git: caf32b260ad4 - main - pfil: add pfil_mem_{in,out}() and retire pfil_run_hooks()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 14 Feb 2023 18:03:59 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=caf32b260ad46b17a4c1a8ce6383e37ac489f023
commit caf32b260ad46b17a4c1a8ce6383e37ac489f023
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2023-02-14 18:02:49 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2023-02-14 18:02:49 +0000
pfil: add pfil_mem_{in,out}() and retire pfil_run_hooks()
The 0b70e3e78b0 changed the original design of a single entry point
into pfil(9) chains providing separate functions for the filtering
points that always provide mbufs and know the direction of a flow.
The motivation was to reduce branching. The logical continuation
would be to do the same for the filtering points that always provide
a memory pointer and retire the single entry point.
o Hooks now provide two functions: one for mbufs and optional for
memory pointers.
o pfil_hook_args() has a new member and pfil_add_hook() has a
requirement to zero out uninitialized data. Bump PFIL_VERSION.
o As it was before, a hook function for a memory pointer may realloc
into an mbuf. Such mbuf would be returned via a pointer that must
be provided in argument.
o The only hook that supports memory pointers is ipfw:default-link.
It is rewritten to provide two functions.
o All remaining uses of pfil_run_hooks() are converted to
pfil_mem_in().
o Transparent union of pfil_packet_t and tricks to fix pointer
alignment are retired. Internal pfil_realloc() reduces down to
m_devget() and thus is retired, too.
Reviewed by: mjg, ocochard
Differential revision: https://reviews.freebsd.org/D37977
---
sys/dev/cxgbe/t4_sge.c | 4 +-
sys/dev/mlx5/mlx5_en/mlx5_en_rx.c | 6 +-
sys/net/iflib.c | 5 +-
sys/net/pfil.c | 122 +++++++++---------
sys/net/pfil.h | 51 +++-----
sys/netinet/siftr.c | 26 ++--
sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c | 30 ++---
sys/netpfil/ipfw/ip_fw_pfil.c | 171 ++++++++++++++++----------
sys/netpfil/pf/pf_ioctl.c | 44 ++++---
9 files changed, 233 insertions(+), 226 deletions(-)
diff --git a/sys/dev/cxgbe/t4_sge.c b/sys/dev/cxgbe/t4_sge.c
index 8dbb9e1fe93a..88a7f44cadb7 100644
--- a/sys/dev/cxgbe/t4_sge.c
+++ b/sys/dev/cxgbe/t4_sge.c
@@ -1998,8 +1998,7 @@ eth_rx(struct adapter *sc, struct sge_rxq *rxq, const struct iq_desc *d,
sc->params.sge.fl_pktshift;
frame = sd->cl + fl->rx_offset + sc->params.sge.fl_pktshift;
CURVNET_SET_QUIET(ifp->if_vnet);
- rc = pfil_run_hooks(vi->pfil, frame, ifp,
- slen | PFIL_MEMPTR | PFIL_IN, NULL);
+ rc = pfil_mem_in(vi->pfil, frame, slen, ifp, &m0);
CURVNET_RESTORE();
if (rc == PFIL_DROPPED || rc == PFIL_CONSUMED) {
skip_fl_payload(sc, fl, plen);
@@ -2007,7 +2006,6 @@ eth_rx(struct adapter *sc, struct sge_rxq *rxq, const struct iq_desc *d,
}
if (rc == PFIL_REALLOCED) {
skip_fl_payload(sc, fl, plen);
- m0 = pfil_mem2mbuf(frame);
goto have_mbuf;
}
}
diff --git a/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c b/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c
index f6caddfdf933..4b1fb25e0f82 100644
--- a/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c
+++ b/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c
@@ -536,9 +536,8 @@ mlx5e_poll_rx_cq(struct mlx5e_rq *rq, int budget)
}
if (pfil != NULL && PFIL_HOOKED_IN(pfil)) {
seglen = MIN(byte_cnt, MLX5E_MAX_RX_BYTES);
- rv = pfil_run_hooks(rq->channel->priv->pfil,
- rq->mbuf[wqe_counter].data, rq->ifp,
- seglen | PFIL_MEMPTR | PFIL_IN, NULL);
+ rv = pfil_mem_in(rq->channel->priv->pfil,
+ rq->mbuf[wqe_counter].data, seglen, rq->ifp, &mb);
switch (rv) {
case PFIL_DROPPED:
@@ -556,7 +555,6 @@ mlx5e_poll_rx_cq(struct mlx5e_rq *rq, int budget)
* and receive the new mbuf allocated
* by the Filter
*/
- mb = pfil_mem2mbuf(rq->mbuf[wqe_counter].data);
goto rx_common;
default:
/*
diff --git a/sys/net/iflib.c b/sys/net/iflib.c
index 0a500f8e2810..39f3ccea4317 100644
--- a/sys/net/iflib.c
+++ b/sys/net/iflib.c
@@ -2732,8 +2732,7 @@ rxd_frag_to_sd(iflib_rxq_t rxq, if_rxd_frag_t irf, bool unload, if_rxsd_t sd,
payload = *sd->ifsd_cl;
payload += ri->iri_pad;
len = ri->iri_len - ri->iri_pad;
- *pf_rv = pfil_run_hooks(rxq->pfil, payload, ri->iri_ifp,
- len | PFIL_MEMPTR | PFIL_IN, NULL);
+ *pf_rv = pfil_mem_in(rxq->pfil, payload, len, ri->iri_ifp, &m);
switch (*pf_rv) {
case PFIL_DROPPED:
case PFIL_CONSUMED:
@@ -2746,8 +2745,8 @@ rxd_frag_to_sd(iflib_rxq_t rxq, if_rxd_frag_t irf, bool unload, if_rxsd_t sd,
case PFIL_REALLOCED:
/*
* The filter copied it. Everything is recycled.
+ * 'm' points at new mbuf.
*/
- m = pfil_mem2mbuf(payload);
unload = 0;
break;
case PFIL_PASS:
diff --git a/sys/net/pfil.c b/sys/net/pfil.c
index b68fbe8db5c5..e6f3ff8c1269 100644
--- a/sys/net/pfil.c
+++ b/sys/net/pfil.c
@@ -70,7 +70,8 @@ MTX_SYSINIT(pfil_mtxinit, &pfil_lock, "pfil(9) lock", MTX_DEF);
#define PFIL_LOCK_ASSERT() mtx_assert(&pfil_lock, MA_OWNED)
struct pfil_hook {
- pfil_func_t hook_func;
+ pfil_mbuf_chk_t hook_mbuf_chk;
+ pfil_mem_chk_t hook_mem_chk;
void *hook_ruleset;
int hook_flags;
int hook_links;
@@ -82,7 +83,8 @@ struct pfil_hook {
struct pfil_link {
CK_STAILQ_ENTRY(pfil_link) link_chain;
- pfil_func_t link_func;
+ pfil_mbuf_chk_t link_mbuf_chk;
+ pfil_mem_chk_t link_mem_chk;
void *link_ruleset;
int link_flags;
struct pfil_hook *link_hook;
@@ -114,92 +116,86 @@ VNET_DEFINE_STATIC(struct pfilhookhead, pfil_hook_list) =
static struct pfil_link *pfil_link_remove(pfil_chain_t *, pfil_hook_t );
static void pfil_link_free(epoch_context_t);
-int
-pfil_realloc(pfil_packet_t *p, int flags, struct ifnet *ifp)
-{
- struct mbuf *m;
-
- MPASS(flags & PFIL_MEMPTR);
-
- if ((m = m_devget(p->mem, PFIL_LENGTH(flags), 0, ifp, NULL)) == NULL)
- return (ENOMEM);
- *p = pfil_packet_align(*p);
- *p->m = m;
-
- return (0);
-}
-
+/*
+ * To couple a filtering point that provides memory pointer with a filter that
+ * works on mbufs only.
+ */
static __noinline int
-pfil_fake_mbuf(pfil_func_t func, pfil_packet_t *p, struct ifnet *ifp, int flags,
- void *ruleset, struct inpcb *inp)
+pfil_fake_mbuf(pfil_mbuf_chk_t func, void *mem, u_int len, struct ifnet *ifp,
+ int flags, void *ruleset, struct mbuf **mp)
{
- struct mbuf m, *mp;
+ struct mbuf m;
pfil_return_t rv;
(void)m_init(&m, M_NOWAIT, MT_DATA, M_NOFREE | M_PKTHDR);
- m_extadd(&m, p->mem, PFIL_LENGTH(flags), NULL, NULL, NULL, 0,
- EXT_RXRING);
- m.m_len = m.m_pkthdr.len = PFIL_LENGTH(flags);
- mp = &m;
- flags &= ~(PFIL_MEMPTR | PFIL_LENMASK);
-
- rv = func(&mp, ifp, flags, ruleset, inp);
- if (rv == PFIL_PASS && mp != &m) {
+ m_extadd(&m, mem, len, NULL, NULL, NULL, 0, EXT_RXRING);
+ m.m_len = m.m_pkthdr.len = len;
+ *mp = &m;
+
+ rv = func(mp, ifp, flags, ruleset, NULL);
+ if (rv == PFIL_PASS && *mp != &m) {
/*
* Firewalls that need pfil_fake_mbuf() most likely don't
* know they need return PFIL_REALLOCED.
*/
rv = PFIL_REALLOCED;
- *p = pfil_packet_align(*p);
- *p->m = mp;
}
return (rv);
}
-/*
- * pfil_run_hooks() runs the specified packet filter hook chain.
- */
-int
-pfil_run_hooks(struct pfil_head *head, pfil_packet_t p, struct ifnet *ifp,
- int flags, struct inpcb *inp)
+static __always_inline int
+pfil_mem_common(pfil_chain_t *pch, void *mem, u_int len, int flags,
+ struct ifnet *ifp, struct mbuf **m)
{
- pfil_chain_t *pch;
struct pfil_link *link;
pfil_return_t rv;
bool realloc = false;
NET_EPOCH_ASSERT();
-
- if (PFIL_DIR(flags) == PFIL_IN)
- pch = &head->head_in;
- else if (__predict_true(PFIL_DIR(flags) == PFIL_OUT))
- pch = &head->head_out;
- else
- panic("%s: bogus flags %d", __func__, flags);
+ KASSERT(flags == PFIL_IN || flags == PFIL_OUT,
+ ("%s: unsupported flags %d", __func__, flags));
rv = PFIL_PASS;
CK_STAILQ_FOREACH(link, pch, link_chain) {
- if ((flags & PFIL_MEMPTR) && !(link->link_flags & PFIL_MEMPTR))
- rv = pfil_fake_mbuf(link->link_func, &p, ifp, flags,
- link->link_ruleset, inp);
+ if (__predict_true(link->link_mem_chk != NULL && !realloc))
+ rv = link->link_mem_chk(mem, len, flags, ifp,
+ link->link_ruleset, m);
+ else if (!realloc)
+ rv = pfil_fake_mbuf(link->link_mbuf_chk, mem, len, ifp,
+ flags, link->link_ruleset, m);
else
- rv = (*link->link_func)(p, ifp, flags,
- link->link_ruleset, inp);
+ rv = link->link_mbuf_chk(m, ifp, flags,
+ link->link_ruleset, NULL);
+
if (rv == PFIL_DROPPED || rv == PFIL_CONSUMED)
break;
- else if (rv == PFIL_REALLOCED) {
- flags &= ~(PFIL_MEMPTR | PFIL_LENMASK);
+ else if (rv == PFIL_REALLOCED)
realloc = true;
- }
}
if (realloc && rv == PFIL_PASS)
rv = PFIL_REALLOCED;
return (rv);
}
+int
+pfil_mem_in(struct pfil_head *head, void *mem, u_int len, struct ifnet *ifp,
+ struct mbuf **m)
+{
+
+ return (pfil_mem_common(&head->head_in, mem, len, PFIL_IN, ifp, m));
+}
+
+int
+pfil_mem_out(struct pfil_head *head, void *mem, u_int len, struct ifnet *ifp,
+ struct mbuf **m)
+{
+
+ return (pfil_mem_common(&head->head_out, mem, len, PFIL_OUT, ifp, m));
+}
+
static __always_inline int
-pfil_mbuf_common(pfil_chain_t *pch, pfil_packet_t p, struct ifnet *ifp,
+pfil_mbuf_common(pfil_chain_t *pch, struct mbuf **m, struct ifnet *ifp,
int flags, struct inpcb *inp)
{
struct pfil_link *link;
@@ -211,7 +207,8 @@ pfil_mbuf_common(pfil_chain_t *pch, pfil_packet_t p, struct ifnet *ifp,
rv = PFIL_PASS;
CK_STAILQ_FOREACH(link, pch, link_chain) {
- rv = (*link->link_func)(p, ifp, flags, link->link_ruleset, inp);
+ rv = link->link_mbuf_chk(m, ifp, flags, link->link_ruleset,
+ inp);
if (rv == PFIL_DROPPED || rv == PFIL_CONSUMED)
break;
}
@@ -219,19 +216,19 @@ pfil_mbuf_common(pfil_chain_t *pch, pfil_packet_t p, struct ifnet *ifp,
}
int
-pfil_mbuf_in(struct pfil_head *head, pfil_packet_t p, struct ifnet *ifp,
+pfil_mbuf_in(struct pfil_head *head, struct mbuf **m, struct ifnet *ifp,
struct inpcb *inp)
{
- return (pfil_mbuf_common(&head->head_in, p, ifp, PFIL_IN, inp));
+ return (pfil_mbuf_common(&head->head_in, m, ifp, PFIL_IN, inp));
}
int
-pfil_mbuf_out(struct pfil_head *head, pfil_packet_t p, struct ifnet *ifp,
+pfil_mbuf_out(struct pfil_head *head, struct mbuf **m, struct ifnet *ifp,
struct inpcb *inp)
{
- return (pfil_mbuf_common(&head->head_out, p, ifp, PFIL_OUT, inp));
+ return (pfil_mbuf_common(&head->head_out, m, ifp, PFIL_OUT, inp));
}
/*
@@ -298,7 +295,8 @@ pfil_add_hook(struct pfil_hook_args *pa)
MPASS(pa->pa_version == PFIL_VERSION);
hook = malloc(sizeof(struct pfil_hook), M_PFIL, M_WAITOK | M_ZERO);
- hook->hook_func = pa->pa_func;
+ hook->hook_mbuf_chk = pa->pa_mbuf_chk;
+ hook->hook_mem_chk = pa->pa_mem_chk;
hook->hook_ruleset = pa->pa_ruleset;
hook->hook_flags = pa->pa_flags;
hook->hook_type = pa->pa_type;
@@ -416,7 +414,8 @@ pfil_link(struct pfil_link_args *pa)
if (pa->pa_flags & PFIL_IN) {
in->link_hook = hook;
- in->link_func = hook->hook_func;
+ in->link_mbuf_chk = hook->hook_mbuf_chk;
+ in->link_mem_chk = hook->hook_mem_chk;
in->link_flags = hook->hook_flags;
in->link_ruleset = hook->hook_ruleset;
if (pa->pa_flags & PFIL_APPEND)
@@ -428,7 +427,8 @@ pfil_link(struct pfil_link_args *pa)
}
if (pa->pa_flags & PFIL_OUT) {
out->link_hook = hook;
- out->link_func = hook->hook_func;
+ out->link_mbuf_chk = hook->hook_mbuf_chk;
+ out->link_mem_chk = hook->hook_mem_chk;
out->link_flags = hook->hook_flags;
out->link_ruleset = hook->hook_ruleset;
if (pa->pa_flags & PFIL_APPEND)
diff --git a/sys/net/pfil.h b/sys/net/pfil.h
index d5e9eadd8b8c..b99ec6896266 100644
--- a/sys/net/pfil.h
+++ b/sys/net/pfil.h
@@ -82,41 +82,16 @@ struct pfilioc_link {
#define PFIL_OUT 0x00020000
/* UNUSED 0x00040000 */
#define PFIL_DIR(f) ((f) & (PFIL_IN|PFIL_OUT))
-#define PFIL_MEMPTR 0x00080000
#define PFIL_HEADPTR 0x00100000
#define PFIL_HOOKPTR 0x00200000
#define PFIL_APPEND 0x00400000
#define PFIL_UNLINK 0x00800000
-#define PFIL_LENMASK 0x0000ffff
-#define PFIL_LENGTH(f) ((f) & PFIL_LENMASK)
#ifdef _KERNEL
struct mbuf;
struct ifnet;
struct inpcb;
-typedef union {
- struct mbuf **m;
- void *mem;
- uintptr_t __ui;
-} pfil_packet_t __attribute__((__transparent_union__));
-
-static inline pfil_packet_t
-pfil_packet_align(pfil_packet_t p)
-{
-
- return ((pfil_packet_t ) (((uintptr_t)(p).mem +
- (_Alignof(void *) - 1)) & - _Alignof(void *)));
-}
-
-static inline struct mbuf *
-pfil_mem2mbuf(void *v)
-{
-
- return (*(struct mbuf **) (((uintptr_t)(v) +
- (_Alignof(void *) - 1)) & - _Alignof(void *)));
-}
-
typedef enum {
PFIL_PASS = 0,
PFIL_DROPPED,
@@ -124,8 +99,11 @@ typedef enum {
PFIL_REALLOCED,
} pfil_return_t;
-typedef pfil_return_t (*pfil_func_t)(pfil_packet_t, struct ifnet *, int,
+typedef pfil_return_t (*pfil_mbuf_chk_t)(struct mbuf **, struct ifnet *, int,
void *, struct inpcb *);
+typedef pfil_return_t (*pfil_mem_chk_t)(void *, u_int, int, struct ifnet *,
+ void *, struct mbuf **);
+
/*
* A pfil head is created by a packet intercept point.
*
@@ -142,14 +120,15 @@ typedef struct pfil_head * pfil_head_t;
/*
* Give us a chance to modify pfil_xxx_args structures in future.
*/
-#define PFIL_VERSION 1
+#define PFIL_VERSION 2
/* Argument structure used by packet filters to register themselves. */
struct pfil_hook_args {
int pa_version;
int pa_flags;
enum pfil_types pa_type;
- pfil_func_t pa_func;
+ pfil_mbuf_chk_t pa_mbuf_chk;
+ pfil_mem_chk_t pa_mem_chk;
void *pa_ruleset;
const char *pa_modname;
const char *pa_rulname;
@@ -192,12 +171,15 @@ pfil_head_t pfil_head_register(struct pfil_head_args *);
void pfil_head_unregister(pfil_head_t);
/* Public functions to run the packet inspection by inspection points. */
-int pfil_run_hooks(struct pfil_head *, pfil_packet_t, struct ifnet *, int,
+int pfil_mem_in(struct pfil_head *, void *, u_int, struct ifnet *,
+ struct mbuf **);
+int pfil_mem_out(struct pfil_head *, void *, u_int, struct ifnet *,
+ struct mbuf **);
+int pfil_mbuf_in(struct pfil_head *, struct mbuf **, struct ifnet *,
struct inpcb *inp);
-int pfil_mbuf_in(struct pfil_head *, pfil_packet_t, struct ifnet *,
- struct inpcb *inp);
-int pfil_mbuf_out(struct pfil_head *, pfil_packet_t, struct ifnet *,
+int pfil_mbuf_out(struct pfil_head *, struct mbuf **, struct ifnet *,
struct inpcb *inp);
+
/*
* Minimally exposed structure to avoid function call in case of absence
* of any filters by protocols and macros to do the check.
@@ -209,10 +191,5 @@ struct _pfil_head {
#define PFIL_HOOKED_IN(p) (((struct _pfil_head *)(p))->head_nhooksin > 0)
#define PFIL_HOOKED_OUT(p) (((struct _pfil_head *)(p))->head_nhooksout > 0)
-/*
- * Alloc mbuf to be used instead of memory pointer.
- */
-int pfil_realloc(pfil_packet_t *, int, struct ifnet *);
-
#endif /* _KERNEL */
#endif /* _NET_PFIL_H_ */
diff --git a/sys/netinet/siftr.c b/sys/netinet/siftr.c
index e21d15212979..7861031b724b 100644
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@@ -1139,18 +1139,16 @@ VNET_DEFINE_STATIC(pfil_hook_t, siftr_inet6_hook);
static int
siftr_pfil(int action)
{
- struct pfil_hook_args pha;
- struct pfil_link_args pla;
-
- pha.pa_version = PFIL_VERSION;
- pha.pa_flags = PFIL_IN | PFIL_OUT;
- pha.pa_modname = "siftr";
- pha.pa_ruleset = NULL;
- pha.pa_rulname = "default";
-
- pla.pa_version = PFIL_VERSION;
- pla.pa_flags = PFIL_IN | PFIL_OUT |
- PFIL_HEADPTR | PFIL_HOOKPTR;
+ struct pfil_hook_args pha = {
+ .pa_version = PFIL_VERSION,
+ .pa_flags = PFIL_IN | PFIL_OUT,
+ .pa_modname = "siftr",
+ .pa_rulname = "default",
+ };
+ struct pfil_link_args pla = {
+ .pa_version = PFIL_VERSION,
+ .pa_flags = PFIL_IN | PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR,
+ };
VNET_ITERATOR_DECL(vnet_iter);
@@ -1159,14 +1157,14 @@ siftr_pfil(int action)
CURVNET_SET(vnet_iter);
if (action == HOOK) {
- pha.pa_func = siftr_chkpkt;
+ pha.pa_mbuf_chk = siftr_chkpkt;
pha.pa_type = PFIL_TYPE_IP4;
V_siftr_inet_hook = pfil_add_hook(&pha);
pla.pa_hook = V_siftr_inet_hook;
pla.pa_head = V_inet_pfil_head;
(void)pfil_link(&pla);
#ifdef SIFTR_IPV6
- pha.pa_func = siftr_chkpkt6;
+ pha.pa_mbuf_chk = siftr_chkpkt6;
pha.pa_type = PFIL_TYPE_IP6;
V_siftr_inet6_hook = pfil_add_hook(&pha);
pla.pa_hook = V_siftr_inet6_hook;
diff --git a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
index 95c8b73e6388..1822d19fbb4c 100644
--- a/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
+++ b/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c
@@ -1311,31 +1311,31 @@ int ipf_pfil_unhook(void) {
}
int ipf_pfil_hook(void) {
- struct pfil_hook_args pha;
- struct pfil_link_args pla;
int error, error6;
- pha.pa_version = PFIL_VERSION;
- pha.pa_flags = PFIL_IN | PFIL_OUT;
- pha.pa_modname = "ipfilter";
- pha.pa_rulname = "default-ip4";
- pha.pa_func = ipf_check_wrapper;
- pha.pa_ruleset = NULL;
- pha.pa_type = PFIL_TYPE_IP4;
+ struct pfil_hook_args pha = {
+ .pa_version = PFIL_VERSION,
+ .pa_flags = PFIL_IN | PFIL_OUT,
+ .pa_modname = "ipfilter",
+ .pa_rulname = "default-ip4",
+ .pa_mbuf_chk = ipf_check_wrapper,
+ .pa_type = PFIL_TYPE_IP4,
+ };
V_ipf_inet_hook = pfil_add_hook(&pha);
#ifdef USE_INET6
pha.pa_rulname = "default-ip6";
- pha.pa_func = ipf_check_wrapper6;
+ pha.pa_mbuf_chk = ipf_check_wrapper6;
pha.pa_type = PFIL_TYPE_IP6;
V_ipf_inet6_hook = pfil_add_hook(&pha);
#endif
- pla.pa_version = PFIL_VERSION;
- pla.pa_flags = PFIL_IN | PFIL_OUT |
- PFIL_HEADPTR | PFIL_HOOKPTR;
- pla.pa_head = V_inet_pfil_head;
- pla.pa_hook = V_ipf_inet_hook;
+ struct pfil_link_args pla = {
+ .pa_version = PFIL_VERSION,
+ .pa_flags = PFIL_IN | PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR,
+ .pa_head = V_inet_pfil_head,
+ .pa_hook = V_ipf_inet_hook,
+ };
error = pfil_link(&pla);
error6 = 0;
diff --git a/sys/netpfil/ipfw/ip_fw_pfil.c b/sys/netpfil/ipfw/ip_fw_pfil.c
index 29ae06ba7713..ec46c077d8bb 100644
--- a/sys/netpfil/ipfw/ip_fw_pfil.c
+++ b/sys/netpfil/ipfw/ip_fw_pfil.c
@@ -327,52 +327,104 @@ again:
}
/*
- * ipfw processing for ethernet packets (in and out).
+ * ipfw processing for ethernet packets (in and out), mbuf version.
*/
static pfil_return_t
-ipfw_check_frame(pfil_packet_t p, struct ifnet *ifp, int flags,
+ipfw_check_frame_mbuf(struct mbuf **m0, struct ifnet *ifp, const int flags,
void *ruleset __unused, struct inpcb *inp)
{
- struct ip_fw_args args;
+ struct ip_fw_args args = {
+ .flags = IPFW_ARGS_ETHER |
+ ((flags & PFIL_IN) ? IPFW_ARGS_IN : IPFW_ARGS_OUT),
+ .ifp = ifp,
+ .inp = inp,
+ };
+ struct m_tag *mtag;
pfil_return_t ret;
- bool mem, realloc;
int ipfw;
- if (flags & PFIL_MEMPTR) {
- mem = true;
- realloc = false;
- args.flags = PFIL_LENGTH(flags) | IPFW_ARGS_ETHER;
- args.mem = p.mem;
- } else {
- mem = realloc = false;
- args.flags = IPFW_ARGS_ETHER;
+again:
+ /*
+ * Fetch start point from rule, if any.
+ * Remove the tag if present.
+ */
+ mtag = m_tag_locate(*m0, MTAG_IPFW_RULE, 0, NULL);
+ if (mtag != NULL) {
+ args.rule = *((struct ipfw_rule_ref *)(mtag+1));
+ m_tag_delete(*m0, mtag);
+ if (args.rule.info & IPFW_ONEPASS)
+ return (PFIL_PASS);
+ args.flags |= IPFW_ARGS_REF;
}
- args.flags |= (flags & PFIL_IN) ? IPFW_ARGS_IN : IPFW_ARGS_OUT;
- args.ifp = ifp;
- args.inp = inp;
+ args.m = *m0,
-again:
- if (!mem) {
- /*
- * Fetch start point from rule, if any.
- * Remove the tag if present.
- */
- struct m_tag *mtag;
-
- mtag = m_tag_locate(*p.m, MTAG_IPFW_RULE, 0, NULL);
- if (mtag != NULL) {
- args.rule = *((struct ipfw_rule_ref *)(mtag+1));
- m_tag_delete(*p.m, mtag);
- if (args.rule.info & IPFW_ONEPASS)
- return (PFIL_PASS);
- args.flags |= IPFW_ARGS_REF;
+ ipfw = ipfw_chk(&args);
+ *m0 = args.m;
+
+ ret = PFIL_PASS;
+ switch (ipfw) {
+ case IP_FW_PASS:
+ break;
+
+ case IP_FW_DENY:
+ ret = PFIL_DROPPED;
+ break;
+
+ case IP_FW_DUMMYNET:
+ if (ip_dn_io_ptr == NULL) {
+ ret = PFIL_DROPPED;
+ break;
}
- args.m = *p.m;
+ MPASS(args.flags & IPFW_ARGS_REF);
+ ip_dn_io_ptr(m0, &args);
+ return (PFIL_CONSUMED);
+
+ case IP_FW_NGTEE:
+ case IP_FW_NETGRAPH:
+ if (ng_ipfw_input_p == NULL) {
+ ret = PFIL_DROPPED;
+ break;
+ }
+ MPASS(args.flags & IPFW_ARGS_REF);
+ (void )ng_ipfw_input_p(m0, &args, ipfw == IP_FW_NGTEE);
+ if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */
+ goto again; /* continue with packet */
+ ret = PFIL_CONSUMED;
+ break;
+
+ default:
+ KASSERT(0, ("%s: unknown retval", __func__));
}
+ if (ret != PFIL_PASS) {
+ if (*m0)
+ FREE_PKT(*m0);
+ *m0 = NULL;
+ }
+
+ return (ret);
+}
+
+/*
+ * ipfw processing for ethernet packets (in and out), memory pointer version,
+ * two in/out accessors.
+ */
+static pfil_return_t
+ipfw_check_frame_mem(void *mem, u_int len, int flags, struct ifnet *ifp,
+ void *ruleset __unused, struct mbuf **m)
+{
+ struct ip_fw_args args = {
+ .flags = len | IPFW_ARGS_ETHER |
+ ((flags & PFIL_IN) ? IPFW_ARGS_IN : IPFW_ARGS_OUT),
+ .ifp = ifp,
+ .mem = mem,
+ };
+ pfil_return_t ret;
+ int ipfw;
+
+ *m = NULL;
+again:
ipfw = ipfw_chk(&args);
- if (!mem)
- *p.m = args.m;
ret = PFIL_PASS;
switch (ipfw) {
@@ -388,16 +440,13 @@ again:
ret = PFIL_DROPPED;
break;
}
- if (mem) {
- if (pfil_realloc(&p, flags, ifp) != 0) {
- ret = PFIL_DROPPED;
- break;
- }
- mem = false;
- realloc = true;
+ *m = m_devget(mem, len, 0, ifp, NULL);
+ if (*m == NULL) {
+ ret = PFIL_DROPPED;
+ break;
}
MPASS(args.flags & IPFW_ARGS_REF);
- ip_dn_io_ptr(p.m, &args);
+ ip_dn_io_ptr(m, &args);
return (PFIL_CONSUMED);
case IP_FW_NGTEE:
@@ -406,16 +455,13 @@ again:
ret = PFIL_DROPPED;
break;
}
- if (mem) {
- if (pfil_realloc(&p, flags, ifp) != 0) {
- ret = PFIL_DROPPED;
- break;
- }
- mem = false;
- realloc = true;
+ *m = m_devget(mem, len, 0, ifp, NULL);
+ if (*m == NULL) {
+ ret = PFIL_DROPPED;
+ break;
}
MPASS(args.flags & IPFW_ARGS_REF);
- (void )ng_ipfw_input_p(p.m, &args, ipfw == IP_FW_NGTEE);
+ (void )ng_ipfw_input_p(m, &args, ipfw == IP_FW_NGTEE);
if (ipfw == IP_FW_NGTEE) /* ignore errors for NGTEE */
goto again; /* continue with packet */
ret = PFIL_CONSUMED;
@@ -425,13 +471,7 @@ again:
KASSERT(0, ("%s: unknown retval", __func__));
}
- if (!mem && ret != PFIL_PASS) {
- if (*p.m)
- FREE_PKT(*p.m);
- *p.m = NULL;
- }
-
- if (realloc && ret == PFIL_PASS)
+ if (*m != NULL && ret == PFIL_PASS)
ret = PFIL_REALLOCED;
return (ret);
@@ -543,34 +583,33 @@ VNET_DEFINE_STATIC(pfil_hook_t, ipfw_link_hook);
static void
ipfw_hook(int pf)
{
- struct pfil_hook_args pha;
+ struct pfil_hook_args pha = {
+ .pa_version = PFIL_VERSION,
+ .pa_flags = PFIL_IN | PFIL_OUT,
+ .pa_modname = "ipfw",
+ };
pfil_hook_t *h;
- pha.pa_version = PFIL_VERSION;
- pha.pa_flags = PFIL_IN | PFIL_OUT;
- pha.pa_modname = "ipfw";
- pha.pa_ruleset = NULL;
-
switch (pf) {
case AF_INET:
- pha.pa_func = ipfw_check_packet;
+ pha.pa_mbuf_chk = ipfw_check_packet;
pha.pa_type = PFIL_TYPE_IP4;
pha.pa_rulname = "default";
h = &V_ipfw_inet_hook;
break;
#ifdef INET6
case AF_INET6:
- pha.pa_func = ipfw_check_packet;
+ pha.pa_mbuf_chk = ipfw_check_packet;
pha.pa_type = PFIL_TYPE_IP6;
pha.pa_rulname = "default6";
h = &V_ipfw_inet6_hook;
break;
#endif
case AF_LINK:
- pha.pa_func = ipfw_check_frame;
+ pha.pa_mbuf_chk = ipfw_check_frame_mbuf;
+ pha.pa_mem_chk = ipfw_check_frame_mem;
pha.pa_type = PFIL_TYPE_ETHERNET;
pha.pa_rulname = "default-link";
- pha.pa_flags |= PFIL_MEMPTR;
h = &V_ipfw_link_hook;
break;
}
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 76742aebf01a..cc1f5a5c2138 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -6532,21 +6532,20 @@ VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_out_hook);
static void
hook_pf_eth(void)
{
- struct pfil_hook_args pha;
- struct pfil_link_args pla;
+ struct pfil_hook_args pha = {
+ .pa_version = PFIL_VERSION,
+ .pa_modname = "pf",
+ .pa_type = PFIL_TYPE_ETHERNET,
+ };
+ struct pfil_link_args pla = {
+ .pa_version = PFIL_VERSION,
+ };
int ret __diagused;
if (atomic_load_bool(&V_pf_pfil_eth_hooked))
return;
- pha.pa_version = PFIL_VERSION;
- pha.pa_modname = "pf";
- pha.pa_ruleset = NULL;
-
- pla.pa_version = PFIL_VERSION;
-
- pha.pa_type = PFIL_TYPE_ETHERNET;
- pha.pa_func = pf_eth_check_in;
+ pha.pa_mbuf_chk = pf_eth_check_in;
pha.pa_flags = PFIL_IN;
pha.pa_rulname = "eth-in";
V_pf_eth_in_hook = pfil_add_hook(&pha);
@@ -6555,7 +6554,7 @@ hook_pf_eth(void)
pla.pa_hook = V_pf_eth_in_hook;
ret = pfil_link(&pla);
MPASS(ret == 0);
- pha.pa_func = pf_eth_check_out;
+ pha.pa_mbuf_chk = pf_eth_check_out;
pha.pa_flags = PFIL_OUT;
pha.pa_rulname = "eth-out";
V_pf_eth_out_hook = pfil_add_hook(&pha);
@@ -6571,22 +6570,21 @@ hook_pf_eth(void)
static void
hook_pf(void)
{
- struct pfil_hook_args pha;
- struct pfil_link_args pla;
+ struct pfil_hook_args pha = {
+ .pa_version = PFIL_VERSION,
+ .pa_modname = "pf",
+ };
+ struct pfil_link_args pla = {
+ .pa_version = PFIL_VERSION,
+ };
int ret __diagused;
if (atomic_load_bool(&V_pf_pfil_hooked))
return;
- pha.pa_version = PFIL_VERSION;
- pha.pa_modname = "pf";
- pha.pa_ruleset = NULL;
-
- pla.pa_version = PFIL_VERSION;
-
#ifdef INET
pha.pa_type = PFIL_TYPE_IP4;
- pha.pa_func = pf_check_in;
+ pha.pa_mbuf_chk = pf_check_in;
pha.pa_flags = PFIL_IN;
pha.pa_rulname = "default-in";
V_pf_ip4_in_hook = pfil_add_hook(&pha);
@@ -6595,7 +6593,7 @@ hook_pf(void)
pla.pa_hook = V_pf_ip4_in_hook;
ret = pfil_link(&pla);
MPASS(ret == 0);
- pha.pa_func = pf_check_out;
+ pha.pa_mbuf_chk = pf_check_out;
pha.pa_flags = PFIL_OUT;
pha.pa_rulname = "default-out";
V_pf_ip4_out_hook = pfil_add_hook(&pha);
@@ -6607,7 +6605,7 @@ hook_pf(void)
#endif
#ifdef INET6
pha.pa_type = PFIL_TYPE_IP6;
- pha.pa_func = pf_check6_in;
+ pha.pa_mbuf_chk = pf_check6_in;
pha.pa_flags = PFIL_IN;
pha.pa_rulname = "default-in6";
V_pf_ip6_in_hook = pfil_add_hook(&pha);
@@ -6616,7 +6614,7 @@ hook_pf(void)
pla.pa_hook = V_pf_ip6_in_hook;
ret = pfil_link(&pla);
MPASS(ret == 0);
- pha.pa_func = pf_check6_out;
+ pha.pa_mbuf_chk = pf_check6_out;
pha.pa_rulname = "default-out6";
pha.pa_flags = PFIL_OUT;
V_pf_ip6_out_hook = pfil_add_hook(&pha);