svn commit: r302290 - head/sys/netpfil/ipfw

Thu Jun 30 01:33:15 UTC 2016

Author: bz
Date: Thu Jun 30 01:33:14 2016
New Revision: 302290
URL: https://svnweb.freebsd.org/changeset/base/302290

Log:
  Move the ipfw_log_bpf() calls from global module initialisation to
  per-VNET initialisation and virtualise the interface cloning to
  allow a dedicated ipfw log interface per VNET.
  
  Approved by:		re (gjb)
  MFC after:		2 weeks
  Sponsored by:		The FreeBSD Foundation

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c
  head/sys/netpfil/ipfw/ip_fw_log.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================

--- head/sys/netpfil/ipfw/ip_fw2.c	Thu Jun 30 01:32:12 2016	(r302289)
+++ head/sys/netpfil/ipfw/ip_fw2.c	Thu Jun 30 01:33:14 2016	(r302290)
@@ -2691,7 +2691,6 @@ ipfw_init(void)
 	  default_fw_tables = IPFW_TABLES_MAX;
 
 	ipfw_init_sopt_handler();
-	ipfw_log_bpf(1); /* init */
 	ipfw_iface_init();
 	return (error);
 }
@@ -2704,7 +2703,6 @@ ipfw_destroy(void)
 {
 
 	ipfw_iface_destroy();
-	ipfw_log_bpf(0); /* uninit */
 	ipfw_destroy_sopt_handler();
 	printf("IP firewall unloaded\n");
 }
@@ -2793,6 +2791,7 @@ vnet_ipfw_init(const void *unused)
 	 * is checked on each packet because there are no pfil hooks.
 	 */
 	V_ip_fw_ctl_ptr = ipfw_ctl3;
+	ipfw_log_bpf(1); /* init */
 	error = ipfw_attach_hooks(1);
 	return (error);
 }
@@ -2816,6 +2815,8 @@ vnet_ipfw_uninit(const void *unused)
 	(void)ipfw_attach_hooks(0 /* detach */);
 	V_ip_fw_ctl_ptr = NULL;
 
+	ipfw_log_bpf(0); /* uninit */
+
 	last = IS_DEFAULT_VNET(curvnet) ? 1 : 0;
 
 	IPFW_UH_WLOCK(chain);

Modified: head/sys/netpfil/ipfw/ip_fw_log.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_log.c	Thu Jun 30 01:32:12 2016	(r302289)
+++ head/sys/netpfil/ipfw/ip_fw_log.c	Thu Jun 30 01:33:14 2016	(r302290)
@@ -102,7 +102,8 @@ ipfw_log_bpf(int onoff)
 {
 }
 #else /* !WITHOUT_BPF */
-static struct ifnet *log_if;	/* hook to attach to bpf */
+static VNET_DEFINE(struct ifnet *, log_if);	/* hook to attach to bpf */
+#define	V_log_if		VNET(log_if)
 static struct rwlock log_if_lock;
 #define	LOGIF_LOCK_INIT(x)	rw_init(&log_if_lock, "ipfw log_if lock")
 #define	LOGIF_LOCK_DESTROY(x)	rw_destroy(&log_if_lock)
@@ -182,8 +183,8 @@ ipfw_log_clone_create(struct if_clone *i
 	ifp->if_baudrate = IF_Mbps(10);
 
 	LOGIF_WLOCK();
-	if (log_if == NULL)
-		log_if = ifp;
+	if (V_log_if == NULL)
+		V_log_if = ifp;
 	else {
 		LOGIF_WUNLOCK();
 		if_free(ifp);
@@ -206,8 +207,8 @@ ipfw_log_clone_destroy(struct if_clone *
 		return (0);
 
 	LOGIF_WLOCK();
-	if (log_if != NULL && ifp == log_if)
-		log_if = NULL;
+	if (V_log_if != NULL && ifp == V_log_if)
+		V_log_if = NULL;
 	else {
 		LOGIF_WUNLOCK();
 		return (EINVAL);
@@ -223,20 +224,23 @@ ipfw_log_clone_destroy(struct if_clone *
 	return (0);
 }
 
-static struct if_clone *ipfw_log_cloner;
+static VNET_DEFINE(struct if_clone *, ipfw_log_cloner);
+#define	V_ipfw_log_cloner		VNET(ipfw_log_cloner)
 
 void
 ipfw_log_bpf(int onoff)
 {
 
 	if (onoff) {
-		LOGIF_LOCK_INIT();
-		ipfw_log_cloner = if_clone_advanced(ipfwname, 0,
+		if (IS_DEFAULT_VNET(curvnet))
+			LOGIF_LOCK_INIT();
+		V_ipfw_log_cloner = if_clone_advanced(ipfwname, 0,
 		    ipfw_log_clone_match, ipfw_log_clone_create,
 		    ipfw_log_clone_destroy);
 	} else {
-		if_clone_detach(ipfw_log_cloner);
-		LOGIF_LOCK_DESTROY();
+		if_clone_detach(V_ipfw_log_cloner);
+		if (IS_DEFAULT_VNET(curvnet))
+			LOGIF_LOCK_DESTROY();
 	}
 }
 #endif /* !WITHOUT_BPF */
@@ -258,24 +262,24 @@ ipfw_log(struct ip_fw_chain *chain, stru
 	if (V_fw_verbose == 0) {
 #ifndef WITHOUT_BPF
 		LOGIF_RLOCK();
-		if (log_if == NULL || log_if->if_bpf == NULL) {
+		if (V_log_if == NULL || V_log_if->if_bpf == NULL) {
 			LOGIF_RUNLOCK();
 			return;
 		}
 
 		if (args->eh) /* layer2, use orig hdr */
-			BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m);
+			BPF_MTAP2(V_log_if, args->eh, ETHER_HDR_LEN, m);
 		else {
 			/* Add fake header. Later we will store
 			 * more info in the header.
 			 */
 			if (ip->ip_v == 4)
-				BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m);
+				BPF_MTAP2(V_log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m);
 			else if  (ip->ip_v == 6)
-				BPF_MTAP2(log_if, "DDDDDDSSSSSS\x86\xdd", ETHER_HDR_LEN, m);
+				BPF_MTAP2(V_log_if, "DDDDDDSSSSSS\x86\xdd", ETHER_HDR_LEN, m);
 			else
 				/* Obviously bogus EtherType. */
-				BPF_MTAP2(log_if, "DDDDDDSSSSSS\xff\xff", ETHER_HDR_LEN, m);
+				BPF_MTAP2(V_log_if, "DDDDDDSSSSSS\xff\xff", ETHER_HDR_LEN, m);
 		}
 		LOGIF_RUNLOCK();
 #endif /* !WITHOUT_BPF */
