Date:      Tue, 4 Oct 2016 19:35:14 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r306684 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf
Message-ID:  <201610041935.u94JZEdP020631@repo.freebsd.org>

Author: kp
Date: Tue Oct  4 19:35:14 2016
New Revision: 306684
URL: https://svnweb.freebsd.org/changeset/base/306684

Log:
  pf: remove fastroute tag
  
  The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code
  allows skipping the "in" pfil hooks and completely removes the "out" pfil
  invocation, albeit looking up a route that the IP stack will likely find on
  its own. The code between IPv4 and IPv6 is also inconsistent and has been
  marked as "XXX" for years.
  
  Submitted by:	Franco Fichtner <franco@opnsense.org>
  Differential Revision:	https://reviews.freebsd.org/D8058

Modified:
  head/sbin/pfctl/parse.y
  head/sbin/pfctl/pfctl_parser.c
  head/share/man/man5/pf.conf.5
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_ioctl.c

Modified: head/sbin/pfctl/parse.y
==============================================================================
--- head/sbin/pfctl/parse.y	Tue Oct  4 18:07:33 2016	(r306683)
+++ head/sbin/pfctl/parse.y	Tue Oct  4 19:35:14 2016	(r306684)
@@ -2330,7 +2330,7 @@ pfrule		: action dir logquick interface 
 					memcpy(&r.rpool.key, $5.key,
 					    sizeof(struct pf_poolhashkey));
 			}
-			if (r.rt && r.rt != PF_FASTROUTE) {
+			if (r.rt) {
 				decide_address_family($5.host, &r.af);
 				remove_invalid_hosts(&$5.host, &r.af);
 				if ($5.host == NULL) {
@@ -4416,8 +4416,9 @@ route		: /* empty */			{
 			$$.pool_opts = 0;
 		}
 		| FASTROUTE {
+			/* backwards-compat */
 			$$.host = NULL;
-			$$.rt = PF_FASTROUTE;
+			$$.rt = 0;
 			$$.pool_opts = 0;
 		}
 		| ROUTETO routespec pool_opts {
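Review bot: The `FASTROUTE` production still accepts the keyword but now sets `$$.rt = 0` without any diagnostic, so an existing ruleset containing `fastroute` loads cleanly while its packets are handled differently from before (per the log, the removed kernel path bypassed the outbound pfil hooks). In a firewall configuration, a keyword that parses but has no effect should be announced to the operator; consider a one-line warning in this action, for example `warnx("fastroute is deprecated and ignored");`. The comment could also say what is kept, e.g. `/* backwards-compat: keyword still accepted, no route option is set */`. Which diagnostic helper parse.y uses elsewhere is not visible in this hunk, so the call should follow the file's existing convention.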

Modified: head/sbin/pfctl/pfctl_parser.c
==============================================================================
--- head/sbin/pfctl/pfctl_parser.c	Tue Oct  4 18:07:33 2016	(r306683)
+++ head/sbin/pfctl/pfctl_parser.c	Tue Oct  4 19:35:14 2016	(r306684)
@@ -778,12 +778,8 @@ print_rule(struct pf_rule *r, const char
 			printf(" reply-to");
 		else if (r->rt == PF_DUPTO)
 			printf(" dup-to");
-		else if (r->rt == PF_FASTROUTE)
-			printf(" fastroute");
-		if (r->rt != PF_FASTROUTE) {
-			printf(" ");
-			print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
-		}
+		printf(" ");
+		print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
 	}
 	if (r->af) {
 		if (r->af == AF_INET)

Modified: head/share/man/man5/pf.conf.5
==============================================================================
--- head/share/man/man5/pf.conf.5	Tue Oct  4 18:07:33 2016	(r306683)
+++ head/share/man/man5/pf.conf.5	Tue Oct  4 19:35:14 2016	(r306684)
@@ -28,7 +28,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 9, 2016
+.Dd September 28, 2016
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -1874,10 +1874,6 @@ route the packet according to the type o
 When such a rule creates state, the route option is also applied to all
 packets matching the same connection.
 .Bl -tag -width xxxx
-.It Ar fastroute
-The
-.Ar fastroute
-option does a normal route lookup to find the next hop for the packet.
 .It Ar route-to
 The
 .Ar route-to
@@ -2839,7 +2835,7 @@ option         = "set" ( [ "timeout" ( t
 
 pf-rule        = action [ ( "in" | "out" ) ]
                  [ "log" [ "(" logopts ")"] ] [ "quick" ]
-                 [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ]
+                 [ "on" ifspec ] [ route ] [ af ] [ protospec ]
                  hosts [ filteropt-list ]
 
 logopts        = logopt [ "," logopts ]

Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c	Tue Oct  4 18:07:33 2016	(r306683)
+++ head/sys/netpfil/pf/pf.c	Tue Oct  4 19:35:14 2016	(r306684)
@@ -3632,7 +3632,7 @@ pf_create_state(struct pf_rule *r, struc
 		s->timeout = PFTM_OTHER_FIRST_PACKET;
 	}
 
-	if (r->rt && r->rt != PF_FASTROUTE) {
+	if (r->rt) {
 		if (pf_map_addr(pd->af, r, pd->src, &s->rt_addr, NULL, &sn)) {
 			REASON_SET(&reason, PFRES_MAPFAILED);
 			pf_src_tree_remove_state(s);
@@ -5439,41 +5439,24 @@ pf_route(struct mbuf **m, struct pf_rule
 	dst.sin_len = sizeof(dst);
 	dst.sin_addr = ip->ip_dst;
 
-	if (r->rt == PF_FASTROUTE) {
-		struct nhop4_basic nh4;
-
-		if (s)
-			PF_STATE_UNLOCK(s);
-
-		if (fib4_lookup_nh_basic(M_GETFIB(m0), ip->ip_dst, 0,
-		    m0->m_pkthdr.flowid, &nh4) != 0) {
-			KMOD_IPSTAT_INC(ips_noroute);
-			error = EHOSTUNREACH;
-			goto bad;
-		}
-
-		ifp = nh4.nh_ifp;
-		dst.sin_addr = nh4.nh_addr;
+	if (TAILQ_EMPTY(&r->rpool.list)) {
+		DPFPRINTF(PF_DEBUG_URGENT,
+		    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
+		goto bad_locked;
+	}
+	if (s == NULL) {
+		pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
+		    &naddr, NULL, &sn);
+		if (!PF_AZERO(&naddr, AF_INET))
+			dst.sin_addr.s_addr = naddr.v4.s_addr;
+		ifp = r->rpool.cur->kif ?
+		    r->rpool.cur->kif->pfik_ifp : NULL;
 	} else {
-		if (TAILQ_EMPTY(&r->rpool.list)) {
-			DPFPRINTF(PF_DEBUG_URGENT,
-			    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
-			goto bad_locked;
-		}
-		if (s == NULL) {
-			pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
-			    &naddr, NULL, &sn);
-			if (!PF_AZERO(&naddr, AF_INET))
-				dst.sin_addr.s_addr = naddr.v4.s_addr;
-			ifp = r->rpool.cur->kif ?
-			    r->rpool.cur->kif->pfik_ifp : NULL;
-		} else {
-			if (!PF_AZERO(&s->rt_addr, AF_INET))
-				dst.sin_addr.s_addr =
-				    s->rt_addr.v4.s_addr;
-			ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
-			PF_STATE_UNLOCK(s);
-		}
+		if (!PF_AZERO(&s->rt_addr, AF_INET))
+			dst.sin_addr.s_addr =
+			    s->rt_addr.v4.s_addr;
+		ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
+		PF_STATE_UNLOCK(s);
 	}
 	if (ifp == NULL)
 		goto bad;
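Review bot: In the `s == NULL` branch the return value of `pf_map_addr()` is discarded, whereas pf_create_state() earlier in this diff treats a non-zero return as a mapping failure and aborts. If the call fails here, `naddr` is still tested with `PF_AZERO` and `r->rpool.cur` is still dereferenced. This code is only re-indented by the commit, but with the fastroute branch gone it is the only stateless path, so the result is worth checking, e.g. `if (pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, &naddr, NULL, &sn)) goto bad;`. Whether `naddr` is initialised beforehand and what the `bad` label releases are outside the hunk, so the exact exit label needs confirming against the rest of pf_route().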
@@ -5615,16 +5598,6 @@ pf_route6(struct mbuf **m, struct pf_rul
 	dst.sin6_len = sizeof(dst);
 	dst.sin6_addr = ip6->ip6_dst;
 
-	/* Cheat. XXX why only in the v6 case??? */
-	if (r->rt == PF_FASTROUTE) {
-		if (s)
-			PF_STATE_UNLOCK(s);
-		m0->m_flags |= M_SKIP_FIREWALL;
-		ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
-		*m = NULL;
-		return;
-	}
-
 	if (TAILQ_EMPTY(&r->rpool.list)) {
 		DPFPRINTF(PF_DEBUG_URGENT,
 		    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));

Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c	Tue Oct  4 18:07:33 2016	(r306683)
+++ head/sys/netpfil/pf/pf_ioctl.c	Tue Oct  4 19:35:14 2016	(r306684)
@@ -1267,7 +1267,7 @@ pfioctl(struct cdev *dev, u_long cmd, ca
 		pf_mv_pool(&V_pf_pabuf, &rule->rpool.list);
 		if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
 		    (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
-		    (rule->rt > PF_FASTROUTE)) &&
+		    (rule->rt > PF_NOPFROUTE)) &&
 		    (TAILQ_FIRST(&rule->rpool.list) == NULL))
 			error = EINVAL;
 
@@ -1527,7 +1527,7 @@ DIOCADDRULE_error:
 			if (((((newrule->action == PF_NAT) ||
 			    (newrule->action == PF_RDR) ||
 			    (newrule->action == PF_BINAT) ||
-			    (newrule->rt > PF_FASTROUTE)) &&
+			    (newrule->rt > PF_NOPFROUTE)) &&
 			    !newrule->anchor)) &&
 			    (TAILQ_FIRST(&newrule->rpool.list) == NULL))
 				error = EINVAL;
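Review bot: The two pool checks touched in pf_ioctl.c group the route test differently: in the first hunk `(rule->rt > PF_NOPFROUTE)` sits outside the `rule->anchor == NULL` conjunction, while here `(newrule->rt > PF_NOPFROUTE)` is inside the group that is ANDed with `!newrule->anchor`. If a rule carrying a route option, an anchor and an empty `rpool.list` can be submitted through this path, it is accepted here but rejected with EINVAL by the first check. pf_route() still bails out on `TAILQ_EMPTY(&r->rpool.list)`, so from what the page shows this is a validation gap rather than a crash. Because rules reach this code from userland via the ioctl, both checks should agree; moving the `rt` test out of the anchor group here would match the first hunk. Both comparisons also rely on enum ordering, so `!= PF_NOPFROUTE` plus a comment that a leftover PF_FASTROUTE value now requires a pool would make the intent explicit; the enclosing ioctl cases are outside the hunks.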


