svn commit: r306684 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf
Kristof Provost
kp at FreeBSD.org
Tue Oct 4 19:35:17 UTC 2016
Author: kp
Date: Tue Oct 4 19:35:14 2016
New Revision: 306684
URL: https://svnweb.freebsd.org/changeset/base/306684
Log:
pf: remove fastroute tag
The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code
allows skipping the inbound pfil hooks and completely removes the outbound pfil
invocation, while looking up a route that the IP stack will likely find on its own.
The code between IPv4 and IPv6 is also inconsistent and marked as "XXX"
for years.
Submitted by: Franco Fichtner <franco at opnsense.org>
Differential Revision: https://reviews.freebsd.org/D8058
Modified:
head/sbin/pfctl/parse.y
head/sbin/pfctl/pfctl_parser.c
head/share/man/man5/pf.conf.5
head/sys/netpfil/pf/pf.c
head/sys/netpfil/pf/pf_ioctl.c
Modified: head/sbin/pfctl/parse.y
==============================================================================
--- head/sbin/pfctl/parse.y Tue Oct 4 18:07:33 2016 (r306683)
+++ head/sbin/pfctl/parse.y Tue Oct 4 19:35:14 2016 (r306684)
@@ -2330,7 +2330,7 @@ pfrule : action dir logquick interface
memcpy(&r.rpool.key, $5.key,
sizeof(struct pf_poolhashkey));
}
- if (r.rt && r.rt != PF_FASTROUTE) {
+ if (r.rt) {
decide_address_family($5.host, &r.af);
remove_invalid_hosts(&$5.host, &r.af);
if ($5.host == NULL) {
@@ -4416,8 +4416,9 @@ route : /* empty */ {
$$.pool_opts = 0;
}
| FASTROUTE {
+ /* backwards-compat */
$$.host = NULL;
- $$.rt = PF_FASTROUTE;
+ $$.rt = 0;
$$.pool_opts = 0;
}
| ROUTETO routespec pool_opts {
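Review bot: The FASTROUTE alternative at L40-L46 now silently turns `fastroute` into a plain rule (rt = 0) while the pf.conf.5 hunk in this same commit deletes the keyword entirely, so a ruleset that relied on fastroute loads without any indication that its semantics changed (on the IPv6 side the old path set M_SKIP_FIREWALL and bypassed outbound filtering, per the pf_route6 hunk). A backwards-compat shim for a removed keyword should at least be loud: emit a deprecation warning from this action, e.g. `fprintf(stderr, "%s:%d: fastroute is deprecated and ignored\n", file->name, yylval.lineno);`, using whatever warning helper and line bookkeeping parse.y already has (neither is visible from this hunk), and expand the `/* backwards-compat */` comment to state that the keyword is accepted but has no effect. It would also keep grammar and manual in agreement to document the keyword as deprecated in pf.conf.5 rather than dropping it outright.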
Modified: head/sbin/pfctl/pfctl_parser.c
==============================================================================
--- head/sbin/pfctl/pfctl_parser.c Tue Oct 4 18:07:33 2016 (r306683)
+++ head/sbin/pfctl/pfctl_parser.c Tue Oct 4 19:35:14 2016 (r306684)
@@ -778,12 +778,8 @@ print_rule(struct pf_rule *r, const char
printf(" reply-to");
else if (r->rt == PF_DUPTO)
printf(" dup-to");
- else if (r->rt == PF_FASTROUTE)
- printf(" fastroute");
- if (r->rt != PF_FASTROUTE) {
- printf(" ");
- print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
- }
+ printf(" ");
+ print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
}
if (r->af) {
if (r->af == AF_INET)
Modified: head/share/man/man5/pf.conf.5
==============================================================================
--- head/share/man/man5/pf.conf.5 Tue Oct 4 18:07:33 2016 (r306683)
+++ head/share/man/man5/pf.conf.5 Tue Oct 4 19:35:14 2016 (r306684)
@@ -28,7 +28,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd June 9, 2016
+.Dd September 28, 2016
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -1874,10 +1874,6 @@ route the packet according to the type o
When such a rule creates state, the route option is also applied to all
packets matching the same connection.
.Bl -tag -width xxxx
-.It Ar fastroute
-The
-.Ar fastroute
-option does a normal route lookup to find the next hop for the packet.
.It Ar route-to
The
.Ar route-to
@@ -2839,7 +2835,7 @@ option = "set" ( [ "timeout" ( t
pf-rule = action [ ( "in" | "out" ) ]
[ "log" [ "(" logopts ")"] ] [ "quick" ]
- [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ]
+ [ "on" ifspec ] [ route ] [ af ] [ protospec ]
hosts [ filteropt-list ]
logopts = logopt [ "," logopts ]
Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c Tue Oct 4 18:07:33 2016 (r306683)
+++ head/sys/netpfil/pf/pf.c Tue Oct 4 19:35:14 2016 (r306684)
@@ -3632,7 +3632,7 @@ pf_create_state(struct pf_rule *r, struc
s->timeout = PFTM_OTHER_FIRST_PACKET;
}
- if (r->rt && r->rt != PF_FASTROUTE) {
+ if (r->rt) {
if (pf_map_addr(pd->af, r, pd->src, &s->rt_addr, NULL, &sn)) {
REASON_SET(&reason, PFRES_MAPFAILED);
pf_src_tree_remove_state(s);
@@ -5439,41 +5439,24 @@ pf_route(struct mbuf **m, struct pf_rule
dst.sin_len = sizeof(dst);
dst.sin_addr = ip->ip_dst;
- if (r->rt == PF_FASTROUTE) {
- struct nhop4_basic nh4;
-
- if (s)
- PF_STATE_UNLOCK(s);
-
- if (fib4_lookup_nh_basic(M_GETFIB(m0), ip->ip_dst, 0,
- m0->m_pkthdr.flowid, &nh4) != 0) {
- KMOD_IPSTAT_INC(ips_noroute);
- error = EHOSTUNREACH;
- goto bad;
- }
-
- ifp = nh4.nh_ifp;
- dst.sin_addr = nh4.nh_addr;
+ if (TAILQ_EMPTY(&r->rpool.list)) {
+ DPFPRINTF(PF_DEBUG_URGENT,
+ ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
+ goto bad_locked;
+ }
+ if (s == NULL) {
+ pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
+ &naddr, NULL, &sn);
+ if (!PF_AZERO(&naddr, AF_INET))
+ dst.sin_addr.s_addr = naddr.v4.s_addr;
+ ifp = r->rpool.cur->kif ?
+ r->rpool.cur->kif->pfik_ifp : NULL;
} else {
- if (TAILQ_EMPTY(&r->rpool.list)) {
- DPFPRINTF(PF_DEBUG_URGENT,
- ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
- goto bad_locked;
- }
- if (s == NULL) {
- pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
- &naddr, NULL, &sn);
- if (!PF_AZERO(&naddr, AF_INET))
- dst.sin_addr.s_addr = naddr.v4.s_addr;
- ifp = r->rpool.cur->kif ?
- r->rpool.cur->kif->pfik_ifp : NULL;
- } else {
- if (!PF_AZERO(&s->rt_addr, AF_INET))
- dst.sin_addr.s_addr =
- s->rt_addr.v4.s_addr;
- ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
- PF_STATE_UNLOCK(s);
- }
+ if (!PF_AZERO(&s->rt_addr, AF_INET))
+ dst.sin_addr.s_addr =
+ s->rt_addr.v4.s_addr;
+ ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
+ PF_STATE_UNLOCK(s);
}
if (ifp == NULL)
goto bad;
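Review bot: The `pf_map_addr()` call at L134-L135, now the only way the s == NULL path obtains a next hop, still discards its return value, whereas the same call in pf_create_state (L107) treats a non-zero return as PFRES_MAPFAILED. If it fails, `naddr` may be left unwritten (pf_map_addr's body is not in view), in which case the `PF_AZERO` test at L136 decides the next hop from whatever `naddr` held before (its declaration is outside this hunk; if it is not zeroed there, that is stale stack data), and L138 dereferences `r->rpool.cur` with no check on the assumption the lookup succeeded. I would fail the forward explicitly: `if (pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, &naddr, NULL, &sn) != 0) goto bad;` (no state lock is held on this branch, so `bad` rather than `bad_locked`, assuming `bad` frees m0 as its use at L167 suggests). The beginning and end of pf_route are outside the hunk, and the pf_route6 counterpart presumably has the same shape and would want the same check.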
@@ -5615,16 +5598,6 @@ pf_route6(struct mbuf **m, struct pf_rul
dst.sin6_len = sizeof(dst);
dst.sin6_addr = ip6->ip6_dst;
- /* Cheat. XXX why only in the v6 case??? */
- if (r->rt == PF_FASTROUTE) {
- if (s)
- PF_STATE_UNLOCK(s);
- m0->m_flags |= M_SKIP_FIREWALL;
- ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
- *m = NULL;
- return;
- }
-
if (TAILQ_EMPTY(&r->rpool.list)) {
DPFPRINTF(PF_DEBUG_URGENT,
("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c Tue Oct 4 18:07:33 2016 (r306683)
+++ head/sys/netpfil/pf/pf_ioctl.c Tue Oct 4 19:35:14 2016 (r306684)
@@ -1267,7 +1267,7 @@ pfioctl(struct cdev *dev, u_long cmd, ca
pf_mv_pool(&V_pf_pabuf, &rule->rpool.list);
if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
(rule->action == PF_BINAT)) && rule->anchor == NULL) ||
- (rule->rt > PF_FASTROUTE)) &&
+ (rule->rt > PF_NOPFROUTE)) &&
(TAILQ_FIRST(&rule->rpool.list) == NULL))
error = EINVAL;
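Review bot: The DIOCADDRULE check at L193 keeps accepting any non-zero `rt` from userland, and since pfvar.h is not in the modified file list, `PF_FASTROUTE` presumably still exists as a value a stale pfctl or any other /dev/pf writer can submit; with `if (r->rt)` in pf_create_state (pf.c hunk) such a rule is now executed as a pool route instead of the plain route lookup it asked for. A stale loader with an empty pool fails with EINVAL here, which is fine, but one that attaches a pool is reinterpreted without any error. I would reject the removed value explicitly here and in the newrule check of the next hunk, `if (rule->rt == PF_FASTROUTE) error = EINVAL;` (or, if the enum constant is dropped from the header, bound `rt` against the largest value the kernel still implements), with a comment that `rt` comes from userland and must not be trusted beyond that set. The surrounding pfioctl body extends beyond this hunk.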
@@ -1527,7 +1527,7 @@ DIOCADDRULE_error:
if (((((newrule->action == PF_NAT) ||
(newrule->action == PF_RDR) ||
(newrule->action == PF_BINAT) ||
- (newrule->rt > PF_FASTROUTE)) &&
+ (newrule->rt > PF_NOPFROUTE)) &&
!newrule->anchor)) &&
(TAILQ_FIRST(&newrule->rpool.list) == NULL))
error = EINVAL;