->rtableid);
pf_mtag->rtableid = r->rtableid;
- #else
+#else
m0->m_pkthdr.pf.rtableid = r->rtableid;
- #endif
- #ifdef __FreeBSD__
+#endif
+#ifdef __FreeBSD__
}
- #endif
+#endif
#ifdef ALTQ
if (r->qid) {
@@ -2297,7 +2334,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty
switch (af) {
#ifdef INET
case AF_INET:
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
/* icmp_error() expects host byte ordering */
ip = mtod(m0, struct ip *);
NTOHS(ip->ip_len);
@@ -2305,20 +2342,20 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty
PF_UNLOCK();
icmp_error(m0, type, code, 0, 0);
PF_LOCK();
- #else
+#else
icmp_error(m0, type, code, 0, 0);
#endif
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
PF_UNLOCK();
- #endif
+#endif
icmp6_error(m0, type, code, 0);
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
PF_LOCK();
- #endif
+#endif
break;
#endif /* INET6 */
}
@@ -2639,17 +2676,17 @@ pf_addr_inc(struct pf_addr *addr, sa_fam
#endif /* INET6 */
int
- #ifdef __FreeBSD__
- pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg)
- #else
+#ifdef __FreeBSD__
+pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg)
+#else
pf_socket_lookup(int direction, struct pf_pdesc *pd)
#endif
{
struct pf_addr *saddr, *daddr;
u_int16_t sport, dport;
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
struct inpcbinfo *pi;
- #else
+#else
struct inpcbtable *tb;
#endif
struct inpcb *inp;
@@ -2763,11 +2800,11 @@ pf_socket_lookup(int direction, struct p
default:
return (-1);
}
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
pd->lookup.uid = inp->inp_cred->cr_uid;
pd->lookup.gid = inp->inp_cred->cr_groups[0];
INP_INFO_RUNLOCK(pi);
- #else
+#else
pd->lookup.uid = inp->inp_socket->so_euid;
pd->lookup.gid = inp->inp_socket->so_egid;
pd->lookup.pid = inp->inp_socket->so_cpid;
Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_if.c
==============================================================================
--- user/eri/pf45/head/sys/contrib/pf/net/pf_if.c Mon Oct 12 16:47:55 2009 (r197987)
+++ user/eri/pf45/head/sys/contrib/pf/net/pf_if.c Mon Oct 12 16:51:48 2009 (r197988)
@@ -32,37 +32,37 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
- #if defined(__FreeBSD__)
- #include "opt_inet.h"
- #include "opt_inet6.h"
+#if defined(__FreeBSD__)
+#include "opt_inet.h"
+#include "opt_inet6.h"
- #include <sys/cdefs.h>
+#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
- #endif
+#endif
#include <sys/param.h>
#include <sys/systm.h>
- #ifdef __FreeBSD__
- #include <sys/malloc.h>
- #endif
+#ifdef __FreeBSD__
+#include <sys/malloc.h>
+#endif
#include <sys/mbuf.h>
#include <sys/filio.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/kernel.h>
- #ifndef __FreeBSD__
+#ifndef __FreeBSD__
#include <sys/device.h>
#endif
#include <sys/time.h>
- #ifndef __FreeBSD__
+#ifndef __FreeBSD__
#include <sys/pool.h>
#endif
#include <net/if.h>
#include <net/if_types.h>
- #ifdef __FreeBSD__
- #include <net/vnet.h>
- #endif
+#ifdef __FreeBSD__
+#include <net/vnet.h>
+#endif
#include <netinet/in.h>
#include <netinet/in_var.h>
@@ -76,25 +76,36 @@ __FBSDID("$FreeBSD$");
#include <netinet/ip6.h>
#endif /* INET6 */
+#ifdef __FreeBSD__
+VNET_DEFINE(struct pfi_kif, *pfi_all);
+VNET_DEFINE(uma_zone_t, pfi_addr_pl);
+VNET_DEFINE(struct pfi_ifhead, pfi_ifs);
+#define pfi_ifs VNET(pfi_ifs)
+VNET_DEFINE(long, pfi_update);
+#define pfi_update VNET(pfi_update)
+VNET_DEFINE(struct pfr_addr, *pfi_buffer);
+#define pfi_buffer VNET(pfi_buffer)
+VNET_DEFINE(int, pfi_buffer_cnt);
+#define pfi_buffer_cnt VNET(pfi_buffer_cnt)
+VNET_DEFINE(int, pfi_buffer_max);
+#define pfi_buffer_max VNET(pfi_buffer_max)
+#else
struct pfi_kif *pfi_all = NULL;
- #ifdef __FreeBSD__
- uma_zone_t pfi_addr_pl;
- #else
struct pool pfi_addr_pl;
-#endif
struct pfi_ifhead pfi_ifs;
long pfi_update = 1;
struct pfr_addr *pfi_buffer;
int pfi_buffer_cnt;
int pfi_buffer_max;
- #ifdef __FreeBSD__
- eventhandler_tag pfi_attach_cookie = NULL;
- eventhandler_tag pfi_detach_cookie = NULL;
- eventhandler_tag pfi_attach_group_cookie = NULL;
- eventhandler_tag pfi_change_group_cookie = NULL;
- eventhandler_tag pfi_detach_group_cookie = NULL;
- eventhandler_tag pfi_ifaddr_event_cookie = NULL;
- #endif
+#endif
+#ifdef __FreeBSD__
+VNET_DEFINE(eventhandler_tag, pfi_attach_cookie);
+VNET_DEFINE(eventhandler_tag, pfi_detach_cookie);
+VNET_DEFINE(eventhandler_tag, pfi_attach_group_cookie);
+VNET_DEFINE(eventhandler_tag, pfi_change_group_cookie);
+VNET_DEFINE(eventhandler_tag, pfi_detach_group_cookie);
+VNET_DEFINE(eventhandler_tag, pfi_ifaddr_event_cookie);
+#endif
void pfi_kif_update(struct pfi_kif *);
void pfi_dynaddr_update(struct pfi_dynaddr *dyn);
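Review bot: `VNET_DEFINE(long, pfi_update);` loses the `= 1` initializer the removed `long pfi_update = 1;` had, so each vnet's copy now starts at 0; if any caller compares a cached generation value against it, the first update round behaves differently, so keep the value with `VNET_DEFINE(long, pfi_update) = 1;`. Within the same block `pfi_all` and `pfi_addr_pl` are the only two definitions that do not get a `#define name VNET(name)` accessor, so the bare names used elsewhere in the file will not resolve; add `#define pfi_all VNET(pfi_all)` and `#define pfi_addr_pl VNET(pfi_addr_pl)` like their siblings. The eventhandler_tag cookies below also lack accessors, though whether registration is meant to be per-vnet is not clear from this hunk.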
@@ -106,15 +117,15 @@ void pfi_address_add(struct sockaddr *
int pfi_if_compare(struct pfi_kif *, struct pfi_kif *);
int pfi_skip_if(const char *, struct pfi_kif *);
int pfi_unmask(void *);
- #ifdef __FreeBSD__
- void pfi_attach_ifnet_event(void * __unused, struct ifnet *);
- void pfi_detach_ifnet_event(void * __unused, struct ifnet *);
- void pfi_attach_group_event(void * __unused, struct ifg_group *);
- void pfi_change_group_event(void * __unused, char *);
- void pfi_detach_group_event(void * __unused, struct ifg_group *);
- void pfi_ifaddr_event(void * __unused, struct ifnet *);
+#ifdef __FreeBSD__
+void pfi_attach_ifnet_event(void * __unused, struct ifnet *);
+void pfi_detach_ifnet_event(void * __unused, struct ifnet *);
+void pfi_attach_group_event(void * __unused, struct ifg_group *);
+void pfi_change_group_event(void * __unused, char *);
+void pfi_detach_group_event(void * __unused, struct ifg_group *);
+void pfi_ifaddr_event(void * __unused, struct ifnet *);
- #endif
+#endif
RB_PROTOTYPE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare);
Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c
==============================================================================
--- user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Mon Oct 12 16:47:55 2009 (r197987)
+++ user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Mon Oct 12 16:51:48 2009 (r197988)
@@ -176,24 +176,41 @@ int pf_addr_setup(struct pf_ruleset *
struct pf_addr_wrap *, sa_family_t);
void pf_addr_copyout(struct pf_addr_wrap *);
-struct pf_rule pf_default_rule;
+#define TAGID_MAX 50000
#ifdef __FreeBSD__
-struct sx pf_consistency_lock;
-SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock, "pf_statetbl_lock");
-#else
-struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk");
+VNET_DEFINE(struct pf_rule, pf_default_rule);
+#define pf_default_rule VNET(pf_default_rule);
+VNET_DEFINE(struct sx, pf_consistency_lock);
+#define pf_consistency_lock VNET(pf_consistency_lock);
+SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock,
+ "pf_statetbl_lock");
+#ifdef ALTQ
+static VNET_DEFINE(int, pf_altq_running);
+#define pf_altq_running VNET(pf_altq_running)
#endif
+
+TAILQ_HEAD(pf_tags, pf_tagname);
+
+VNET_DEFINE(struct pf_tags, pf_tags);
+#define pf_tags VNET(pf_tags)
+VNET_DEFINE(struct pf_tags, pf_qids);
+#define pf_qids VNET(pf_qids);
+
+#else /* !__FreeBSD__ */
+struct pf_rule pf_default_rule;
+struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk");
#ifdef ALTQ
-static int pf_altq_running;
+static int pf_altq_running;
#endif
-#define TAGID_MAX 50000
TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags),
pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids);
+#endif /* __FreeBSD__ */
#if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
#error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
#endif
+
u_int16_t tagname2tag(struct pf_tags *, char *);
void tag2tagname(struct pf_tags *, u_int16_t, char *);
void tag_unref(struct pf_tags *, u_int16_t);
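Review bot: The accessor macros for `pf_default_rule`, `pf_consistency_lock` and `pf_qids` end in a semicolon, so `pf_default_rule.timeout` in pfattach expands to `VNET(pf_default_rule);.timeout` and the `&pf_consistency_lock` argument of the SX_SYSINIT right below becomes `&VNET(pf_consistency_lock);`; drop the `;` from all three, e.g. `#define pf_default_rule VNET(pf_default_rule)`. `#define pf_tags VNET(pf_tags)` also rewrites the struct tag of the same name, so `struct pf_tags *` in the tagname2tag/tag2tagname/tag_unref prototypes just below no longer parses; either rename the per-vnet variable or give the `TAILQ_HEAD` a different tag. Separately, SX_SYSINIT runs once at boot and initialises only the base vnet's copy of a VNET_DEFINE'd lock, so the consistency lock of every other vnet would be taken uninitialised; if the lock is meant to be per-vnet it needs a VNET_SYSINIT handler calling sx_init, otherwise keep it a plain global as before.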
@@ -204,120 +221,116 @@ void pf_rtlabel_copyout(struct pf_add
#define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x
#ifdef __FreeBSD__
- static struct cdev *pf_dev;
-
- /*
- * XXX - These are new and need to be checked when moveing to a new version
- */
- static void pf_clear_states(void);
- static int pf_clear_tables(void);
- static void pf_clear_srcnodes(void);
- /*
- * XXX - These are new and need to be checked when moveing to a new version
- */
-
- /*
- * Wrapper functions for pfil(9) hooks
- */
- static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
- static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
- #ifdef INET6
- static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
- static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
- #endif
-
- static int hook_pf(void);
- static int dehook_pf(void);
- static int shutdown_pf(void);
- static int pf_load(void);
- static int pf_unload(void);
-
-static struct cdevsw pf_cdevsw = {
- .d_ioctl = pfioctl,
- .d_name = PF_NAME,
- .d_version = D_VERSION,
- };
-
- static volatile int pf_pfil_hooked = 0;
- int pf_end_threads = 0;
- struct mtx pf_task_mtx;
- #ifdef __FreeBSD__
- /* pfsync */
- pfsync_state_import_t *pfsync_state_import_ptr = NULL;
- pfsync_insert_state_t *pfsync_insert_state_ptr = NULL;
- pfsync_update_state_t *pfsync_update_state_ptr = NULL;
- pfsync_delete_state_t *pfsync_delete_state_ptr = NULL;
- pfsync_clear_states_t *pfsync_clear_states_ptr = NULL;
- pfsync_state_in_use_t *pfsync_state_in_use_ptr = NULL;
- pfsync_defer_t *pfsync_defer_ptr = NULL;
- pfsync_up_t *pfsync_up_ptr = NULL;
- /* pflow */
- export_pflow_t *export_pflow_ptr = NULL;
- #if NPFLOG >0
- pflog_packet_t *pflog_packet_ptr = NULL;
- #endif
- #else
- pflog_packet_t *pflog_packet_ptr = NULL;
- #endif
-
- int debug_pfugidhack = 0;
- SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0,
- "Enable/disable pf user/group rules mpsafe hack");
-
- void
- init_pf_mutex(void)
- {
- mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF);
- }
+static VNET_DEFINE(struct cdev, *pf_dev);
- void
- destroy_pf_mutex(void)
- {
- mtx_destroy(&pf_task_mtx);
- }
- void
- init_zone_var(void)
- {
- pf_src_tree_pl = pf_rule_pl = NULL;
- pf_state_pl = pf_state_key_pl = pf_state_item_pl = NULL;
+/*
+ * XXX - These are new and need to be checked when moveing to a new version
+ */
+static void pf_clear_states(void);
+static int pf_clear_tables(void);
+static void pf_clear_srcnodes(void);
+/*
+ * XXX - These are new and need to be checked when moveing to a new version
+ */
+
+/*
+ * Wrapper functions for pfil(9) hooks
+ */
+static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
+ int dir, struct inpcb *inp);
+static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
+ int dir, struct inpcb *inp);
+#ifdef INET6
+static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
+ int dir, struct inpcb *inp);
+static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
+ int dir, struct inpcb *inp);
+#endif
+
+static int hook_pf(void);
+static int dehook_pf(void);
+static int shutdown_pf(void);
+static int pf_load(void);
+static int pf_unload(void);
+
+static VNET_DEFINE(struct cdevsw, pf_cdevsw);
+#define pf_cdevsw VNET(pf_cdevsw)
+
+static volatile VNET_DEFINE(int, pf_pfil_hooked);
+#define pf_pfil_hooked VNET(pf_pfil_hooked)
+VNET_DEFINE(int, pf_end_threads);
+#define pf_end_threads VNET(pf_end_threads)
+struct mtx pf_task_mtx;
+
+/* pfsync */
+VNET_DEFINE(pfsync_state_import_t, *pfsync_state_import_ptr);
+VNET_DEFINE(pfsync_insert_state_t, *pfsync_insert_state_ptr);
+VNET_DEFINE(pfsync_update_state_t, *pfsync_update_state_ptr);
+VNET_DEFINE(pfsync_delete_state_t, *pfsync_delete_state_ptr);
+VNET_DEFINE(pfsync_clear_states_t, *pfsync_clear_states_ptr);
+VNET_DEFINE(pfsync_state_in_use_t, *pfsync_state_in_use_ptr);
+VNET_DEFINE(pfsync_defer_t, *pfsync_defer_ptr);
+VNET_DEFINE(pfsync_up_t, *pfsync_up_ptr);
+/* pflow */
+VNET_DEFINE(export_pflow_t, *export_pflow_ptr);
+/* pflog */
+VNET_DEFINE(pflog_packet_t, *pflog_packet_ptr);
+
+VNET_DEFINE(int, debug_pfugidhack);
+SYSCTL_VNET_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW,
+ &debug_pfugidhack, 0,
+ "Enable/disable pf user/group rules mpsafe hack");
+
+void
+init_pf_mutex(void)
+{
+ mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF);
+}
+
+void
+destroy_pf_mutex(void)
+{
+ mtx_destroy(&pf_task_mtx);
+}
+void
+init_zone_var(void)
+{
+ pf_src_tree_pl = pf_rule_pl = NULL;
+ pf_state_pl = pf_state_key_pl = pf_state_item_pl = NULL;
pf_altq_pl = pf_pooladdr_pl = NULL;
- pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL;
- pf_state_scrub_pl = NULL;
- pfr_ktable_pl = pfr_kentry_pl = NULL;
- }
-
- void
- cleanup_pf_zone(void)
- {
- UMA_DESTROY(pf_src_tree_pl);
- UMA_DESTROY(pf_rule_pl);
- UMA_DESTROY(pf_state_pl);
- UMA_DESTROY(pf_state_key_pl);
- UMA_DESTROY(pf_state_item_pl);
- UMA_DESTROY(pf_altq_pl);
- UMA_DESTROY(pf_pooladdr_pl);
- UMA_DESTROY(pf_frent_pl);
- UMA_DESTROY(pf_frag_pl);
- UMA_DESTROY(pf_cache_pl);
- UMA_DESTROY(pf_cent_pl);
- UMA_DESTROY(pfr_ktable_pl);
- UMA_DESTROY(pfr_kentry_pl);
- UMA_DESTROY(pf_state_scrub_pl);
- UMA_DESTROY(pfi_addr_pl);
- }
+ pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL;
+ pf_state_scrub_pl = NULL;
+ pfr_ktable_pl = pfr_kentry_pl = NULL;
+}
+
+void
+cleanup_pf_zone(void)
+{
+ UMA_DESTROY(pf_src_tree_pl);
+ UMA_DESTROY(pf_rule_pl);
+ UMA_DESTROY(pf_state_pl);
+ UMA_DESTROY(pf_state_key_pl);
+ UMA_DESTROY(pf_state_item_pl);
+ UMA_DESTROY(pf_altq_pl);
+ UMA_DESTROY(pf_pooladdr_pl);
+ UMA_DESTROY(pf_frent_pl);
+ UMA_DESTROY(pf_frag_pl);
+ UMA_DESTROY(pf_cache_pl);
+ UMA_DESTROY(pf_cent_pl);
+ UMA_DESTROY(pfr_ktable_pl);
+ UMA_DESTROY(pfr_kentry_pl);
+ UMA_DESTROY(pf_state_scrub_pl);
+ UMA_DESTROY(pfi_addr_pl);
+}
int
- pfattach(void)
- {
- u_int32_t *my_timeout = pf_default_rule.timeout;
- int error = 1;
-
+pfattach(void)
+{
+ u_int32_t *my_timeout = pf_default_rule.timeout;
+ int error = 1;
+
do {
- UMA_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl");
+ UMA_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl");
UMA_CREATE(pf_rule_pl, struct pf_rule, "pfrulepl");
UMA_CREATE(pf_state_pl, struct pf_state, "pfstatepl");
UMA_CREATE(pf_state_key_pl, struct pf_state, "pfstatekeypl");
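Review bot: `static VNET_DEFINE(struct cdevsw, pf_cdevsw);` drops the designated initializer the removed declaration had (`.d_ioctl = pfioctl`, `.d_name = PF_NAME`, `.d_version = D_VERSION`), so whatever registers the device with `pf_cdevsw` outside this hunk now gets a zeroed switch with no ioctl entry and a zero d_version; a cdevsw is a static table rather than per-vnet state, so keep `static struct cdevsw pf_cdevsw = { .d_ioctl = pfioctl, .d_name = PF_NAME, .d_version = D_VERSION };` as it was, and the same doubt applies to making `pf_dev` per-vnet. `SYSCTL_VNET_INT` takes the per-vnet object as `&VNET_NAME(debug_pfugidhack)`, not `&debug_pfugidhack`, and no accessor macro is defined for it here while pf.c still carries `extern int debug_pfugidhack;`, which should become `VNET_DECLARE(int, debug_pfugidhack)` plus `#define debug_pfugidhack VNET(debug_pfugidhack)`. The `#if NPFLOG > 0` guard that used to surround `pflog_packet_ptr` is gone; if that is intentional it deserves a word in the log. The `UMA_CREATE` lines at the end of the hunk reference zones that pf.c now VNET_DEFINEs without accessors, so they will not resolve until that is fixed.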
@@ -410,9 +423,9 @@ int
if (kproc_create(pf_purge_thread, NULL, NULL, 0, 0, "pfpurge"))
return (ENXIO);
- return (error);
- }
- #else /* !__FreeBSD__ */
+ return (error);
+}
+#else /* !__FreeBSD__ */
void
pfattach(int num)
@@ -3463,7 +3476,7 @@ fail:
return (error);
}
- #ifdef __FreeBSD__
+#ifdef __FreeBSD__
void
pfsync_state_export(struct pfsync_state *sp, struct pf_state *st)
{
@@ -3525,34 +3538,34 @@ pfsync_state_export(struct pfsync_state
}
- /*
- * XXX - Check for version missmatch!!!
- */
- static void
- pf_clear_states(void)
- {
+/*
+ * XXX - Check for version missmatch!!!
+ */
+static void
+pf_clear_states(void)
+{
struct pf_state *state;
RB_FOREACH(state, pf_state_tree_id, &tree_id) {
state->timeout = PFTM_PURGE;
- #if NPFSYNC
+#if NPFSYNC
/* don't send out individual delete messages */
state->sync_state = PFSTATE_NOSYNC;
- #endif
+#endif
pf_unlink_state(state);
}
#if 0 /* NPFSYNC */
- /*
- * XXX This is called on module unload, we do not want to sync that over? */
- */
- pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
- #endif
- }
+/*
+ * XXX This is called on module unload, we do not want to sync that over? */
+ */
+ pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
+#endif
+}
- static int
- pf_clear_tables(void)
- {
+static int
+pf_clear_tables(void)
+{
struct pfioc_table io;
int error;
@@ -3562,11 +3575,11 @@ pfsync_state_export(struct pfsync_state
io.pfrio_flags);
return (error);
- }
+}
- static void
- pf_clear_srcnodes(void)
- {
+static void
+pf_clear_srcnodes(void)
+{
struct pf_src_node *n;
struct pf_state *state;
@@ -3578,17 +3591,17 @@ pfsync_state_export(struct pfsync_state
n->expire = 1;
n->states = 0;
}
- }
- /*
- * XXX - Check for version missmatch!!!
- */
-
- /*
- * Duplicate pfctl -Fa operation to get rid of as much as we can.
- */
- static int
- shutdown_pf(void)
- {
+}
+/*
+ * XXX - Check for version missmatch!!!
+ */
+
+/*
+ * Duplicate pfctl -Fa operation to get rid of as much as we can.
+ */
+static int
+shutdown_pf(void)
+{
int error = 0;
u_int32_t t[5];
char nn = '\0';
@@ -3631,13 +3644,13 @@ pfsync_state_export(struct pfsync_state
if ((error = pf_clear_tables()) != 0)
break;
- #ifdef ALTQ
+#ifdef ALTQ
if ((error = pf_begin_altq(&t[0])) != 0) {
DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n"));
break;
}
pf_commit_altq(t[0]);
- #endif
+#endif
pf_clear_states();
@@ -3648,12 +3661,13 @@ pfsync_state_export(struct pfsync_state
} while(0);
return (error);
- }
+}
- static int
- pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
- struct inpcb *inp)
- {
+#ifdef INET
+static int
+pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+ struct inpcb *inp)
+{
/*
* XXX Wed Jul 9 22:03:16 2003 UTC
* OpenBSD has changed its byte ordering convention on ip_len/ip_off
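Review bot: The new `#ifdef INET` around pf_check_in (closed by the `#endif` added after pf_check_out in the hunk at -3724) leaves the pf_check_in/pf_check_out prototypes earlier in the file unguarded, unlike the pf_check6_* prototypes which already sit under `#ifdef INET6`; a kernel built without INET would then see two static functions declared but never defined. Wrap those two prototypes in the same `#ifdef INET` / `#endif` pair. The body of pf_check_in continues past the end of this hunk.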
@@ -3683,12 +3697,12 @@ pfsync_state_export(struct pfsync_state
NTOHS(h->ip_off);
}
return chk;
- }
+}
- static int
- pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
- struct inpcb *inp)
- {
+static int
+pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+ struct inpcb *inp)
+{
/*
* XXX Wed Jul 9 22:03:16 2003 UTC
* OpenBSD has changed its byte ordering convention on ip_len/ip_off
@@ -3724,12 +3738,13 @@ pfsync_state_export(struct pfsync_state
}
return chk;
}
+#endif
- #ifdef INET6
- static int
- pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
- struct inpcb *inp)
- {
+#ifdef INET6
+static int
+pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+ struct inpcb *inp)
+{
/*
* IPv6 is not affected by ip_len/ip_off byte order changes.
@@ -3748,12 +3763,12 @@ pfsync_state_export(struct pfsync_state
*m = NULL;
}
return chk;
- }
+}
- static int
- pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
- struct inpcb *inp)
- {
+static int
+pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+ struct inpcb *inp)
+{
/*
* IPv6 does not affected ip_len/ip_off byte order changes.
*/
@@ -3770,28 +3785,32 @@ pfsync_state_export(struct pfsync_state
*m = NULL;
}
return chk;
- }
- #endif /* INET6 */
+}
+#endif /* INET6 */
- static int
- hook_pf(void)
- {
+static int
+hook_pf(void)
+{
+#ifdef INET
struct pfil_head *pfh_inet;
- #ifdef INET6
+#endif
+#ifdef INET6
struct pfil_head *pfh_inet6;
- #endif
+#endif
PF_ASSERT(MA_NOTOWNED);
if (pf_pfil_hooked)
return (0);
+#ifdef INET
pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***