svn commit: r198100 - in user/eri/pf45/head/sys: contrib/pf/net
netinet netinet6 netipsec sys
Ermal Luçi
eri at FreeBSD.org
Wed Oct 14 21:34:53 UTC 2009
Author: eri
Date: Wed Oct 14 21:34:52 2009
New Revision: 198100
URL: http://svn.freebsd.org/changeset/base/198100
Log:
Pf(4) needs a mechanism to be notified that the destination
address changed after pf(4) has seen the packet on input path
and might see it again in the output path (state match optimization).
Since this needs to touch many subsystems, implement a wrapper
that will call all callbacks for other subsystems that might find
this information useful.
Basically they just place the callback in this wrapper rather than
go through all the sources where this function will be called.
Idea and basic template from mlaier at .
NOTE: With this commit pf 4.5 can be considered ported to FreeBSD with
all its features.
Modified:
user/eri/pf45/head/sys/contrib/pf/net/pf.c
user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c
user/eri/pf45/head/sys/netinet/in_gif.c
user/eri/pf45/head/sys/netinet/ip_icmp.c
user/eri/pf45/head/sys/netinet/raw_ip.c
user/eri/pf45/head/sys/netinet6/icmp6.c
user/eri/pf45/head/sys/netinet6/in6_gif.c
user/eri/pf45/head/sys/netipsec/ipsec_input.c
user/eri/pf45/head/sys/netipsec/ipsec_output.c
user/eri/pf45/head/sys/netipsec/xform_ipip.c
user/eri/pf45/head/sys/sys/mbuf.h
Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c
==============================================================================
--- user/eri/pf45/head/sys/contrib/pf/net/pf.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/contrib/pf/net/pf.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -7391,7 +7391,6 @@ pf_check_congestion(struct ifqueue *ifq)
#endif
}
-#ifdef notyet
/*
* must be called whenever any addressing information such as
* address, port, protocol has changed
@@ -7399,6 +7398,12 @@ pf_check_congestion(struct ifqueue *ifq)
void
pf_pkt_addr_changed(struct mbuf *m)
{
+#ifdef __FreeBSD__
+ struct pf_mtag *pf_tag;
+
+ if ((pf_tag = pf_find_mtag(m)) != NULL)
+ pf_tag->statekey = NULL;
+#else
m->m_pkthdr.pf.statekey = NULL;
-}
#endif
+}
Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c
==============================================================================
--- user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -438,6 +438,9 @@ pfattach(void)
if (kproc_create(pf_purge_thread, NULL, NULL, 0, 0, "pfpurge"))
return (ENXIO);
+#ifdef __FreeBSD__
+ m_addr_chg_pf_p = pf_pkt_addr_changed;
+#endif
return (error);
}
#else /* !__FreeBSD__ */
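Review bot: Nothing in this commit resets `m_addr_chg_pf_p`, so once pfattach() has published `pf_pkt_addr_changed` every m_addr_changed() caller in netinet, netinet6 and netipsec keeps jumping into pf for the rest of the kernel's lifetime. If pf can be unloaded as a module, that becomes a call through a stale pointer in kernel context. The teardown path, which is not visible in this diff, should store `m_addr_chg_pf_p = NULL;` before pf's code and state go away, and wait for in-flight callers. The added `#ifdef __FreeBSD__` also looks redundant, because the `#else /* !__FreeBSD__ */` just below suggests this pfattach() is already inside the FreeBSD branch.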
Modified: user/eri/pf45/head/sys/netinet/in_gif.c
==============================================================================
--- user/eri/pf45/head/sys/netinet/in_gif.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netinet/in_gif.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -254,6 +254,8 @@ in_gif_output(struct ifnet *ifp, int fam
#endif
}
+ m_addr_changed(m);
+
error = ip_output(m, NULL, &sc->gif_ro, 0, NULL, NULL);
if (!(GIF2IFP(sc)->if_flags & IFF_LINK0) &&
Modified: user/eri/pf45/head/sys/netinet/ip_icmp.c
==============================================================================
--- user/eri/pf45/head/sys/netinet/ip_icmp.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netinet/ip_icmp.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -689,6 +689,8 @@ icmp_reflect(struct mbuf *m)
goto done; /* Ip_output() will check for broadcast */
}
+ m_addr_changed(m);
+
t = ip->ip_dst;
ip->ip_dst = ip->ip_src;
Modified: user/eri/pf45/head/sys/netinet/raw_ip.c
==============================================================================
--- user/eri/pf45/head/sys/netinet/raw_ip.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netinet/raw_ip.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -89,6 +89,9 @@ VNET_DEFINE(ip_fw_ctl_ptr_t, ip_fw_ctl_p
int (*ip_dn_ctl_ptr)(struct sockopt *) = NULL;
int (*ip_dn_io_ptr)(struct mbuf **m, int dir, struct ip_fw_args *fwa) = NULL;
+/* Hook for telling pf that the destination address changed */
+void (*m_addr_chg_pf_p)(struct mbuf *m);
+
/*
* Hooks for multicast routing. They all default to NULL, so leave them not
* initialized and rely on BSS being set to 0.
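Review bot: The hook is defined in netinet/raw_ip.c, yet the inline in sys/mbuf.h references it from netinet6 and netipsec callers as well, so a kernel configuration that leaves raw_ip.c out would presumably fail to link. A protocol-independent file looks like a better home for the definition. The two pointers directly above are written with an explicit `= NULL`, and doing the same here keeps the declarations uniform. The comment mentions only the destination address, while the comment on pf_pkt_addr_changed() in pf.c covers address, port and protocol; suggest `/* Hook for telling pf that a packet's addressing information changed */`.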
Modified: user/eri/pf45/head/sys/netinet6/icmp6.c
==============================================================================
--- user/eri/pf45/head/sys/netinet6/icmp6.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netinet6/icmp6.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -1105,6 +1105,8 @@ icmp6_notify_error(struct mbuf **mp, int
ip6cp.ip6c_src = &icmp6src;
ip6cp.ip6c_nxt = nxt;
+ m_addr_changed(m);
+
if (icmp6type == ICMP6_PACKET_TOO_BIG) {
notifymtu = ntohl(icmp6->icmp6_mtu);
ip6cp.ip6c_cmdarg = (void *)¬ifymtu;
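Review bot: It is not evident from this hunk why icmp6_notify_error() needs the call, since the visible lines only fill in `ip6cp` for the upper-layer notification and do not rewrite any address in `m`. If the intent is to drop pf's cached state key before the mbuf is passed on, a one-line comment would make that reviewable, for example `/* pf: forget cached state key before handing m to the ctlinput handlers */`. The function body starts and continues outside the hunk, so the actual reason may sit in code not shown here.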
@@ -2227,6 +2229,8 @@ icmp6_reflect(struct mbuf *m, size_t off
m->m_flags &= ~(M_BCAST|M_MCAST);
+ m_addr_changed(m);
+
ip6_output(m, NULL, NULL, 0, NULL, &outif, NULL);
if (outif)
icmp6_ifoutstat_inc(outif, type, code);
Modified: user/eri/pf45/head/sys/netinet6/in6_gif.c
==============================================================================
--- user/eri/pf45/head/sys/netinet6/in6_gif.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netinet6/in6_gif.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -253,6 +253,8 @@ in6_gif_output(struct ifnet *ifp,
#endif
}
+ m_addr_changed(m);
+
#ifdef IPV6_MINMTU
/*
* force fragmentation to minimum MTU, to avoid path MTU discovery.
Modified: user/eri/pf45/head/sys/netipsec/ipsec_input.c
==============================================================================
--- user/eri/pf45/head/sys/netipsec/ipsec_input.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netipsec/ipsec_input.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -471,6 +471,7 @@ ipsec4_common_input_cb(struct mbuf *m, s
key_sa_recordxfer(sav, m); /* record data transfer */
+ m_addr_changed(m);
#ifdef DEV_ENC
encif->if_ipackets++;
encif->if_ibytes += m->m_pkthdr.len;
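Review bot: Only ipsec4_common_input_cb() gains the call, and the diff touches no IPv6 counterpart in this file. If ipsec6_common_input_cb() re-injects decapsulated packets the same way, the inner IPv6 packet would presumably keep the state key pf attached to the outer one, and pf could match it against the wrong state instead of evaluating it afresh. That path should get `m_addr_changed(m);` after its own `key_sa_recordxfer()` call, or a comment should say why it is exempt. This site also omits the blank line that the other call sites in the commit add after the call. The function body continues outside the hunk.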
Modified: user/eri/pf45/head/sys/netipsec/ipsec_output.c
==============================================================================
--- user/eri/pf45/head/sys/netipsec/ipsec_output.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netipsec/ipsec_output.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -169,6 +169,8 @@ ipsec_process_done(struct mbuf *m, struc
}
key_sa_recordxfer(sav, m); /* record data transfer */
+ m_addr_changed(m);
+
/*
* We're done with IPsec processing, transmit the packet using the
* appropriate network protocol (IP or IPv6). SPD lookup will be
Modified: user/eri/pf45/head/sys/netipsec/xform_ipip.c
==============================================================================
--- user/eri/pf45/head/sys/netipsec/xform_ipip.c Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/netipsec/xform_ipip.c Wed Oct 14 21:34:52 2009 (r198100)
@@ -392,6 +392,8 @@ _ipip_input(struct mbuf *m, int iphlen,
panic("%s: bogus ip version %u", __func__, v>>4);
}
+ m_addr_changed(m);
+
if (netisr_queue(isr, m)) { /* (0) on success. */
V_ipipstat.ipips_qfull++;
DPRINTF(("%s: packet dropped because of full queue\n",
Modified: user/eri/pf45/head/sys/sys/mbuf.h
==============================================================================
--- user/eri/pf45/head/sys/sys/mbuf.h Wed Oct 14 20:30:27 2009 (r198099)
+++ user/eri/pf45/head/sys/sys/mbuf.h Wed Oct 14 21:34:52 2009 (r198100)
@@ -656,6 +656,14 @@ m_last(struct mbuf *m)
return (m);
}
+extern void (*m_addr_chg_pf_p)(struct mbuf *m);
+
+static __inline void
+m_addr_changed(struct mbuf *m) {
+ if (m_addr_chg_pf_p)
+ m_addr_chg_pf_p(m);
+}
+
/*
* mbuf, cluster, and external object allocation macros (for compatibility
* purposes).
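Review bot: m_addr_changed() loads the global hook twice, once for the test and once for the call, with no lock or barrier. A store of NULL between the two loads would therefore turn into a NULL call in kernel context. Reading the pointer once narrows that window: `void (*fn)(struct mbuf *) = m_addr_chg_pf_p;` followed by `if (fn != NULL) fn(m);`, although an unload path would still have to wait for in-flight callers. The helper also has no comment saying when callers must invoke it; the wording on pf_pkt_addr_changed() in pf.c ("whenever any addressing information such as address, port, protocol has changed") could be reused here. style(9) would put the function's opening brace on its own line, as m_last() above does.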