From: Cy Schubert
Date: Mon, 7 Apr 2014 19:32:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r264235 - head/sys/contrib/ipfilter/netinet
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 07 Apr 2014 19:32:57 -0000
Author: cy
Date: Mon Apr 7 19:32:56 2014
New Revision: 264235
URL: http://svnweb.freebsd.org/changeset/base/264235
Log:
Implement the final missing sysctls by moving ipf_auth_softc_t from ip_auth.c to ip_auth.h. ip_frag_soft_t moves from ip_frag.c to ip_frag.h. mlfk_ipl.c creates sysctl MIBs that reference control blocks that are dynamically created when IP Filter is loaded. This necessitated creating them on-the-fly rather than statically at compile time.
Approved by: glebius (mentor)
Modified:
head/sys/contrib/ipfilter/netinet/ip_auth.c
head/sys/contrib/ipfilter/netinet/ip_auth.h
head/sys/contrib/ipfilter/netinet/ip_frag.c
head/sys/contrib/ipfilter/netinet/ip_frag.h
head/sys/contrib/ipfilter/netinet/mlfk_ipl.c
Modified: head/sys/contrib/ipfilter/netinet/ip_auth.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/ip_auth.c Mon Apr 7 19:02:47 2014 (r264234)
+++ head/sys/contrib/ipfilter/netinet/ip_auth.c Mon Apr 7 19:32:56 2014 (r264235)
@@ -131,33 +131,6 @@ static const char rcsid[] = "@(#)$FreeBS
 #endif
-
-typedef struct ipf_auth_softc_s {
-#if SOLARIS && defined(_KERNEL)
- kcondvar_t ipf_auth_wait;
-#endif /* SOLARIS */
-#if defined(linux) && defined(_KERNEL)
- wait_queue_head_t ipf_auth_next_linux;
-#endif
- ipfrwlock_t ipf_authlk;
- ipfmutex_t ipf_auth_mx;
- int ipf_auth_size;
- int ipf_auth_used;
- int ipf_auth_replies;
- int ipf_auth_defaultage;
- int ipf_auth_lock;
- ipf_authstat_t ipf_auth_stats;
- frauth_t *ipf_auth;
- mb_t **ipf_auth_pkts;
- int ipf_auth_start;
- int ipf_auth_end;
- int ipf_auth_next;
- frauthent_t *ipf_auth_entries;
- frentry_t *ipf_auth_ip;
- frentry_t *ipf_auth_rules;
-} ipf_auth_softc_t;
-
-
 static void ipf_auth_deref __P((frauthent_t **));
 static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **));
 static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *,
Modified: head/sys/contrib/ipfilter/netinet/ip_auth.h
==============================================================================
--- head/sys/contrib/ipfilter/netinet/ip_auth.h Mon Apr 7 19:02:47 2014 (r264234)
+++ head/sys/contrib/ipfilter/netinet/ip_auth.h Mon Apr 7 19:32:56 2014 (r264235)
@@ -49,6 +49,24 @@ typedef struct ipf_authstat {
 frauthent_t *fas_faelist;
 } ipf_authstat_t;
+typedef struct ipf_auth_softc_s {
+ ipfrwlock_t ipf_authlk;
+ ipfmutex_t ipf_auth_mx;
+ int ipf_auth_size;
+ int ipf_auth_used;
+ int ipf_auth_replies;
+ int ipf_auth_defaultage;
+ int ipf_auth_lock;
+ ipf_authstat_t ipf_auth_stats;
+ frauth_t *ipf_auth;
+ mb_t **ipf_auth_pkts;
+ int ipf_auth_start;
+ int ipf_auth_end;
+ int ipf_auth_next;
+ frauthent_t *ipf_auth_entries;
+ frentry_t *ipf_auth_ip;
+ frentry_t *ipf_auth_rules;
+} ipf_auth_softc_t;
 extern frentry_t *ipf_auth_check __P((fr_info_t *, u_32_t *));
 extern void ipf_auth_expire __P((ipf_main_softc_t *));
Modified: head/sys/contrib/ipfilter/netinet/ip_frag.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/ip_frag.c Mon Apr 7 19:02:47 2014 (r264234)
+++ head/sys/contrib/ipfilter/netinet/ip_frag.c Mon Apr 7 19:32:56 2014 (r264235)
@@ -91,27 +91,6 @@ static const char rcsid[] = "@(#)$FreeBS
 #endif
-typedef struct ipf_frag_softc_s {
- ipfrwlock_t ipfr_ipidfrag;
- ipfrwlock_t ipfr_frag;
- ipfrwlock_t ipfr_natfrag;
- int ipfr_size;
- int ipfr_ttl;
- int ipfr_lock;
- int ipfr_inited;
- ipfr_t *ipfr_list;
- ipfr_t **ipfr_tail;
- ipfr_t *ipfr_natlist;
- ipfr_t **ipfr_nattail;
- ipfr_t *ipfr_ipidlist;
- ipfr_t **ipfr_ipidtail;
- ipfr_t **ipfr_heads;
- ipfr_t **ipfr_nattab;
- ipfr_t **ipfr_ipidtab;
- ipfrstat_t ipfr_stats;
-} ipf_frag_softc_t;
-
-
 #ifdef USE_MUTEXES
 static ipfr_t *ipfr_frag_new __P((ipf_main_softc_t *, ipf_frag_softc_t *, fr_info_t *, u_32_t, ipfr_t **,
Modified: head/sys/contrib/ipfilter/netinet/ip_frag.h
==============================================================================
--- head/sys/contrib/ipfilter/netinet/ip_frag.h Mon Apr 7 19:02:47 2014 (r264234)
+++ head/sys/contrib/ipfilter/netinet/ip_frag.h Mon Apr 7 19:32:56 2014 (r264235)
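Review bot: The `ipf_auth_softc_s` typedef added to ip_auth.h omits the two platform-conditional members the copy removed from ip_auth.c carried, `kcondvar_t ipf_auth_wait` under `#if SOLARIS && defined(_KERNEL)` and `wait_queue_head_t ipf_auth_next_linux` under `#if defined(linux) && defined(_KERNEL)`. This is shared contrib code, so if ip_auth.c still touches those members inside the same conditionals, a non-FreeBSD kernel build of this source stops compiling. Either carry the conditional members over verbatim or state in the log that the FreeBSD copy intentionally drops them. The ip_frag.c to ip_frag.h move below reproduces its struct member for member and needs no such note.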
@@ -70,6 +70,26 @@ typedef struct ipfrstat {
 struct ipfr **ifs_nattab;
 } ipfrstat_t;
+typedef struct ipf_frag_softc_s {
+ ipfrwlock_t ipfr_ipidfrag;
+ ipfrwlock_t ipfr_frag;
+ ipfrwlock_t ipfr_natfrag;
+ int ipfr_size;
+ int ipfr_ttl;
+ int ipfr_lock;
+ int ipfr_inited;
+ ipfr_t *ipfr_list;
+ ipfr_t **ipfr_tail;
+ ipfr_t *ipfr_natlist;
+ ipfr_t **ipfr_nattail;
+ ipfr_t *ipfr_ipidlist;
+ ipfr_t **ipfr_ipidtail;
+ ipfr_t **ipfr_heads;
+ ipfr_t **ipfr_nattab;
+ ipfr_t **ipfr_ipidtab;
+ ipfrstat_t ipfr_stats;
+} ipf_frag_softc_t;
+
 #define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_pass) - \
 offsetof(ipfr_t, ipfr_ifp))
Modified: head/sys/contrib/ipfilter/netinet/mlfk_ipl.c
==============================================================================
--- head/sys/contrib/ipfilter/netinet/mlfk_ipl.c Mon Apr 7 19:02:47 2014 (r264234)
+++ head/sys/contrib/ipfilter/netinet/mlfk_ipl.c Mon Apr 7 19:32:56 2014 (r264235)
@@ -44,6 +44,8 @@ static dev_t ipf_devs[IPL_LOGSIZE];
 static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
 static int ipf_modload(void);
 static int ipf_modunload(void);
+static int ipf_fbsd_sysctl_create(ipf_main_softc_t*);
+static int ipf_fbsd_sysctl_destroy(ipf_main_softc_t*);
 #if (__FreeBSD_version >= 500024)
 # if (__FreeBSD_version >= 502116)
@@ -70,59 +72,36 @@ SYSCTL_DECL(_net_inet);
 #define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
 SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
 ptr, val, sysctl_ipf_int, "I", descr);
+#define SYSCTL_DYN_IPF(parent, nbr, name, access,ptr, val, descr) \
+ SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \
+ CTLFLAG_DYN|CTLTYPE_INT|access, ptr, val, sysctl_ipf_int, "I", descr)
+static struct sysctl_ctx_list ipf_clist;
 #define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
 #define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
 SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipfmain.ipf_flags, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipfmain.ipf_pass, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipfmain.ipf_active, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipfmain.ipf_flags, 0, "IPF flags");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipfmain.ipf_pass, 0, "default pass/block");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipfmain.ipf_active, 0, "IPF is active");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
- &ipfmain.ipf_tcpidletimeout, 0, "");
+ &ipfmain.ipf_tcpidletimeout, 0, "TCP idle timeout in seconds");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
- &ipfmain.ipf_tcphalfclosed, 0, "");
+ &ipfmain.ipf_tcphalfclosed, 0, "timeout for half closed TCP sessions");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
- &ipfmain.ipf_tcpclosewait, 0, "");
+ &ipfmain.ipf_tcpclosewait, 0, "timeout for TCP sessions in closewait status");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
- &ipfmain.ipf_tcplastack, 0, "");
+ &ipfmain.ipf_tcplastack, 0, "timeout for TCP sessions in last ack status");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
 &ipfmain.ipf_tcptimeout, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
 &ipfmain.ipf_tcpclosed, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
- &ipfmain.ipf_udptimeout, 0, "");
+ &ipfmain.ipf_udptimeout, 0, "UDP timeout");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
 &ipfmain.ipf_udpacktimeout, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
- &ipfmain.ipf_icmptimeout, 0, "");
-#if 0
-/* this needs to be resolved at compile time */
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
- &((ipf_nat_softc_t *)ipfmain.ipf_nat_soft)->ipf_nat_defage, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
- &ipf_ipfrttl, 0, "");
-#endif
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_running, CTLFLAG_RD,
- &ipfmain.ipf_running, 0, "");
-#if 0
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
- &ipfmain.ipf_state_soft)->ipf_state_size, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
- &(ipfmain.ipf_state_soft)->ipf_state_max, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_nattable_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_table_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_natrules_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_maprules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_rdrrules_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_rdrrules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_hostmap_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_hostmap_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
- &ipf_auth_size, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
- &ipf_auth_used, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
- &ipf_auth_defaultage, 0, "");
-#endif
+ &ipfmain.ipf_icmptimeout, 0, "ICMP timeout");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
+ &ipfmain.ipf_running, 0, "IPF is running");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &ipfmain.ipf_chksrc, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &ipfmain.ipf_minttl, 0, "");
@@ -177,7 +156,6 @@ static struct cdevsw ipf_cdevsw = {
 static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME, IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };
-
 static int
 ipfilter_modevent(module_t mod, int type, void *unused)
 {
@@ -212,6 +190,9 @@ ipf_modload()
 if (ipf_create_all(&ipfmain) == NULL)
 return EIO;
+ if (ipf_fbsd_sysctl_create(&ipfmain) != 0)
+ return EIO;
+
 error = ipfattach(&ipfmain);
 if (error)
 return error;
@@ -268,6 +249,9 @@ ipf_modunload()
 if (ipfmain.ipf_refcnt)
 return EBUSY;
+ if (ipf_fbsd_sysctl_destroy(&ipfmain) != 0)
+ return EIO;
+
 error = ipf_pfil_unhook();
 if (error != 0)
 return error;
@@ -277,6 +261,7 @@ ipf_modunload()
 if (error != 0)
 return error;
+ ipf_fbsd_sysctl_destroy(&ipfmain);
 ipf_destroy_all(&ipfmain);
 ipf_unload_all();
 } else
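Review bot: The read-only sysctl `ipf_running` is renamed to `fr_running` in this hunk (the removed `SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_running, CTLFLAG_RD, ...)` comes back as `fr_running`), a user-visible MIB name change the log does not mention, so anything reading net.inet.ipf.ipf_running to learn whether the filter is engaged silently stops working. Either keep the old name or call the rename out in the log. Separately, the new `SYSCTL_DYN_IPF` macro is declared with `access,ptr` where the sibling `SYSCTL_IPF` uses `access, ptr`, and it omits the trailing semicolon that macro carries, so call sites of the two read differently; align them on one convention.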
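Review bot: `ipf_modunload` now calls `ipf_fbsd_sysctl_destroy(&ipfmain)` twice, once in hunk @@ -268 before `ipf_pfil_unhook()` with any failure mapped to `EIO`, and again with the result ignored just before `ipf_destroy_all(&ipfmain)` in hunk @@ -277. If `ipf_pfil_unhook()` or the step after it fails, the function returns with the module still loaded but its dynamic sysctls already gone, and the `EIO` hides whatever `sysctl_ctx_free` reported; the second call is presumably a no-op on the already-emptied context list, which suggests it is a leftover. Drop the early call and keep one checked call next to `ipf_destroy_all`, once nothing further can fail: `if ((error = ipf_fbsd_sysctl_destroy(&ipfmain)) != 0) return error;`. The body of `ipf_modunload` begins and ends outside these hunks, so the surrounding error handling cannot be confirmed from here.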
@@ -526,3 +511,58 @@ static int ipfwrite(dev, uio)
 return ipf_sync_write(&ipfmain, uio);
 return ENXIO;
 }
+
+static int
+ipf_fbsd_sysctl_create(main_softc)
+ ipf_main_softc_t *main_softc;
+{
+ ipf_nat_softc_t *nat_softc;
+ ipf_state_softc_t *state_softc;
+ ipf_auth_softc_t *auth_softc;
+ ipf_frag_softc_t *frag_softc;
+
+ nat_softc = main_softc->ipf_nat_soft;
+ state_softc = main_softc->ipf_state_soft;
+ auth_softc = main_softc->ipf_auth_soft;
+ frag_softc = main_softc->ipf_frag_soft;
+
+ sysctl_ctx_init(&ipf_clist);
+
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defnatage", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_defage, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_statesize", CTLFLAG_RWO,
+ &state_softc->ipf_state_size, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_statemax", CTLFLAG_RWO,
+ &state_softc->ipf_state_max, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_nattable_max", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_table_max, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_nattable_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_table_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_natrules_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_maprules_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_rdrrules_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_rdrrules_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_hostmap_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_hostmap_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_authsize", CTLFLAG_RWO,
+ &auth_softc->ipf_auth_size, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_authused", CTLFLAG_RD,
+ &auth_softc->ipf_auth_used, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defaultauthage", CTLFLAG_RW,
+ &auth_softc->ipf_auth_defaultage, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_ipfrttl", CTLFLAG_RW,
+ &frag_softc->ipfr_ttl, 0, "");
+ return 0;
+}
+
+static int
+ipf_fbsd_sysctl_destroy(main_softc)
+ ipf_main_softc_t *main_softc;
+{
+ if (sysctl_ctx_free(&ipf_clist)) {
+ printf("sysctl_ctx_free failed");
+ return(ENOTEMPTY);
+ }
+ return 0;
+}
+
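Review bot: `ipf_fbsd_sysctl_create` ends in an unconditional `return 0;` while every `SYSCTL_DYN_IPF` call in its body expands to `SYSCTL_ADD_OID` (hunk @@ -70), whose `struct sysctl_oid *` result is discarded, so a failed registration is never reported and the `!= 0` check the commit adds in `ipf_modload` (hunk @@ -212) can never fire. Test each result and release the partially built context on failure, as sketched below; the empty `""` descriptions could also be filled in, since this same commit adds descriptions to the static `SYSCTL_IPF` entries. In `ipf_fbsd_sysctl_destroy`, `printf("sysctl_ctx_free failed");` lacks a trailing `\n` and `return(ENOTEMPTY);` replaces the errno value `sysctl_ctx_free` actually returned, so the caller cannot tell why teardown failed; prefer `if ((error = sysctl_ctx_free(&ipf_clist)) != 0) { printf("sysctl_ctx_free failed\n"); return error; }`.
```c
static int
ipf_fbsd_sysctl_create(main_softc)
	ipf_main_softc_t *main_softc;
{
	/* … unchanged: softc pointer declarations and assignments … */

	sysctl_ctx_init(&ipf_clist);

	if (SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defnatage", CTLFLAG_RWO,
	    &nat_softc->ipf_nat_defage, 0, "") == NULL)
		goto fail;
	/* … same NULL check on each of the remaining eleven SYSCTL_DYN_IPF calls … */
	return 0;

fail:
	/* Undo the OIDs registered so far; the caller reports EIO. */
	(void)sysctl_ctx_free(&ipf_clist);
	return EIO;
}
```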