From owner-p4-projects@FreeBSD.ORG Wed Nov 1 14:19:28 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id DE02A16A4C2; Wed, 1 Nov 2006 14:19:27 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A874016A4AB for ; Wed, 1 Nov 2006 14:19:27 +0000 (UTC) (envelope-from piso@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7630543D46 for ; Wed, 1 Nov 2006 14:19:27 +0000 (GMT) (envelope-from piso@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kA1EJR7F038299 for ; Wed, 1 Nov 2006 14:19:27 GMT (envelope-from piso@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kA1EJQ54038296 for perforce@freebsd.org; Wed, 1 Nov 2006 14:19:26 GMT (envelope-from piso@freebsd.org) Date: Wed, 1 Nov 2006 14:19:26 GMT Message-Id: <200611011419.kA1EJQ54038296@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to piso@freebsd.org using -f 
From: Paolo Pisati To: Perforce Change Reviews Cc: Subject: PERFORCE change 108917 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Nov 2006 14:19:28 -0000 http://perforce.freebsd.org/chv.cgi?CH=108917 Change 108917 by piso@piso_newluxor on 2006/11/01 14:18:45 -back out the #ifdef LIBALIAS ... #endif stuff: libalias + nat support add ~120kb to the total kernel size (if both are compiled in), and i guess people can live with that. If someone with _real_ size constraint complains, i'll take a second look at it. -wrap lines at 80 and fix spacing Affected files ... .. //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#26 edit Differences ... ==== //depot/projects/soc2005/libalias/sys/netinet/ip_fw2.c#26 (text+ko) ==== @@ -138,9 +138,7 @@ struct ip_fw_chain { struct ip_fw *rules; /* list of rules */ struct ip_fw *reap; /* list of rules to reap */ -#ifdef LIBALIAS LIST_HEAD(, cfg_nat) nat; /* list of nat entries */ -#endif struct radix_node_head *tables[IPFW_TABLES_MAX]; struct rwlock rwmtx; }; @@ -2032,7 +2030,6 @@ return match; } -#ifdef LIBALIAS static eventhandler_tag ifaddr_event_tag; static void @@ -2053,7 +2050,7 @@ continue; ptr->ip = ((struct sockaddr_in *) (ifa->ifa_addr))->sin_addr; - LibAliasSetAddress(ptr->lib, ptr->ip); + LibAliasSetAddress(ptr->lib, ptr->ip); } mtx_unlock(&ifp->if_addr_mtx); } 
@@ -2168,14 +2165,17 @@ u_short remotePortCopy = r->rport + i; if (r->rport_cnt == 1 && r->rport == 0) remotePortCopy = 0; - r->alink[i] = LibAliasRedirectPort (ptr->lib, r->laddr, - htons(r->lport + i), - r->raddr, - htons(remotePortCopy), - r->paddr, - htons(r->pport + i), - r->proto); - if (r->alink[i] == NULL) { + r->alink[i] = + LibAliasRedirectPort( + ptr->lib, + r->laddr, + htons(r->lport + i), + r->raddr, + htons(remotePortCopy), + r->paddr, + htons(r->pport + i), + r->proto); + if (r->alink[i] == NULL) { r->alink[0] = NULL; break; } @@ -2186,7 +2186,7 @@ r->laddr, r->raddr, r->paddr, - r->proto); + r->proto); break; default: printf("unknown redirect mode: %u\n", r->mode); @@ -2198,7 +2198,8 @@ } else /* LSNAT handling. */ for (i = 0; i < r->spool_cnt; i++) { ser_s = (struct cfg_spool *)&buf[off]; - s = malloc(sof_redir, M_IPFW, M_WAITOK | M_ZERO); + s = malloc(sof_redir, M_IPFW, + M_WAITOK | M_ZERO); memcpy(s, ser_s, sof_spool); LibAliasAddServer(ptr->lib, r->alink[0], s->addr, @@ -2215,7 +2216,6 @@ /* something really bad happened: panic! */ panic("%s\n", panic_err); } -#endif /* * The main check routine for the firewall. @@ -3439,7 +3439,7 @@ retval = (cmd->opcode == O_NETGRAPH) ? IP_FW_NETGRAPH : IP_FW_NGTEE; goto done; -#ifdef LIBALIAS + case O_NAT: { struct cfg_nat *t; struct mbuf *mcl; 
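Review bot: When LibAliasRedirectPort() fails for some i > 0, the `if (r->alink[i] == NULL)` branch only clears `r->alink[0]` and breaks, so the links already created for indices 0..i-1 stay registered in the libalias instance with no handle left in the rule to reach them. Before clearing the slot, walk back over the earlier indices and release each one through libalias' redirect-delete routine, e.g. `while (i-- > 0) LibAliasRedirectDelete(ptr->lib, r->alink[i]);` (assuming that is the entry point this tree's libalias exports), and only then set `r->alink[0] = NULL`. add_redir_spool_cfg starts before this hunk, so whether the caller relies on alink[0] alone to detect the failure cannot be confirmed from here.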
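Review bot: The LSNAT branch sizes the spool entry with the wrong constant: `s = malloc(sof_redir, M_IPFW, M_WAITOK | M_ZERO);` allocates a struct cfg_redir-sized object that is then filled as a struct cfg_spool by `memcpy(s, ser_s, sof_spool)`. That is only harmless while sof_redir >= sof_spool, which nothing in the hunk guarantees; the allocation should read `s = malloc(sof_spool, M_IPFW, M_WAITOK | M_ZERO);`. Separately, `ser_s = (struct cfg_spool *)&buf[off]` is evaluated for each of `r->spool_cnt` entries with no visible check that `off + sof_spool` stays inside the NAT_BUF_LEN buffer that IP_FW_NAT_CFG copies in from userland; if the count originates from that buffer, a bound check belongs before the cast. The function begins before this hunk, so an earlier check may exist outside the view.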
@@ -3449,55 +3449,72 @@ args->rule = f; /* Report matching rule. */ retval = 0; - t = ((ipfw_insn_nat *)cmd)->nat; + t = ((ipfw_insn_nat *)cmd)->nat; if (t == NULL) { t = lookup_nat(cmd->arg1); if (t == NULL) { retval = IP_FW_DENY; goto done; } else - ((ipfw_insn_nat *)cmd)->nat = t; + ((ipfw_insn_nat *)cmd)->nat = + t; } - if ((mcl = m_megapullup(m, m->m_pkthdr.len)) == NULL) + if ((mcl = m_megapullup(m, m->m_pkthdr.len)) == + NULL) goto badnat; ip = mtod(mcl, struct ip *); if (args->eh == NULL) { ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); + ip->ip_off = htons(ip->ip_off); } /* - * XXX - Libalias checksum offload 'duct tape': + * XXX - Libalias checksum offload 'duct tape': * - * locally generated packets have only pseudo-header - * checksum calculated and libalias will screw it[1], + * locally generated packets have only + * pseudo-header + * checksum calculated and libalias will + screw it[1], * so mark them for later fix. - * Moreover there are cases when libalias modify tcp + * Moreover there are cases when libalias + modify tcp * packet data[2], mark it for later fix too. * - * [1] libalias was never meant to run in kernel, so - * it doesn't have any knowledge about checksum - * offloading, and it expects a packet with a full + * [1] libalias was never meant to run in + kernel, so + * it doesn't have any knowledge about + checksum + * offloading, and it expects a packet with + a full * internet checksum. Unfortunately, packets * generated locally will have just the pseudo - * header calculated, and when libalias tries to - * adjust the checksum it will actually screw it. + * header calculated, and when libalias tries + to + * adjust the checksum it will actually screw + it. 
* - * [2] when libalias modify tcp's data content, + * [2] when libalias modify tcp's data content, * full TCP checksum has to be recomputed: - * the problem is that libalias doesn't have any + * the problem is that libalias doesn't have + any * idea about checksum offloading - * To workaround this, we do not do checksumming - * in LibAlias, but only mark the packets in th_x2 + * To workaround this, we do not do + checksumming + * in LibAlias, but only mark the packets in + th_x2 * field. If we receive a marked packet, we * calculate correct checksum for it aware of * offloading. * Why such a terrible hack instead of * recalculating checksum for each packet? - * Because the previous checksum was not checked! - * Recalculating checksums for EVERY packet will - * hide ALL transmission errors. Yes, marked packets - * still suffer from this problem. But, sigh, natd(8) + * Because the previous checksum was not + checked! + * Recalculating checksums for EVERY packet + will + * hide ALL transmission errors. Yes, marked + packets + * still suffer from this problem. But, sigh, + natd(8) * has this problem, too. * * TODO: @@ -3506,15 +3523,17 @@ */ if (mcl->m_pkthdr.rcvif == NULL && - mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { + mcl->m_pkthdr.csum_flags & + CSUM_DELAY_DATA) ldt = 1; - } c = mtod(mcl, char *); if (oif == NULL) - retval = LibAliasIn(t->lib, c, MCLBYTES); + retval = LibAliasIn(t->lib, c, + MCLBYTES); else - retval = LibAliasOut(t->lib, c, MCLBYTES); + retval = LibAliasOut(t->lib, c, + MCLBYTES); if (retval != PKT_ALIAS_OK) { /* XXX - should i add some logging? */ m_free(mcl); @@ -3523,7 +3542,8 @@ retval = IP_FW_DENY; goto done; } - mcl->m_pkthdr.len = mcl->m_len = ntohs(ip->ip_len); + mcl->m_pkthdr.len = mcl->m_len = + ntohs(ip->ip_len); /* * XXX - libalias checksum offload 
@@ -3532,10 +3552,11 @@ if ((ip->ip_off & htons(IP_OFFMASK)) == 0 && ip->ip_p == IPPROTO_TCP) { - struct tcphdr *th = (struct tcphdr *)(ip + 1); - + struct tcphdr *th; + + th = (struct tcphdr *)(ip + 1); if (th->th_x2) - ldt = 1; + ldt = 1; } if (ldt) { @@ -3544,49 +3565,58 @@ u_short cksum; ip->ip_len = ntohs(ip->ip_len); - cksum = in_pseudo( + cksum = in_pseudo( ip->ip_src.s_addr, ip->ip_dst.s_addr, - htons(ip->ip_p + ip->ip_len - (ip->ip_hl << 2)) + htons(ip->ip_p + ip->ip_len - + (ip->ip_hl << 2)) ); switch (ip->ip_p) { case IPPROTO_TCP: th = (struct tcphdr *)(ip + 1); - /* Maybe it was set in libalias... */ + /* + * Maybe it was set in + * libalias... + */ th->th_x2 = 0; th->th_sum = cksum; mcl->m_pkthdr.csum_data = - offsetof(struct tcphdr, + offsetof(struct tcphdr, th_sum); break; case IPPROTO_UDP: uh = (struct udphdr *)(ip + 1); uh->uh_sum = cksum; mcl->m_pkthdr.csum_data = - offsetof(struct udphdr, + offsetof(struct udphdr, uh_sum); break; } - /* No hw checksum offloading: do it by ourself. */ - if ((mcl->m_pkthdr.csum_flags & CSUM_DELAY_DATA) == 0) { + /* + * No hw checksum offloading: do it + * by ourself. + */ + if ((mcl->m_pkthdr.csum_flags & + CSUM_DELAY_DATA) == 0) { in_delayed_cksum(mcl); - mcl->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; + mcl->m_pkthdr.csum_flags &= + ~CSUM_DELAY_DATA; } ip->ip_len = htons(ip->ip_len); } if (args->eh == NULL) { ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); + ip->ip_off = ntohs(ip->ip_off); } args->m = mcl; retval = IP_FW_NAT; goto done; } -#endif + default: panic("-- unknown opcode %d\n", cmd->opcode); } /* end of switch() on opcodes */ @@ -4533,7 +4563,7 @@ free(tbl, M_TEMP); } break; -#ifdef LIBALIAS + case IP_FW_NAT_CFG: { struct cfg_nat *ptr, *ser_n; 
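Review bot: `th = (struct tcphdr *)(ip + 1);` places the TCP header right after a 20-byte IP header, so on a packet carrying IP options the `th->th_x2` test reads from inside the options instead of the TCP header, even though the pseudo-header computation later in this case derives the real header length from `ip->ip_hl << 2`. Use `th = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));` and, since `mcl->m_len` was just set from `ntohs(ip->ip_len)`, check `mcl->m_len >= (ip->ip_hl << 2) + sizeof(struct tcphdr)` before dereferencing it. The enclosing O_NAT case of ipfw_chk starts before this hunk.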
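Review bot: In the ldt fix-up the pseudo-header length correctly subtracts `ip->ip_hl << 2`, yet `th = (struct tcphdr *)(ip + 1);` and `uh = (struct udphdr *)(ip + 1);` still assume a 20-byte IP header, so with IP options the checksum seed and the `csum_data` offset are written into the wrong bytes. Derive both pointers from the same header length, e.g. `th = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));` and likewise for `uh`. The switch has no default arm; a one-line comment such as `/* ldt is only raised for TCP/UDP, nothing to patch otherwise */` would record why that is acceptable, assuming the CSUM_DELAY_DATA and th_x2 tests earlier in this case are the only places ldt is set.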
@@ -4541,15 +4571,17 @@ buf = malloc(NAT_BUF_LEN, M_IPFW, M_WAITOK | M_ZERO); - error = sooptcopyin(sopt, buf, NAT_BUF_LEN, sizeof(struct cfg_nat)); + error = sooptcopyin(sopt, buf, NAT_BUF_LEN, + sizeof(struct cfg_nat)); ser_n = (struct cfg_nat *)buf; /* * Find/create nat rule. */ IPFW_WLOCK(&layer3_chain); - ptr = lookup_nat(ser_n->id); - if (ptr == NULL) { /* New rule: allocate and init new instance. */ + ptr = lookup_nat(ser_n->id); + if (ptr == NULL) { + /* New rule: allocate and init new instance. */ ptr = malloc(sizeof(struct cfg_nat), M_IPFW, M_NOWAIT | M_ZERO); if (ptr == NULL) { @@ -4561,13 +4593,14 @@ if (ptr->lib == NULL) { free(ptr, M_IPFW); free(buf, M_IPFW); - IPFW_WUNLOCK(&layer3_chain); + IPFW_WUNLOCK(&layer3_chain); return(EINVAL); } LIST_INIT(&ptr->redir_chain); - } else { /* Entry already present: temporarly unhook it. */ + } else { + /* Entry already present: temporarly unhook it. */ UNHOOK_NAT(ptr); - flush_nat_ptrs(ser_n->id); + flush_nat_ptrs(ser_n->id); } IPFW_WUNLOCK(&layer3_chain); @@ -4576,7 +4609,8 @@ */ ptr->id = ser_n->id; /* - * XXX - what if this rule doesn't nat any ip and just redirect? + * XXX - what if this rule doesn't nat any ip and just + * redirect? * do we set aliasaddress to 0.0.0.0? */ ptr->ip = ser_n->ip; @@ -4584,14 +4618,15 @@ ptr->mode = ser_n->mode; LibAliasSetMode(ptr->lib, ser_n->mode, ser_n->mode); LibAliasSetAddress(ptr->lib, ptr->ip); - memcpy(ptr->if_name, ser_n->if_name, IF_NAMESIZE); + memcpy(ptr->if_name, ser_n->if_name, IF_NAMESIZE); /* * Redir and LSNAT configuration. */ - del_redir_spool_cfg(ptr, &ptr->redir_chain); /* Delete old cfgs. */ - add_redir_spool_cfg(&buf[(sizeof(struct cfg_nat))], - ptr); /* Add new entries. */ + /* Delete old cfgs. */ + del_redir_spool_cfg(ptr, &ptr->redir_chain); + /* Add new entries. */ + add_redir_spool_cfg(&buf[(sizeof(struct cfg_nat))], ptr); free(buf, M_IPFW); IPFW_WLOCK(&layer3_chain); HOOK_NAT(&layer3_chain.nat, ptr); 
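Review bot: The result of `error = sooptcopyin(sopt, buf, NAT_BUF_LEN, sizeof(struct cfg_nat));` is stored but never tested before `ser_n->id` is read, so a short or faulted copy from userland is processed as a zeroed or partial configuration. Add `if (error) { free(buf, M_IPFW); break; }` directly after the copy, ahead of the cast and of IPFW_WLOCK. ipfw_ctl is much larger than this hunk, so the error-return convention of the neighbouring cases should be matched.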
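Review bot: `memcpy(ptr->if_name, ser_n->if_name, IF_NAMESIZE);` copies the interface name straight from the userland-supplied buffer without forcing a terminator, so a name of IF_NAMESIZE non-NUL bytes is left unterminated in the kernel structure; if ifaddr_change compares it as a C string (its body starts before the hunk on line 2 and cannot be confirmed here) that comparison runs past the field. Add `ptr->if_name[IF_NAMESIZE - 1] = '\0';` after the copy, or reject such names with EINVAL. Note also that the redirect configuration is rebuilt between IPFW_WUNLOCK and the IPFW_WLOCK/HOOK_NAT pair, so a concurrent IP_FW_NAT_CFG for the same id appears able to pass lookup_nat in that window and allocate a second instance; if that is accepted, a comment saying so would help the next reader.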
@@ -4643,11 +4678,16 @@ off += sof_nat; LIST_FOREACH(r, &n->redir_chain, _next) { if (off + sof_redir < NAT_BUF_LEN) { - bcopy(r, &data[off], sof_redir); + bcopy(r, &data[off], + sof_redir); off += sof_redir; - LIST_FOREACH(s, &r->spool_chain, _next) { - if (off + sof_spool < NAT_BUF_LEN) { - bcopy(s, &data[off], sof_spool); + LIST_FOREACH(s, + &r->spool_chain, + _next) { + if (off + sof_spool < + NAT_BUF_LEN) { + bcopy(s, &data[off], + sof_spool); off += sof_spool; } else goto nospace; @@ -4665,7 +4705,8 @@ break; nospace: IPFW_RUNLOCK(&layer3_chain); - printf("serialized data buffer not big enough: please increase NAT_BUF_LEN\n"); + printf("serialized data buffer not big enough:" + "please increase NAT_BUF_LEN\n"); free(data, M_IPFW); } break; @@ -4699,7 +4740,7 @@ free(data, M_IPFW); } break; -#endif + default: printf("ipfw: ipfw_ctl invalid option %d\n", sopt->sopt_name); error = EINVAL; @@ -4872,11 +4913,9 @@ ip_fw_ctl_ptr = ipfw_ctl; ip_fw_chk_ptr = ipfw_chk; callout_reset(&ipfw_timeout, hz, ipfw_tick, NULL); -#ifdef LIBALIAS LIST_INIT(&layer3_chain.nat); ifaddr_event_tag = EVENTHANDLER_REGISTER(ifaddr_event, ifaddr_change, NULL, EVENTHANDLER_PRI_ANY); -#endif return (0); } @@ -4884,16 +4923,13 @@ ipfw_destroy(void) { struct ip_fw *reap; -#ifdef LIBALIAS struct cfg_nat *ptr, *ptr_temp; -#endif ip_fw_chk_ptr = NULL; ip_fw_ctl_ptr = NULL; callout_drain(&ipfw_timeout); IPFW_WLOCK(&layer3_chain); flush_tables(&layer3_chain); -#ifdef LIBALIAS LIST_FOREACH_SAFE(ptr, &layer3_chain.nat, _next, ptr_temp) { LIST_REMOVE(ptr, _next); del_redir_spool_cfg(ptr, &ptr->redir_chain); @@ -4901,7 +4937,6 @@ free(ptr, M_IPFW); } EVENTHANDLER_DEREGISTER(ifaddr_event, ifaddr_event_tag); -#endif layer3_chain.reap = NULL; free_chain(&layer3_chain, 1 /* kill default rule */); reap = layer3_chain.reap, layer3_chain.reap = NULL;
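Review bot: `bcopy(r, &data[off], sof_redir);` and `bcopy(s, &data[off], sof_spool);` copy the in-kernel structs wholesale into the buffer returned to userland, and struct cfg_redir visibly carries kernel pointers (the `alink[]` handles filled by LibAliasRedirectPort and the `_next` linkage walked by LIST_FOREACH), so this get-config path discloses kernel addresses to any process permitted to issue the sockopt. Serialize through a stack copy instead: copy `*r` into a local `struct cfg_redir`, zero its `alink` array and list pointers, and bcopy that, and do the same for each spool entry's `_next`. Where `data` is finally copied out lies outside this hunk.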
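Review bot: Splitting the message drops its word separator: `"serialized data buffer not big enough:" "please increase NAT_BUF_LEN\n"` concatenates to `enough:please`. Restore the space with `"serialized data buffer not big enough: " "please increase NAT_BUF_LEN\n"`. It is also worth confirming, outside this hunk, that the nospace path sets `error`, since it frees `data` without visibly reporting the failure to the caller.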