svn commit: r201011 - in user/luigi/ipfw3-head/sys: net netgraph
netinet netinet/ipfw
Luigi Rizzo
luigi at FreeBSD.org
Sat Dec 26 02:36:49 UTC 2009
Author: luigi
Date: Sat Dec 26 02:36:48 2009
New Revision: 201011
URL: http://svn.freebsd.org/changeset/base/201011
Log:
Preparation work to simplify the code used for reinject and ipfilter:
- move most of ng_ipfw.h into ip_fw_private.h, as this code is
ipfw-specific. This removes a dependency on ng_ipfw.h from some files.
- move many equivalent definitions of direction (IN, OUT) for
reinjected packets into ip_fw_private.h
- document the structure of the packet tags used for dummynet
and netgraph;
Modified:
user/luigi/ipfw3-head/sys/net/if_bridge.c
user/luigi/ipfw3-head/sys/net/if_ethersubr.c
user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c
user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h
user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h
user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c
user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c
user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h
user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c
Modified: user/luigi/ipfw3-head/sys/net/if_bridge.c
==============================================================================
--- user/luigi/ipfw3-head/sys/net/if_bridge.c Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/net/if_bridge.c Sat Dec 26 02:36:48 2009 (r201011)
@@ -3085,7 +3085,7 @@ bridge_pfil(struct mbuf **mp, struct ifn
* packet will return to us via bridge_dummynet().
*/
args.oif = ifp;
- ip_dn_io_ptr(mp, DN_TO_IFB_FWD, &args);
+ ip_dn_io_ptr(mp, DIR_FWD | PROTO_IFB, &args);
return (error);
}
Modified: user/luigi/ipfw3-head/sys/net/if_ethersubr.c
==============================================================================
--- user/luigi/ipfw3-head/sys/net/if_ethersubr.c Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/net/if_ethersubr.c Sat Dec 26 02:36:48 2009 (r201011)
@@ -535,6 +535,7 @@ ether_ipfw_chk(struct mbuf **m0, struct
return 1;
if (ip_dn_io_ptr && (i == IP_FW_DUMMYNET)) {
+ int dir;
/*
* Pass the pkt to dummynet, which consumes it.
* If shared, make a copy and keep the original.
@@ -550,7 +551,8 @@ ether_ipfw_chk(struct mbuf **m0, struct
*/
*m0 = NULL ;
}
- ip_dn_io_ptr(&m, dst ? DN_TO_ETH_OUT: DN_TO_ETH_DEMUX, &args);
+ dir = PROTO_LAYER2 | (dst ? DIR_OUT : DIR_IN);
+ ip_dn_io_ptr(&m, dir, &args);
return 0;
}
/*
Modified: user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c
==============================================================================
--- user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c Sat Dec 26 02:36:48 2009 (r201011)
@@ -234,7 +234,7 @@ ng_ipfw_rcvdata(hook_p hook, item_p item
};
switch (ngit->dir) {
- case NG_IPFW_OUT:
+ case DIR_OUT:
{
struct ip *ip;
@@ -249,7 +249,7 @@ ng_ipfw_rcvdata(hook_p hook, item_p item
return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
}
- case NG_IPFW_IN:
+ case DIR_IN:
ip_input(m);
return (0);
default:
@@ -298,7 +298,7 @@ ng_ipfw_input(struct mbuf **m0, int dir,
ngit->rule_id = fwa->rule_id;
ngit->chain_id = fwa->chain_id;
ngit->dir = dir;
- ngit->ifp = fwa->oif;
+// ngit->ifp = fwa->oif; /* XXX do we use it ? */
m_tag_prepend(m, &ngit->mt);
} else
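Review bot: The assignment to ngit->ifp is left in as commented-out code with a `//` marker and an "XXX do we use it ?" question, and the matching field is commented out the same way in struct ng_ipfw_tag in the ip_fw_private.h hunk; the question can be answered from this diff, since the visible DIR_OUT path in ng_ipfw_rcvdata calls `ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL)` without any ifp. Drop both dead lines rather than leaving them behind, and if the field is meant to come back, record that intent in a `/* */` comment on the struct instead of a disabled statement (`//` comments are not style(9) for kernel sources). ng_ipfw_input's body continues outside the hunk.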
Modified: user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h
==============================================================================
--- user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h Sat Dec 26 02:36:48 2009 (r201011)
@@ -26,27 +26,7 @@
* $FreeBSD$
*/
+#ifndef _NG_IPFW_H
+#define _NG_IPFW_H
#define NG_IPFW_NODE_TYPE "ipfw"
-#define NGM_IPFW_COOKIE 1105988990
-
-#ifdef _KERNEL
-
-typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int);
-extern ng_ipfw_input_t *ng_ipfw_input_p;
-#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL)
-
-struct ng_ipfw_tag {
- struct m_tag mt; /* tag header */
- uint32_t slot; /* slot for next rule */
- uint32_t rulenum; /* matching rule number */
- uint32_t rule_id; /* matching rule id */
- uint32_t chain_id; /* ruleset id */
- struct ifnet *ifp; /* interface, for ip_output */
- int dir;
-#define NG_IPFW_OUT 0
-#define NG_IPFW_IN 1
-};
-
-#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))
-
-#endif /* _KERNEL */
+#endif /* _NG_IPFW_H */
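Review bot: NGM_IPFW_COOKIE is removed from this header even though it sat outside the `#ifdef _KERNEL` block, so any userland consumer of ng_ipfw.h that used the cookie to talk to the node (as appears to be the intent of keeping NG_IPFW_NODE_TYPE public) now loses it, while the kernel-only definitions that moved into ip_fw_private.h were the ones guarded by _KERNEL. Keep the one public line here, `#define NGM_IPFW_COOKIE 1105988990`, next to NG_IPFW_NODE_TYPE, and let ip_fw_private.h pick it up from this header or guard its own copy with `#ifndef NGM_IPFW_COOKIE` so the two cannot drift apart.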
Modified: user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h
==============================================================================
--- user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h Sat Dec 26 02:36:48 2009 (r201011)
@@ -110,21 +110,19 @@ struct dn_heap {
* them that carries their dummynet state. This is used within
* the dummynet code as well as outside when checking for special
* processing requirements.
+ * Note that the first part is the reinject info and is common to
+ * other forms of packet reinjection.
*/
struct dn_pkt_tag {
+ /* first part, reinject info */
uint32_t slot; /* slot of next rule to use */
uint32_t rulenum; /* matching rule number */
uint32_t rule_id; /* matching rule id */
uint32_t chain_id; /* ruleset id */
+
+ /* second part, dummynet specific */
int dn_dir; /* action when packet comes out. */
-#define DN_TO_IP_OUT 1
-#define DN_TO_IP_IN 2
-/* Obsolete: #define DN_TO_BDG_FWD 3 */
-#define DN_TO_ETH_DEMUX 4
-#define DN_TO_ETH_OUT 5
-#define DN_TO_IP6_IN 6
-#define DN_TO_IP6_OUT 7
-#define DN_TO_IFB_FWD 8
+ /* see ip_fw_private.h */
dn_key output_time; /* when the pkt is due for delivery */
struct ifnet *ifp; /* interface, for ip_output */
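Review bot: The comment added after dn_dir, `/* see ip_fw_private.h */`, does not say what the reader is meant to find there; make it name the encoding, e.g. `int dn_dir; /* DIR_* | PROTO_* flags, see ip_fw_private.h */`. The "first part, reinject info" fields (slot, rulenum, rule_id, chain_id) are now duplicated field-for-field in struct ng_ipfw_tag in the ip_fw_private.h hunk, and nothing ties the two layouts together; if code is expected to treat them interchangeably, say so in this comment and in the one on ng_ipfw_tag, otherwise a future field added to one of them silently breaks the other. struct dn_pkt_tag continues outside the hunk.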
Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c
==============================================================================
--- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c Sat Dec 26 02:36:48 2009 (r201011)
@@ -986,10 +986,10 @@ dummynet_send(struct mbuf *m)
}
switch (dst) {
- case DN_TO_IP_OUT:
+ case DIR_OUT:
ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
break ;
- case DN_TO_IP_IN :
+ case DIR_IN :
ip = mtod(m, struct ip *);
#ifndef HAVE_NET_IPLEN
ip->ip_len = htons(ip->ip_len);
@@ -998,22 +998,22 @@ dummynet_send(struct mbuf *m)
netisr_dispatch(NETISR_IP, m);
break;
#ifdef INET6
- case DN_TO_IP6_IN:
+ case DIR_IN | PROTO_IPV6:
netisr_dispatch(NETISR_IPV6, m);
break;
- case DN_TO_IP6_OUT:
+ case DIR_OUT | PROTO_IPV6:
ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL);
break;
#endif
- case DN_TO_IFB_FWD:
+ case DIR_FWD | PROTO_IFB: /* DN_TO_IFB_FWD: */
if (bridge_dn_p != NULL)
((*bridge_dn_p)(m, pkt->ifp));
else
printf("dummynet: if_bridge not loaded\n");
break;
- case DN_TO_ETH_DEMUX:
+ case DIR_IN | PROTO_LAYER2: /* DN_TO_ETH_DEMUX: */
/*
* The Ethernet code assumes the Ethernet header is
* contiguous in the first mbuf header.
@@ -1027,7 +1027,7 @@ dummynet_send(struct mbuf *m)
}
ether_demux(m->m_pkthdr.rcvif, m);
break;
- case DN_TO_ETH_OUT:
+ case DIR_OUT | PROTO_LAYER2: /* N_TO_ETH_OUT: */
ether_output_frame(pkt->ifp, m);
break;
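Review bot: The trailing comment on the new case label reads `/* N_TO_ETH_OUT: */`, which is not the name of the constant it replaces; the sibling labels in this switch are annotated `/* DN_TO_IFB_FWD: */` and `/* DN_TO_ETH_DEMUX: */`, so this one should be `case DIR_OUT | PROTO_LAYER2: /* DN_TO_ETH_OUT: */`. The switch in dummynet_send continues outside the hunk.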
@@ -1550,8 +1550,8 @@ dummynet_io(struct mbuf **m0, int dir, s
}
}
done:
- if (head == m && dir != DN_TO_IFB_FWD && dir != DN_TO_ETH_DEMUX &&
- dir != DN_TO_ETH_OUT) { /* Fast io. */
+ if (head == m && (dir & PROTO_LAYER2) == 0 ) {
+ /* Fast io. */
io_pkt_fast++;
if (m->m_nextpkt != NULL)
printf("dummynet: fast io: pkt chain detected!\n");
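Review bot: The new fast-io test `(dir & PROTO_LAYER2) == 0` is only equivalent to the three explicit comparisons it replaces because PROTO_IFB is defined as 0x0c and therefore contains the PROTO_LAYER2 bit (0x4); that dependency is not visible here and should be stated, e.g. `/* Fast io, unless layer2 (PROTO_IFB includes PROTO_LAYER2). */`. The condition also has a stray space before the closing parenthesis, `== 0 )`. dummynet_io continues outside the hunk.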
Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c
==============================================================================
--- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c Sat Dec 26 02:36:48 2009 (r201011)
@@ -64,8 +64,6 @@ __FBSDID("$FreeBSD$");
#include <netinet/ip_divert.h>
#include <netinet/ip_dummynet.h>
-#include <netgraph/ng_ipfw.h>
-
#include <machine/in_cksum.h>
static VNET_DEFINE(int, fw_enable) = 1;
@@ -86,8 +84,6 @@ ng_ipfw_input_t *ng_ipfw_input_p = NULL;
/* Forward declarations. */
static int ipfw_divert(struct mbuf **, int, int);
-#define DIV_DIR_IN 1
-#define DIV_DIR_OUT 0
#ifdef SYSCTL_NODE
SYSCTL_DECL(_net_inet_ip_fw);
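Review bot: DIV_DIR_IN and DIV_DIR_OUT are removed here, but no hunk in this commit touches the body of the static ipfw_divert that took them, so either that body never named the macros (treating the argument as a 0/1 boolean, which DIR_OUT = 0 / DIR_IN = 1 happens to preserve) or it no longer compiles; I cannot tell from the diff. Either way the value coupling is now implicit, so record it on the prototype, `static int ipfw_divert(struct mbuf **, int /* DIR_IN or DIR_OUT */, int);`, and confirm the function body was checked.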
@@ -123,7 +119,7 @@ ipfw_check_in(void *arg, struct mbuf **m
ng_tag = (struct ng_ipfw_tag *)m_tag_locate(*m0, NGM_IPFW_COOKIE, 0,
NULL);
if (ng_tag != NULL) {
- KASSERT(ng_tag->dir == NG_IPFW_IN,
+ KASSERT(ng_tag->dir == DIR_IN,
("ng_ipfw tag with wrong direction"));
args.slot = ng_tag->slot;
args.rulenum = ng_tag->rulenum;
@@ -185,9 +181,9 @@ again:
if (ip_dn_io_ptr == NULL)
goto drop;
if (mtod(*m0, struct ip *)->ip_v == 4)
- ip_dn_io_ptr(m0, DN_TO_IP_IN, &args);
+ ip_dn_io_ptr(m0, DIR_IN, &args);
else if (mtod(*m0, struct ip *)->ip_v == 6)
- ip_dn_io_ptr(m0, DN_TO_IP6_IN, &args);
+ ip_dn_io_ptr(m0, DIR_IN | PROTO_IPV6, &args);
if (*m0 != NULL)
goto again;
return 0; /* packet consumed */
@@ -197,7 +193,7 @@ again:
/* fall through */
case IP_FW_DIVERT:
- divert = ipfw_divert(m0, DIV_DIR_IN, tee);
+ divert = ipfw_divert(m0, DIR_IN, tee);
if (divert) {
*m0 = NULL;
return 0; /* packet consumed */
@@ -209,13 +205,13 @@ again:
case IP_FW_NGTEE:
if (!NG_IPFW_LOADED)
goto drop;
- (void)ng_ipfw_input_p(m0, NG_IPFW_IN, &args, 1);
+ (void)ng_ipfw_input_p(m0, DIR_IN, &args, 1);
goto again; /* continue with packet */
case IP_FW_NETGRAPH:
if (!NG_IPFW_LOADED)
goto drop;
- return ng_ipfw_input_p(m0, NG_IPFW_IN, &args, 0);
+ return ng_ipfw_input_p(m0, DIR_IN, &args, 0);
case IP_FW_NAT:
goto again; /* continue with packet */
@@ -257,7 +253,7 @@ ipfw_check_out(void *arg, struct mbuf **
ng_tag = (struct ng_ipfw_tag *)m_tag_locate(*m0, NGM_IPFW_COOKIE, 0,
NULL);
if (ng_tag != NULL) {
- KASSERT(ng_tag->dir == NG_IPFW_OUT,
+ KASSERT(ng_tag->dir == DIR_OUT,
("ng_ipfw tag with wrong direction"));
args.slot = ng_tag->slot;
args.rulenum = ng_tag->rulenum;
@@ -324,9 +320,9 @@ again:
if (ip_dn_io_ptr == NULL)
break;
if (mtod(*m0, struct ip *)->ip_v == 4)
- ip_dn_io_ptr(m0, DN_TO_IP_OUT, &args);
+ ip_dn_io_ptr(m0, DIR_OUT, &args);
else if (mtod(*m0, struct ip *)->ip_v == 6)
- ip_dn_io_ptr(m0, DN_TO_IP6_OUT, &args);
+ ip_dn_io_ptr(m0, DIR_OUT | PROTO_IPV6, &args);
if (*m0 != NULL)
goto again;
return 0; /* packet consumed */
@@ -338,7 +334,7 @@ again:
/* fall through */
case IP_FW_DIVERT:
- divert = ipfw_divert(m0, DIV_DIR_OUT, tee);
+ divert = ipfw_divert(m0, DIR_OUT, tee);
if (divert) {
*m0 = NULL;
return 0; /* packet consumed */
@@ -350,13 +346,13 @@ again:
case IP_FW_NGTEE:
if (!NG_IPFW_LOADED)
goto drop;
- (void)ng_ipfw_input_p(m0, NG_IPFW_OUT, &args, 1);
+ (void)ng_ipfw_input_p(m0, DIR_OUT, &args, 1);
goto again; /* continue with packet */
case IP_FW_NETGRAPH:
if (!NG_IPFW_LOADED)
goto drop;
- return ng_ipfw_input_p(m0, NG_IPFW_OUT, &args, 0);
+ return ng_ipfw_input_p(m0, DIR_OUT, &args, 0);
case IP_FW_NAT:
goto again; /* continue with packet */
@@ -584,20 +580,14 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
return (0);
if (arg1 == &VNET_NAME(fw_enable)) {
- if (enable)
- error = ipfw_hook();
- else
- error = ipfw_unhook();
+ error = (enable) ? ipfw_hook() : ipfw_unhook();
if (error)
return (error);
V_fw_enable = enable;
}
#ifdef INET6
else if (arg1 == &VNET_NAME(fw6_enable)) {
- if (enable)
- error = ipfw6_hook();
- else
- error = ipfw6_unhook();
+ error = (enable) ? ipfw6_hook() : ipfw6_unhook();
if (error)
return (error);
V_fw6_enable = enable;
Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h
==============================================================================
--- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h Sat Dec 26 02:36:48 2009 (r201011)
@@ -101,11 +101,32 @@ struct ip_fw_args {
MALLOC_DECLARE(M_IPFW);
/*
+ * Hooks sometime need to know the direction of the packet
+ * (divert, dummynet, netgraph, ...)
+ * We use a generic definition here, with bit0-1 indicating the
+ * direction, bit 2 indicating layer2 or 3, bit 3-4 indicating the
+ * specific protocol
+ * indicating the protocol (if necessary)
+ */
+enum {
+ DIR_MASK = 0x3,
+ DIR_OUT = 0,
+ DIR_IN = 1,
+ DIR_FWD = 2,
+ DIR_DROP = 3,
+ PROTO_LAYER2 = 0x4, /* set for layer 2 */
+ /* PROTO_DEFAULT = 0, */
+ PROTO_IPV4 = 0x08,
+ PROTO_IPV6 = 0x10,
+ PROTO_IFB = 0x0c, /* layer2 + ifbridge */
+ /* PROTO_OLDBDG = 0x14, unused, old bridge */
+};
+
+/*
* Function definitions.
*/
/* Firewall hooks */
-
int ipfw_check_in(void *, struct mbuf **, struct ifnet *,
int, struct inpcb *inp);
int ipfw_check_out(void *, struct mbuf **, struct ifnet *,
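Review bot: DIR_OUT is defined as 0, so a dir field that was never set (a zeroed tag, or an earlier bug in a producer) is indistinguishable from an explicit output reinjection: the KASSERT `ng_tag->dir == DIR_OUT` in ipfw_check_out in the ip_fw_pfil.c hunk would pass and dummynet_send would hand the packet to ip_output with IP_FORWARDING. If the zero value is deliberate (it matches the old DIV_DIR_OUT), say so in the comment; otherwise this is the moment to pick a non-zero encoding, while the values are still private to ipfw. Separately, the block comment is garbled at the end, repeating "indicating the protocol" on two lines; it should read `bit 2 indicating layer2 or 3, bits 3-4 indicating the specific protocol (if necessary)`.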
@@ -257,5 +278,27 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr;
extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
+/* netgraph prototypes */
+#define NGM_IPFW_COOKIE 1105988990
+
+typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int);
+extern ng_ipfw_input_t *ng_ipfw_input_p;
+#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL)
+
+struct ng_ipfw_tag {
+ struct m_tag mt; /* tag header */
+ /* reinject info */
+ uint32_t slot; /* slot for next rule */
+ uint32_t rulenum; /* matching rule number */
+ uint32_t rule_id; /* matching rule id */
+ uint32_t chain_id; /* ruleset id */
+ int dir;
+
+// struct ifnet *ifp; /* interface, for ip_output */
+};
+
+#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))
+
+
#endif /* _KERNEL */
#endif /* _IPFW2_PRIVATE_H */
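Review bot: TAGSIZ is a very generic macro name to move from a netgraph-local header into ip_fw_private.h, which every ipfw source file includes; the other names added in this hunk carry an NG_IPFW_ prefix and this one should too, e.g. `#define NG_IPFW_TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))`, or it can stay local to ng_ipfw.c if that is its only user. The struct's "reinject info" comment should also state that these four fields mirror the first part of struct dn_pkt_tag, since nothing else enforces the match.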
Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c
==============================================================================
--- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c Sat Dec 26 00:46:05 2009 (r201010)
+++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c Sat Dec 26 02:36:48 2009 (r201011)
@@ -67,8 +67,6 @@ __FBSDID("$FreeBSD$");
#include <netinet/ipfw/ip_fw_private.h>
#include <netinet/ip_divert.h>
-#include <netgraph/ng_ipfw.h>
-
#ifdef MAC
#include <security/mac/mac_framework.h>
#endif