From owner-svn-src-stable@FreeBSD.ORG Sat May 18 05:31:18 2013 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id E38C530A; Sat, 18 May 2013 05:31:18 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id D31FF166; Sat, 18 May 2013 05:31:18 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r4I5VIkI000272; Sat, 18 May 2013 05:31:18 GMT (envelope-from melifaro@svn.freebsd.org) Received: (from melifaro@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r4I5VHZL000266; Sat, 18 May 2013 05:31:17 GMT (envelope-from melifaro@svn.freebsd.org) Message-Id: <201305180531.r4I5VHZL000266@svn.freebsd.org> From: "Alexander V. Chernikov" Date: Sat, 18 May 2013 05:31:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r250760 - stable/9/sys/netpfil/ipfw X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 May 2013 05:31:19 -0000 Author: melifaro Date: Sat May 18 05:31:17 2013 New Revision: 250760 URL: http://svnweb.freebsd.org/changeset/base/250760 Log: Merge r244633, r250246. Use unified IP_FW_ARG_TABLEARG() macro for most tablearg checks. Log real value instead of IP_FW_TABLEARG (65535) in ipfw_log(). Use unified method for accessing / updating cached rule pointers. Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c stable/9/sys/netpfil/ipfw/ip_fw_log.c stable/9/sys/netpfil/ipfw/ip_fw_private.h Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- stable/9/sys/netpfil/ipfw/ip_fw2.c Sat May 18 04:49:00 2013 (r250759) +++ stable/9/sys/netpfil/ipfw/ip_fw2.c Sat May 18 05:31:17 2013 (r250760) @@ -782,6 +782,38 @@ set_match(struct ip_fw_args *args, int s } /* + * Helper function to enable cached rule lookups using + * x_next and next_rule fields in ipfw rule. + */ +static int +jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num, + int tablearg, int jump_backwards) +{ + int f_pos; + + /* If possible use cached f_pos (in f->next_rule), + * whose version is written in f->next_rule + * (horrible hacks to avoid changing the ABI). + */ + if (num != IP_FW_TABLEARG && (uintptr_t)f->x_next == chain->id) + f_pos = (uintptr_t)f->next_rule; + else { + int i = IP_FW_ARG_TABLEARG(num); + /* make sure we do not jump backward */ + if (jump_backwards == 0 && i <= f->rulenum) + i = f->rulenum + 1; + f_pos = ipfw_find_rule(chain, i, 0); + /* update the cache */ + if (num != IP_FW_TABLEARG) { + f->next_rule = (void *)(uintptr_t)f_pos; + f->x_next = (void *)(uintptr_t)chain->id; + } + } + + return (f_pos); +} + +/* * The main check routine for the firewall. * * All arguments are in args so we can modify them and return them @@ -1842,8 +1874,7 @@ do { \ case O_TAG: { struct m_tag *mtag; - uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; + uint32_t tag = IP_FW_ARG_TABLEARG(cmd->arg1); /* Packet is already tagged with this tag? */ mtag = m_tag_locate(m, MTAG_IPFW, tag, NULL); @@ -1922,8 +1953,7 @@ do { \ case O_TAGGED: { struct m_tag *mtag; - uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; + uint32_t tag = IP_FW_ARG_TABLEARG(cmd->arg1); if (cmdlen == 1) { match = m_tag_locate(m, MTAG_IPFW, @@ -2062,8 +2092,7 @@ do { \ case O_PIPE: case O_QUEUE: set_match(args, f_pos, chain); - args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; + args->rule.info = IP_FW_ARG_TABLEARG(cmd->arg1); if (cmd->opcode == O_PIPE) args->rule.info |= IPFW_IS_PIPE; if (V_fw_one_pass) @@ -2083,8 +2112,7 @@ do { \ retval = (cmd->opcode == O_DIVERT) ? IP_FW_DIVERT : IP_FW_TEE; set_match(args, f_pos, chain); - args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; + args->rule.info = IP_FW_ARG_TABLEARG(cmd->arg1); break; case O_COUNT: @@ -2098,28 +2126,7 @@ do { \ f->pcnt++; /* update stats */ f->bcnt += pktlen; f->timestamp = time_uptime; - /* If possible use cached f_pos (in f->next_rule), - * whose version is written in f->next_rule - * (horrible hacks to avoid changing the ABI). - */ - if (cmd->arg1 != IP_FW_TABLEARG && - (uintptr_t)f->x_next == chain->id) { - f_pos = (uintptr_t)f->next_rule; - } else { - int i = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; - /* make sure we do not jump backward */ - if (i <= f->rulenum) - i = f->rulenum + 1; - f_pos = ipfw_find_rule(chain, i, 0); - /* update the cache */ - if (cmd->arg1 != IP_FW_TABLEARG) { - f->next_rule = - (void *)(uintptr_t)f_pos; - f->x_next = - (void *)(uintptr_t)chain->id; - } - } + f_pos = jump_fast(chain, f, cmd->arg1, tablearg, 0); /* * Skip disabled rules, and re-enter * the inner loop with the correct @@ -2210,26 +2217,8 @@ do { \ if (IS_CALL) { stack[mtag->m_tag_id] = f->rulenum; mtag->m_tag_id++; - if (cmd->arg1 != IP_FW_TABLEARG && - (uintptr_t)f->x_next == chain->id) { - f_pos = (uintptr_t)f->next_rule; - } else { - jmpto = (cmd->arg1 == - IP_FW_TABLEARG) ? tablearg: - cmd->arg1; - f_pos = ipfw_find_rule(chain, - jmpto, 0); - /* update the cache */ - if (cmd->arg1 != - IP_FW_TABLEARG) { - f->next_rule = - (void *)(uintptr_t) - f_pos; - f->x_next = - (void *)(uintptr_t) - chain->id; - } - } + f_pos = jump_fast(chain, f, cmd->arg1, + tablearg, 1); } else { /* `return' action */ mtag->m_tag_id--; jmpto = stack[mtag->m_tag_id] + 1; @@ -2336,8 +2325,7 @@ do { \ case O_NETGRAPH: case O_NGTEE: set_match(args, f_pos, chain); - args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; + args->rule.info = IP_FW_ARG_TABLEARG(cmd->arg1); if (V_fw_one_pass) args->rule.info |= IPFW_ONEPASS; retval = (cmd->opcode == O_NETGRAPH) ? @@ -2352,8 +2340,7 @@ do { \ f->pcnt++; /* update stats */ f->bcnt += pktlen; f->timestamp = time_uptime; - fib = (cmd->arg1 == IP_FW_TABLEARG) ? tablearg: - cmd->arg1; + fib = IP_FW_ARG_TABLEARG(cmd->arg1); if (fib >= rt_numfibs) fib = 0; M_SETFIB(m, fib); @@ -2379,8 +2366,7 @@ do { \ } t = ((ipfw_insn_nat *)cmd)->nat; if (t == NULL) { - nat_id = (cmd->arg1 == IP_FW_TABLEARG) ? - tablearg : cmd->arg1; + nat_id = IP_FW_ARG_TABLEARG(cmd->arg1); t = (*lookup_nat_ptr)(&chain->nat, nat_id); if (t == NULL) { Modified: stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c ============================================================================== --- stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Sat May 18 04:49:00 2013 (r250759) +++ stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Sat May 18 05:31:17 2013 (r250760) @@ -696,8 +696,7 @@ ipfw_install_state(struct ip_fw *rule, i uint16_t limit_mask = cmd->limit_mask; int pindex; - conn_limit = (cmd->conn_limit == IP_FW_TABLEARG) ? - tablearg : cmd->conn_limit; + conn_limit = IP_FW_ARG_TABLEARG(cmd->conn_limit); DEB( if (cmd->conn_limit == IP_FW_TABLEARG) Modified: stable/9/sys/netpfil/ipfw/ip_fw_log.c ============================================================================== --- stable/9/sys/netpfil/ipfw/ip_fw_log.c Sat May 18 04:49:00 2013 (r250759) +++ stable/9/sys/netpfil/ipfw/ip_fw_log.c Sat May 18 05:31:17 2013 (r250760) @@ -255,19 +255,19 @@ ipfw_log(struct ip_fw *f, u_int hlen, st break; case O_SETFIB: snprintf(SNPARGS(action2, 0), "SetFib %d", - cmd->arg1); + IP_FW_ARG_TABLEARG(cmd->arg1)); break; case O_SKIPTO: snprintf(SNPARGS(action2, 0), "SkipTo %d", - cmd->arg1); + IP_FW_ARG_TABLEARG(cmd->arg1)); break; case O_PIPE: snprintf(SNPARGS(action2, 0), "Pipe %d", - cmd->arg1); + IP_FW_ARG_TABLEARG(cmd->arg1)); break; case O_QUEUE: snprintf(SNPARGS(action2, 0), "Queue %d", - cmd->arg1); + IP_FW_ARG_TABLEARG(cmd->arg1)); break; case O_FORWARD_IP: { ipfw_insn_sa *sa = (ipfw_insn_sa *)cmd; Modified: stable/9/sys/netpfil/ipfw/ip_fw_private.h ============================================================================== --- stable/9/sys/netpfil/ipfw/ip_fw_private.h Sat May 18 04:49:00 2013 (r250759) +++ stable/9/sys/netpfil/ipfw/ip_fw_private.h Sat May 18 05:31:17 2013 (r250760) @@ -236,6 +236,8 @@ struct ip_fw_chain { struct sockopt; /* used by tcp_var.h */ + +#define IP_FW_ARG_TABLEARG(a) ((a) == IP_FW_TABLEARG) ? tablearg : (a) /* * The lock is heavily used by ip_fw2.c (the main file) and ip_fw_nat.c * so the variable and the macros must be here.