Date: Mon, 12 Oct 2009 18:11:59 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: Ermal LuXi <eri@FreeBSD.org> Cc: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: Re: svn commit: r197988 - user/eri/pf45/head/sys/contrib/pf/net Message-ID: <alpine.BSF.2.00.0910121811060.80615@fledge.watson.org> In-Reply-To: <200910121651.n9CGpm4L077443@svn.freebsd.org> References: <200910121651.n9CGpm4L077443@svn.freebsd.org>
On Mon, 12 Oct 2009, Ermal LuXi wrote: > Author: eri > Date: Mon Oct 12 16:51:48 2009 > New Revision: 197988 > URL: http://svn.freebsd.org/changeset/base/197988 > > Log: > * First pass at adding virtualization to pf(4). > * The rule of V_ is not followed in an attempt to minimize the diff with upstream(hopefully it works). I've found that this sometimes works -- the usual risk is namespace collisions where the macro wrapping VNET() happens to match another useful C token, such as a structure name. If it compiles, it probably works, but it's worth looking fairly closely to be sure. Robert > * Fix some whitespaces around. > > NOTE: The tree might not build now. > > Modified: > user/eri/pf45/head/sys/contrib/pf/net/pf.c > user/eri/pf45/head/sys/contrib/pf/net/pf_if.c > user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c > user/eri/pf45/head/sys/contrib/pf/net/pf_lb.c > user/eri/pf45/head/sys/contrib/pf/net/pf_norm.c > user/eri/pf45/head/sys/contrib/pf/net/pf_osfp.c > user/eri/pf45/head/sys/contrib/pf/net/pfvar.h > > Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c > ============================================================================== > --- user/eri/pf45/head/sys/contrib/pf/net/pf.c Mon Oct 12 16:47:55 2009 (r197987) > +++ user/eri/pf45/head/sys/contrib/pf/net/pf.c Mon Oct 12 16:51:48 2009 (r197988) 
> @@ -88,20 +88,20 @@ __FBSDID("$FreeBSD$"); > #include <sys/socketvar.h> > #include <sys/kernel.h> > #include <sys/time.h> > - #ifdef __FreeBSD__ > - #include <sys/random.h> > - #include <sys/sysctl.h> > - #include <sys/endian.h> > - #define betoh64 be64toh > - #else > +#ifdef __FreeBSD__ > +#include <sys/random.h> > +#include <sys/sysctl.h> > +#include <sys/endian.h> > +#define betoh64 be64toh > +#else > #include <sys/pool.h> > #endif > #include <sys/proc.h> > - #ifdef __FreeBSD__ > - #include <sys/kthread.h> > - #include <sys/lock.h> > - #include <sys/sx.h> > - #else > +#ifdef __FreeBSD__ > +#include <sys/kthread.h> > +#include <sys/lock.h> > +#include <sys/sx.h> > +#else > #include <sys/rwlock.h> > #endif > > @@ -155,21 +155,21 @@ __FBSDID("$FreeBSD$"); > #include <netinet/in_pcb.h> > #include <netinet/icmp6.h> > #include <netinet6/nd6.h> > - #ifdef __FreeBSD__ > - #include <netinet6/ip6_var.h> > - #include <netinet6/in6_pcb.h> > - #endif > +#ifdef __FreeBSD__ > +#include <netinet6/ip6_var.h> > +#include <netinet6/in6_pcb.h> > +#endif > #endif /* INET6 */ > > #ifdef __FreeBSD__ > - #include <machine/in_cksum.h> > - #include <sys/limits.h> > - #include <sys/ucred.h> > - #include <security/mac/mac_framework.h> > +#include <machine/in_cksum.h> > +#include <sys/limits.h> > +#include <sys/ucred.h> > +#include <security/mac/mac_framework.h> > > - extern int ip_optcopy(struct ip *, struct ip *); > - extern int debug_pfugidhack; > - #endif > +extern int ip_optcopy(struct ip *, struct ip *); > +extern int debug_pfugidhack; > +#endif > > #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x 
> > @@ -178,6 +178,41 @@ __FBSDID("$FreeBSD$"); > */ > > /* state tables */ > +#ifdef __FreeBSD__ > +VNET_DEFINE(struct pf_state_tree, pf_statetbl); > + > +VNET_DEFINE(struct pf_altqqueue, pf_altqs[2]); > +VNET_DEFINE(struct pf_palist, pf_pabuf); > +VNET_DEFINE(struct pf_altqqueue, *pf_altqs_active); > +VNET_DEFINE(struct pf_altqqueue, *pf_altqs_inactive); > +VNET_DEFINE(struct pf_status, pf_status); > + > +VNET_DEFINE(u_int32_t, ticket_altqs_active); > +VNET_DEFINE(u_int32_t, ticket_altqs_inactive); > +VNET_DEFINE(int, altqs_inactive_open); > +VNET_DEFINE(u_int32_t, ticket_pabuf); > + > +VNET_DEFINE(MD5_CTX, pf_tcp_secret_ctx); > +VNET_DEFINE(u_char, pf_tcp_secret[16]); > +VNET_DEFINE(int, pf_tcp_secret_init); > +VNET_DEFINE(int, pf_tcp_iss_off); > + > +struct pf_anchor_stackframe { > + struct pf_ruleset *rs; > + struct pf_rule *r; > + struct pf_anchor_node *parent; > + struct pf_anchor *child; > +}; > +VNET_DEFINE(struct pf_anchor_stackframe, pf_anchor_stack[64]); > + > +VNET_DEFINE(uma_zone_t, pf_src_tree_pl); > +VNET_DEFINE(uma_zone_t, pf_rule_pl); > +VNET_DEFINE(uma_zone_t, pf_pooladdr_pl); > +VNET_DEFINE(uma_zone_t, pf_state_pl); > +VNET_DEFINE(uma_zone_t, pf_state_key_pl); > +VNET_DEFINE(uma_zone_t, pf_state_item_pl); > +VNET_DEFINE(uma_zone_t, pf_altq_pl); > +#else > struct pf_state_tree pf_statetbl; > > struct pf_altqqueue pf_altqs[2]; > @@ -203,11 +238,6 @@ struct pf_anchor_stackframe { > struct pf_anchor *child; > } pf_anchor_stack[64]; > > - #ifdef __FreeBSD__ > - uma_zone_t pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl; > - uma_zone_t pf_state_pl, pf_state_key_pl, pf_state_item_pl; > -uma_zone_t pf_altq_pl; > - #else > struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl; > struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl; > struct pool pf_altq_pl; 
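Review bot: `VNET_DEFINE(struct pf_altqqueue, *pf_altqs_active)` and the `*pf_altqs_inactive` line after it pass the `*` in the name argument, which VNET_DEFINE token-pastes onto its `vnet_entry_` prefix, so the declarator has to move into the type: `VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active);`. The same `*name` form recurs in pf_if.c hunk @@ -76 (`*pfi_all`, `*pfi_buffer`) and pf_ioctl.c hunk @@ -204 (`*pf_dev` and all the pfsync/pflow/pflog function-pointer objects) and wants the same fix. None of the objects defined here gets a `#define name VNET(name)` accessor in this file, unlike pf_if.c, so unqualified uses elsewhere in pf.c only resolve if pfvar.h (modified, but not shown) carries them. For `pf_status` such an accessor would also rewrite every later `struct pf_status`, because tag and object share the token; that one needs the V_ spelling or a renamed object.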
> @@ -323,12 +353,12 @@ int pf_src_connlimit(struct pf_state > int pf_check_congestion(struct ifqueue *); > > #ifdef __FreeBSD__ > - int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len); > +int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len); > > - extern int pf_end_threads; > +VNET_DECLARE(int, pf_end_threads); > > - struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; > - #else > +VNET_DEFINE(struct pf_pool_limit, pf_pool_limits[PF_LIMIT_MAX]); > +#else > extern struct pool pfr_ktable_pl; > extern struct pool pfr_kentry_pl; > > @@ -405,10 +435,17 @@ static __inline int pf_state_compare_key > static __inline int pf_state_compare_id(struct pf_state *, > struct pf_state *); > > +#ifdef __FreeBSD__ > +VNET_DEFINE(struct pf_src_tree, tree_src_tracking); > + > +VNET_DEFINE(struct pf_state_tree_id, tree_id); > +VNET_DEFINE(struct pf_state_queue, state_list); > +#else > struct pf_src_tree tree_src_tracking; > > struct pf_state_tree_id tree_id; > struct pf_state_queue state_list; > +#endif > > RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); > RB_GENERATE(pf_state_tree, pf_state_key, entry, pf_state_compare_key); > @@ -1233,10 +1270,10 @@ pf_state_expires(const struct pf_state * > return (state->expire + timeout); > } > > - #ifdef __FreeBSD__ > - int > - pf_purge_expired_src_nodes(int waslocked) > - #else > +#ifdef __FreeBSD__ > +int > +pf_purge_expired_src_nodes(int waslocked) > +#else > void > pf_purge_expired_src_nodes(int waslocked) > #endif > @@ -1315,7 +1352,7 @@ pf_src_tree_remove_state(struct pf_state > void > pf_unlink_state(struct pf_state *cur) > { > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > if (cur->local_flags & PFSTATE_EXPIRING) > return; > cur->local_flags |= PFSTATE_EXPIRING; 
> @@ -1378,10 +1415,10 @@ pf_free_state(struct pf_state *cur) > #endif > return; > #endif > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > KASSERT(cur->timeout == PFTM_UNLINKED, > ("pf_free_state: cur->timeout != PFTM_UNLINKED")); > - #else > +#else > KASSERT(cur->timeout == PFTM_UNLINKED); > #endif > if (--cur->rule.ptr->states_cur <= 0 && > @@ -1404,10 +1441,10 @@ pf_free_state(struct pf_state *cur) > pf_status.states--; > } > > - #ifdef __FreeBSD__ > - int > - pf_purge_expired_states(u_int32_t maxcheck, int waslocked) > - #else > +#ifdef __FreeBSD__ > +int > +pf_purge_expired_states(u_int32_t maxcheck, int waslocked) > +#else > void > pf_purge_expired_states(u_int32_t maxcheck) > #endif > @@ -1947,9 +1984,9 @@ pf_modulate_sack(struct mbuf *m, int off > struct tcphdr *th, struct pf_state_peer *dst) > { > int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen; > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > u_int8_t opts[TCP_MAXOLEN], *opt = opts; > - #else > +#else > u_int8_t opts[MAX_TCPOPTLEN], *opt = opts; > #endif > int copyback = 0, i, olen; > @@ -2004,9 +2041,9 @@ pf_modulate_sack(struct mbuf *m, int off > } > > void > - #ifdef __FreeBSD__ > - pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, > - #else > +#ifdef __FreeBSD__ > +pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, > +#else > pf_send_tcp(const struct pf_rule *r, sa_family_t af, > #endif > const struct pf_addr *saddr, const struct pf_addr *daddr, 
> @@ -2245,40 +2282,40 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty > struct pf_rule *r) > { > struct mbuf *m0; > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > struct ip *ip; > struct pf_mtag *pf_mtag; > - #endif > +#endif > > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > m0 = m_copypacket(m, M_DONTWAIT); > if (m0 == NULL) > return; > - #else > +#else > if ((m0 = m_copy(m, 0, M_COPYALL)) == NULL) > return; > #endif > > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > if ((pf_mtag = pf_get_mtag(m0)) == NULL) > return; > /* XXX: revisit */ > m0->m_flags |= M_SKIP_FIREWALL; > - #else > +#else > m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; > #endif > > if (r->rtableid >= 0) > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > { > M_SETFIB(m0, r->rtableid); > pf_mtag->rtableid = r->rtableid; > - #else > +#else > m0->m_pkthdr.pf.rtableid = r->rtableid; > - #endif > - #ifdef __FreeBSD__ > +#endif > +#ifdef __FreeBSD__ > } > - #endif > +#endif > > #ifdef ALTQ > if (r->qid) { > @@ -2297,7 +2334,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty > switch (af) { > #ifdef INET > case AF_INET: > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > /* icmp_error() expects host byte ordering */ > ip = mtod(m0, struct ip *); > NTOHS(ip->ip_len); > @@ -2305,20 +2342,20 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty > PF_UNLOCK(); > icmp_error(m0, type, code, 0, 0); > PF_LOCK(); > - #else > +#else > icmp_error(m0, type, code, 0, 0); > #endif > break; > #endif /* INET */ > #ifdef INET6 > case AF_INET6: > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > PF_UNLOCK(); > - #endif > +#endif > icmp6_error(m0, type, code, 0); > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > PF_LOCK(); > - #endif > +#endif > break; > #endif /* INET6 */ > } 
> @@ -2639,17 +2676,17 @@ pf_addr_inc(struct pf_addr *addr, sa_fam > #endif /* INET6 */ > > int > - #ifdef __FreeBSD__ > - pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg) > - #else > +#ifdef __FreeBSD__ > +pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg) > +#else > pf_socket_lookup(int direction, struct pf_pdesc *pd) > #endif > { > struct pf_addr *saddr, *daddr; > u_int16_t sport, dport; > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > struct inpcbinfo *pi; > - #else > +#else > struct inpcbtable *tb; > #endif > struct inpcb *inp; > @@ -2763,11 +2800,11 @@ pf_socket_lookup(int direction, struct p > default: > return (-1); > } > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > pd->lookup.uid = inp->inp_cred->cr_uid; > pd->lookup.gid = inp->inp_cred->cr_groups[0]; > INP_INFO_RUNLOCK(pi); > - #else > +#else > pd->lookup.uid = inp->inp_socket->so_euid; > pd->lookup.gid = inp->inp_socket->so_egid; > pd->lookup.pid = inp->inp_socket->so_cpid; > > Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_if.c > ============================================================================== > --- user/eri/pf45/head/sys/contrib/pf/net/pf_if.c Mon Oct 12 16:47:55 2009 (r197987) > +++ user/eri/pf45/head/sys/contrib/pf/net/pf_if.c Mon Oct 12 16:51:48 2009 (r197988) 
> @@ -32,37 +32,37 @@ > * POSSIBILITY OF SUCH DAMAGE. > */ > > - #if defined(__FreeBSD__) > - #include "opt_inet.h" > - #include "opt_inet6.h" > +#if defined(__FreeBSD__) > +#include "opt_inet.h" > +#include "opt_inet6.h" > > - #include <sys/cdefs.h> > +#include <sys/cdefs.h> > __FBSDID("$FreeBSD$"); > - #endif > +#endif > > #include <sys/param.h> > #include <sys/systm.h> > - #ifdef __FreeBSD__ > - #include <sys/malloc.h> > - #endif > +#ifdef __FreeBSD__ > +#include <sys/malloc.h> > +#endif > #include <sys/mbuf.h> > #include <sys/filio.h> > #include <sys/socket.h> > #include <sys/socketvar.h> > #include <sys/kernel.h> > - #ifndef __FreeBSD__ > +#ifndef __FreeBSD__ > #include <sys/device.h> > #endif > #include <sys/time.h> > - #ifndef __FreeBSD__ > +#ifndef __FreeBSD__ > #include <sys/pool.h> > #endif > > #include <net/if.h> > #include <net/if_types.h> > - #ifdef __FreeBSD__ > - #include <net/vnet.h> > - #endif > +#ifdef __FreeBSD__ > +#include <net/vnet.h> > +#endif > > #include <netinet/in.h> > #include <netinet/in_var.h> 
> @@ -76,25 +76,36 @@ __FBSDID("$FreeBSD$"); > #include <netinet/ip6.h> > #endif /* INET6 */ > > +#ifdef __FreeBSD__ > +VNET_DEFINE(struct pfi_kif, *pfi_all); > +VNET_DEFINE(uma_zone_t, pfi_addr_pl); > +VNET_DEFINE(struct pfi_ifhead, pfi_ifs); > +#define pfi_ifs VNET(pfi_ifs) > +VNET_DEFINE(long, pfi_update); > +#define pfi_update VNET(pfi_update) > +VNET_DEFINE(struct pfr_addr, *pfi_buffer); > +#define pfi_buffer VNET(pfi_buffer) > +VNET_DEFINE(int, pfi_buffer_cnt); > +#define pfi_buffer_cnt VNET(pfi_buffer_cnt) > +VNET_DEFINE(int, pfi_buffer_max); > +#define pfi_buffer_max VNET(pfi_buffer_max) > +#else > struct pfi_kif *pfi_all = NULL; > - #ifdef __FreeBSD__ > - uma_zone_t pfi_addr_pl; > - #else > struct pool pfi_addr_pl; > -#endif > struct pfi_ifhead pfi_ifs; > long pfi_update = 1; > struct pfr_addr *pfi_buffer; > int pfi_buffer_cnt; > int pfi_buffer_max; > - #ifdef __FreeBSD__ > - eventhandler_tag pfi_attach_cookie = NULL; > - eventhandler_tag pfi_detach_cookie = NULL; > - eventhandler_tag pfi_attach_group_cookie = NULL; > - eventhandler_tag pfi_change_group_cookie = NULL; > - eventhandler_tag pfi_detach_group_cookie = NULL; > - eventhandler_tag pfi_ifaddr_event_cookie = NULL; > - #endif > +#endif > +#ifdef __FreeBSD__ > +VNET_DEFINE(eventhandler_tag, pfi_attach_cookie); > +VNET_DEFINE(eventhandler_tag, pfi_detach_cookie); > +VNET_DEFINE(eventhandler_tag, pfi_attach_group_cookie); > +VNET_DEFINE(eventhandler_tag, pfi_change_group_cookie); > +VNET_DEFINE(eventhandler_tag, pfi_detach_group_cookie); > +VNET_DEFINE(eventhandler_tag, pfi_ifaddr_event_cookie); > +#endif > > void pfi_kif_update(struct pfi_kif *); > void pfi_dynaddr_update(struct pfi_dynaddr *dyn); 
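Review bot: `VNET_DEFINE(long, pfi_update)` drops the `= 1` initializer that the non-FreeBSD branch keeps (`long pfi_update = 1;`); a VNET_DEFINE can carry an initializer, `VNET_DEFINE(long, pfi_update) = 1;`, and it should unless a per-vnet init path not visible in this hunk sets it. `pfi_all` and `pfi_addr_pl` are also the only two objects in this block without a `#define name VNET(name)` accessor, so their unqualified uses in the rest of pf_if.c will not resolve unless that is provided elsewhere. The six eventhandler cookies are now per-vnet as well, which only makes sense if the EVENTHANDLER_REGISTER calls that fill them are likewise moved into a per-vnet attach; I can't see those from this hunk.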
> @@ -106,15 +117,15 @@ void pfi_address_add(struct sockaddr * > int pfi_if_compare(struct pfi_kif *, struct pfi_kif *); > int pfi_skip_if(const char *, struct pfi_kif *); > int pfi_unmask(void *); > - #ifdef __FreeBSD__ > - void pfi_attach_ifnet_event(void * __unused, struct ifnet *); > - void pfi_detach_ifnet_event(void * __unused, struct ifnet *); > - void pfi_attach_group_event(void * __unused, struct ifg_group *); > - void pfi_change_group_event(void * __unused, char *); > - void pfi_detach_group_event(void * __unused, struct ifg_group *); > - void pfi_ifaddr_event(void * __unused, struct ifnet *); > +#ifdef __FreeBSD__ > +void pfi_attach_ifnet_event(void * __unused, struct ifnet *); > +void pfi_detach_ifnet_event(void * __unused, struct ifnet *); > +void pfi_attach_group_event(void * __unused, struct ifg_group *); > +void pfi_change_group_event(void * __unused, char *); > +void pfi_detach_group_event(void * __unused, struct ifg_group *); > +void pfi_ifaddr_event(void * __unused, struct ifnet *); > > - #endif > +#endif > > RB_PROTOTYPE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); > RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); > > Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c > ============================================================================== > --- user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Mon Oct 12 16:47:55 2009 (r197987) > +++ user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Mon Oct 12 16:51:48 2009 (r197988) 
> @@ -176,24 +176,41 @@ int pf_addr_setup(struct pf_ruleset *
> struct pf_addr_wrap *, sa_family_t);
> void pf_addr_copyout(struct pf_addr_wrap *);
>
> -struct pf_rule pf_default_rule;
> +#define TAGID_MAX 50000
> #ifdef __FreeBSD__
> -struct sx pf_consistency_lock;
> -SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock, "pf_statetbl_lock");
> -#else
> -struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk");
> +VNET_DEFINE(struct pf_rule, pf_default_rule);
> +#define pf_default_rule VNET(pf_default_rule);
> +VNET_DEFINE(struct sx, pf_consistency_lock);
> +#define pf_consistency_lock VNET(pf_consistency_lock);
> +SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock,
> + "pf_statetbl_lock");
> +#ifdef ALTQ
> +static VNET_DEFINE(int, pf_altq_running);
> +#define pf_altq_running VNET(pf_altq_running)
> #endif
> +
> +TAILQ_HEAD(pf_tags, pf_tagname);
> +
> +VNET_DEFINE(struct pf_tags, pf_tags);
> +#define pf_tags VNET(pf_tags)
> +VNET_DEFINE(struct pf_tags, pf_qids);
> +#define pf_qids VNET(pf_qids);
> +
> +#else /* !__FreeBSD__ */
> +struct pf_rule pf_default_rule;
> +struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk");
> #ifdef ALTQ
> -static int pf_altq_running;
> +static int pf_altq_running;
> #endif
>
> -#define TAGID_MAX 50000
> TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags),
> pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids);
> +#endif /* __FreeBSD__ */
>
> #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE)
> #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
> #endif
> +
> u_int16_t tagname2tag(struct pf_tags *, char *);
> void tag2tagname(struct pf_tags *, u_int16_t, char *);
> void tag_unref(struct pf_tags *, u_int16_t);
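Review bot: Three of the new accessor macros carry a trailing semicolon — `#define pf_default_rule VNET(pf_default_rule);`, `#define pf_consistency_lock VNET(pf_consistency_lock);`, `#define pf_qids VNET(pf_qids);` — so `SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock, ...)` two lines later and `pf_default_rule.timeout` in pfattach expand to `VNET(x);` in the middle of an expression; the `;` has to go on all three. `#define pf_tags VNET(pf_tags)` collides with the struct tag that `TAILQ_HEAD(pf_tags, pf_tagname)` declares just above it: every later `struct pf_tags *` (the tagname2tag/tag2tagname/tag_unref prototypes at the end of this hunk) becomes `struct VNET(pf_tags) *`, so either the tag or the object needs a different name. The per-vnet `pf_tags`/`pf_qids` also lose their TAILQ_HEAD_INITIALIZER and nothing in this hunk calls TAILQ_INIT on them per vnet. SX_SYSINIT is a one-shot SYSINIT, so even with the macro fixed it presumably initialises only one vnet's instance of the lock; a VNET_SYSINIT (or an sx_init in a per-vnet attach routine) is the per-vnet form.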
> @@ -204,120 +221,116 @@ void pf_rtlabel_copyout(struct pf_add > #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x > > #ifdef __FreeBSD__ > - static struct cdev *pf_dev; > - > - /* > - * XXX - These are new and need to be checked when moveing to a new version > - */ > - static void pf_clear_states(void); > - static int pf_clear_tables(void); > - static void pf_clear_srcnodes(void); > - /* > - * XXX - These are new and need to be checked when moveing to a new version > - */ > - > - /* > - * Wrapper functions for pfil(9) hooks > - */ > - static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, > - int dir, struct inpcb *inp); > - static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, > - int dir, struct inpcb *inp); > - #ifdef INET6 > - static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, > - int dir, struct inpcb *inp); > - static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, > - int dir, struct inpcb *inp); > - #endif > - > - static int hook_pf(void); > - static int dehook_pf(void); > - static int shutdown_pf(void); > - static int pf_load(void); > - static int pf_unload(void); > - > -static struct cdevsw pf_cdevsw = { > - .d_ioctl = pfioctl, > - .d_name = PF_NAME, > - .d_version = D_VERSION, > - }; > - > - static volatile int pf_pfil_hooked = 0; > - int pf_end_threads = 0; > - struct mtx pf_task_mtx; > - #ifdef __FreeBSD__ > - /* pfsync */ > - pfsync_state_import_t *pfsync_state_import_ptr = NULL; > - pfsync_insert_state_t *pfsync_insert_state_ptr = NULL; > - pfsync_update_state_t *pfsync_update_state_ptr = NULL; > - pfsync_delete_state_t *pfsync_delete_state_ptr = NULL; > - pfsync_clear_states_t *pfsync_clear_states_ptr = NULL; > - pfsync_state_in_use_t *pfsync_state_in_use_ptr = NULL; > - pfsync_defer_t *pfsync_defer_ptr = NULL; > - pfsync_up_t *pfsync_up_ptr = NULL; > - /* pflow */ > - export_pflow_t *export_pflow_ptr = NULL; > - #if NPFLOG >0 > - pflog_packet_t *pflog_packet_ptr = 
NULL; > - #endif > - #else > - pflog_packet_t *pflog_packet_ptr = NULL; > - #endif > - > - int debug_pfugidhack = 0; > - SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0, > - "Enable/disable pf user/group rules mpsafe hack"); > - > - void > - init_pf_mutex(void) > - { > - mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF); > - } > +static VNET_DEFINE(struct cdev, *pf_dev); > > - void > - destroy_pf_mutex(void) > - { > - mtx_destroy(&pf_task_mtx); > - } > - void > - init_zone_var(void) > - { > - pf_src_tree_pl = pf_rule_pl = NULL; > - pf_state_pl = pf_state_key_pl = pf_state_item_pl = NULL; > +/* > + * XXX - These are new and need to be checked when moveing to a new version > + */ > +static void pf_clear_states(void); > +static int pf_clear_tables(void); > +static void pf_clear_srcnodes(void); > +/* > + * XXX - These are new and need to be checked when moveing to a new version > + */ > + > +/* > + * Wrapper functions for pfil(9) hooks > + */ > +static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, > + int dir, struct inpcb *inp); > +static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, > + int dir, struct inpcb *inp); > +#ifdef INET6 > +static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, > + int dir, struct inpcb *inp); > +static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, > + int dir, struct inpcb *inp); > +#endif > + > +static int hook_pf(void); > +static int dehook_pf(void); > +static int shutdown_pf(void); > +static int pf_load(void); > +static int pf_unload(void); > + > +static VNET_DEFINE(struct cdevsw, pf_cdevsw); > +#define pf_cdevsw VNET(pf_cdevsw) > + > +static volatile VNET_DEFINE(int, pf_pfil_hooked); > +#define pf_pfil_hooked VNET(pf_pfil_hooked) > +VNET_DEFINE(int, pf_end_threads); > +#define pf_end_threads VNET(pf_end_threads) > +struct mtx pf_task_mtx; > + > +/* pfsync */ > +VNET_DEFINE(pfsync_state_import_t, *pfsync_state_import_ptr); > 
+VNET_DEFINE(pfsync_insert_state_t, *pfsync_insert_state_ptr); > +VNET_DEFINE(pfsync_update_state_t, *pfsync_update_state_ptr); > +VNET_DEFINE(pfsync_delete_state_t, *pfsync_delete_state_ptr); > +VNET_DEFINE(pfsync_clear_states_t, *pfsync_clear_states_ptr); > +VNET_DEFINE(pfsync_state_in_use_t, *pfsync_state_in_use_ptr); > +VNET_DEFINE(pfsync_defer_t, *pfsync_defer_ptr); > +VNET_DEFINE(pfsync_up_t, *pfsync_up_ptr); > +/* pflow */ > +VNET_DEFINE(export_pflow_t, *export_pflow_ptr); > +/* pflog */ > +VNET_DEFINE(pflog_packet_t, *pflog_packet_ptr); > + > +VNET_DEFINE(int, debug_pfugidhack); > +SYSCTL_VNET_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, > + &debug_pfugidhack, 0, > + "Enable/disable pf user/group rules mpsafe hack"); > + > +void > +init_pf_mutex(void) > +{ > + mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF); > +} > + > +void > +destroy_pf_mutex(void) > +{ > + mtx_destroy(&pf_task_mtx); > +} > +void > +init_zone_var(void) > +{ > + pf_src_tree_pl = pf_rule_pl = NULL; > + pf_state_pl = pf_state_key_pl = pf_state_item_pl = NULL; > pf_altq_pl = pf_pooladdr_pl = NULL; > - pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL; > - pf_state_scrub_pl = NULL; > - pfr_ktable_pl = pfr_kentry_pl = NULL; > - } > - > - void > - cleanup_pf_zone(void) > - { > - UMA_DESTROY(pf_src_tree_pl); > - UMA_DESTROY(pf_rule_pl); > - UMA_DESTROY(pf_state_pl); > - UMA_DESTROY(pf_state_key_pl); > - UMA_DESTROY(pf_state_item_pl); > - UMA_DESTROY(pf_altq_pl); > - UMA_DESTROY(pf_pooladdr_pl); > - UMA_DESTROY(pf_frent_pl); > - UMA_DESTROY(pf_frag_pl); > - UMA_DESTROY(pf_cache_pl); > - UMA_DESTROY(pf_cent_pl); > - UMA_DESTROY(pfr_ktable_pl); > - UMA_DESTROY(pfr_kentry_pl); > - UMA_DESTROY(pf_state_scrub_pl); > - UMA_DESTROY(pfi_addr_pl); > - } > + pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL; > + pf_state_scrub_pl = NULL; > + pfr_ktable_pl = pfr_kentry_pl = NULL; > +} > + > +void > +cleanup_pf_zone(void) > +{ > + UMA_DESTROY(pf_src_tree_pl); > + 
UMA_DESTROY(pf_rule_pl); > + UMA_DESTROY(pf_state_pl); > + UMA_DESTROY(pf_state_key_pl); > + UMA_DESTROY(pf_state_item_pl); > + UMA_DESTROY(pf_altq_pl); > + UMA_DESTROY(pf_pooladdr_pl); > + UMA_DESTROY(pf_frent_pl); > + UMA_DESTROY(pf_frag_pl); > + UMA_DESTROY(pf_cache_pl); > + UMA_DESTROY(pf_cent_pl); > + UMA_DESTROY(pfr_ktable_pl); > + UMA_DESTROY(pfr_kentry_pl); > + UMA_DESTROY(pf_state_scrub_pl); > + UMA_DESTROY(pfi_addr_pl); > +} > > int > - pfattach(void) > - { > - u_int32_t *my_timeout = pf_default_rule.timeout; > - int error = 1; > - > +pfattach(void) > +{ > + u_int32_t *my_timeout = pf_default_rule.timeout; > + int error = 1; > + > do { > - UMA_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl"); > + UMA_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl"); > UMA_CREATE(pf_rule_pl, struct pf_rule, "pfrulepl"); > UMA_CREATE(pf_state_pl, struct pf_state, "pfstatepl"); > UMA_CREATE(pf_state_key_pl, struct pf_state, "pfstatekeypl"); > @@ -410,9 +423,9 @@ int > if (kproc_create(pf_purge_thread, NULL, NULL, 0, 0, "pfpurge")) > return (ENXIO); > > - return (error); > - } > - #else /* !__FreeBSD__ */ > + return (error); > +} > +#else /* !__FreeBSD__ */ > > void > pfattach(int num) > @@ -3463,7 +3476,7 @@ fail: > return (error); > } > > - #ifdef __FreeBSD__ > +#ifdef __FreeBSD__ > void > pfsync_state_export(struct pfsync_state *sp, struct pf_state *st) > { 
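Review bot: `static VNET_DEFINE(struct cdevsw, pf_cdevsw);` replaces the removed `static struct cdevsw pf_cdevsw = { .d_ioctl = pfioctl, .d_name = PF_NAME, .d_version = D_VERSION };` with a zero-filled struct, so unless the part of the file cut off by the truncation fills it in before make_dev(), the device is registered with no ioctl handler and no D_VERSION. A cdevsw, and the `pf_dev` it is registered through, is global kernel state and has no reason to be per-vnet; keeping both as plain statics with the original initializer is the simpler fix. `VNET_DEFINE(int, debug_pfugidhack)` renames the symbol, but pf.c still declares `extern int debug_pfugidhack;` (hunk @@ -155 there), and the `SYSCTL_VNET_INT(..., &debug_pfugidhack, ...)` here has no `#define debug_pfugidhack VNET(debug_pfugidhack)` to resolve against; pf.c needs `VNET_DECLARE(int, debug_pfugidhack)` plus the accessor, and the sysctl pointer is conventionally spelled `&VNET_NAME(debug_pfugidhack)`.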
> @@ -3525,34 +3538,34 @@ pfsync_state_export(struct pfsync_state > > } > > - /* > - * XXX - Check for version missmatch!!! > - */ > - static void > - pf_clear_states(void) > - { > +/* > + * XXX - Check for version missmatch!!! > + */ > +static void > +pf_clear_states(void) > +{ > struct pf_state *state; > > RB_FOREACH(state, pf_state_tree_id, &tree_id) { > state->timeout = PFTM_PURGE; > - #if NPFSYNC > +#if NPFSYNC > /* don't send out individual delete messages */ > state->sync_state = PFSTATE_NOSYNC; > - #endif > +#endif > pf_unlink_state(state); > } > > #if 0 /* NPFSYNC */ > - /* > - * XXX This is called on module unload, we do not want to sync that over? */ > - */ > - pfsync_clear_states(pf_status.hostid, psk->psk_ifname); > - #endif > - } > +/* > + * XXX This is called on module unload, we do not want to sync that over? */ > + */ > + pfsync_clear_states(pf_status.hostid, psk->psk_ifname); > +#endif > +} > > - static int > - pf_clear_tables(void) > - { > +static int > +pf_clear_tables(void) > +{ > struct pfioc_table io; > int error; > > @@ -3562,11 +3575,11 @@ pfsync_state_export(struct pfsync_state > io.pfrio_flags); > > return (error); > - } > +} > > - static void > - pf_clear_srcnodes(void) > - { > +static void > +pf_clear_srcnodes(void) > +{ > struct pf_src_node *n; > struct pf_state *state; > > @@ -3578,17 +3591,17 @@ pfsync_state_export(struct pfsync_state > n->expire = 1; > n->states = 0; > } > - } > - /* > - * XXX - Check for version missmatch!!! > - */ > - > - /* > - * Duplicate pfctl -Fa operation to get rid of as much as we can. > - */ > - static int > - shutdown_pf(void) > - { > +} > +/* > + * XXX - Check for version missmatch!!! > + */ > + > +/* > + * Duplicate pfctl -Fa operation to get rid of as much as we can. > + */ > +static int > +shutdown_pf(void) > +{ > int error = 0; > u_int32_t t[5]; > char nn = '\0'; 
> @@ -3631,13 +3644,13 @@ pfsync_state_export(struct pfsync_state > if ((error = pf_clear_tables()) != 0) > break; > > - #ifdef ALTQ > +#ifdef ALTQ > if ((error = pf_begin_altq(&t[0])) != 0) { > DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n")); > break; > } > pf_commit_altq(t[0]); > - #endif > +#endif > > pf_clear_states(); > > @@ -3648,12 +3661,13 @@ pfsync_state_export(struct pfsync_state > } while(0); > > return (error); > - } > +} > > - static int > - pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > - struct inpcb *inp) > - { > +#ifdef INET > +static int > +pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > + struct inpcb *inp) > +{ > /* > * XXX Wed Jul 9 22:03:16 2003 UTC > * OpenBSD has changed its byte ordering convention on ip_len/ip_off > @@ -3683,12 +3697,12 @@ pfsync_state_export(struct pfsync_state > NTOHS(h->ip_off); > } > return chk; > - } > +} > > - static int > - pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > - struct inpcb *inp) > - { > +static int > +pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > + struct inpcb *inp) > +{ > /* > * XXX Wed Jul 9 22:03:16 2003 UTC > * OpenBSD has changed its byte ordering convention on ip_len/ip_off > @@ -3724,12 +3738,13 @@ pfsync_state_export(struct pfsync_state > } > return chk; > } > +#endif > > - #ifdef INET6 > - static int > - pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > - struct inpcb *inp) > - { > +#ifdef INET6 > +static int > +pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > + struct inpcb *inp) > +{ > > /* > * IPv6 is not affected by ip_len/ip_off byte order changes. 
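Review bot: The new `#ifdef INET` before pf_check_in (hunk @@ -3648) and the matching `#endif` after pf_check_out (hunk @@ -3724) are not mirrored on the two prototypes in hunk @@ -204, where only the INET6 pair is conditional; in a kernel built without INET that leaves two `static` functions declared but never defined, which -Werror builds reject. Wrap those two prototypes in `#ifdef INET` / `#endif` the same way the `pf_check6_*` ones are. The `#ifdef INET` added inside hook_pf belongs to a hunk that the truncation cuts off, so its balance cannot be checked here.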
> @@ -3748,12 +3763,12 @@ pfsync_state_export(struct pfsync_state > *m = NULL; > } > return chk; > - } > +} > > - static int > - pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > - struct inpcb *inp) > - { > +static int > +pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, > + struct inpcb *inp) > +{ > /* > * IPv6 does not affected ip_len/ip_off byte order changes. > */ > @@ -3770,28 +3785,32 @@ pfsync_state_export(struct pfsync_state > *m = NULL; > } > return chk; > - } > - #endif /* INET6 */ > +} > +#endif /* INET6 */ > > - static int > - hook_pf(void) > - { > +static int > +hook_pf(void) > +{ > +#ifdef INET > struct pfil_head *pfh_inet; > - #ifdef INET6 > +#endif > +#ifdef INET6 > struct pfil_head *pfh_inet6; > - #endif > +#endif > > PF_ASSERT(MA_NOTOWNED); > > if (pf_pfil_hooked) > return (0); > > +#ifdef INET > pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); > > *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** >