Date: Sat, 8 Sep 2012 06:41:54 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r240233 - in head: . contrib/pf/man contrib/pf/pfctl sys/contrib/altq/altq sys/contrib/pf/net sys/modules/pf sys/net sys/netinet sys/netinet/ipfw sys/netinet6 sys/netipsec sys/sys usr.b... Message-ID: <201209080641.q886fslk037192@svn.freebsd.org>
Author: glebius Date: Sat Sep 8 06:41:54 2012 New Revision: 240233 URL: http://svn.freebsd.org/changeset/base/240233 Log: Merge the projects/pf/head branch, that was worked on for last six months, into head. The most significant achievements in the new code: o Fine grained locking, thus much better performance. o Fixes to many problems in pf, that were specific to FreeBSD port. New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers. Those interested in details, can browse through SVN log of the projects/pf/head branch. And for reference, here is exact list of revisions merged: r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212. 
I'd like to thank people who participated in early testing: Tested by: Florian Smeets <flo freebsd.org> Tested by: Chekaluk Vitaly <artemrts ukr.net> Tested by: Ben Wilber <ben desync.com> Tested by: Ian FREISLICH <ianf cloudseed.co.za> Deleted: head/sys/contrib/pf/net/if_pflow.h Modified: head/UPDATING head/contrib/pf/man/pf.4 head/contrib/pf/man/pf.conf.5 head/contrib/pf/pfctl/parse.y head/contrib/pf/pfctl/pf_print_state.c head/contrib/pf/pfctl/pfctl.c head/contrib/pf/pfctl/pfctl_parser.c head/contrib/pf/pfctl/pfctl_table.c head/sys/contrib/altq/altq/altq_cbq.c head/sys/contrib/altq/altq/altq_hfsc.c head/sys/contrib/altq/altq/altq_priq.c head/sys/contrib/altq/altq/altq_subr.c head/sys/contrib/pf/net/if_pflog.c head/sys/contrib/pf/net/if_pflog.h head/sys/contrib/pf/net/if_pfsync.c head/sys/contrib/pf/net/if_pfsync.h head/sys/contrib/pf/net/pf.c head/sys/contrib/pf/net/pf_if.c head/sys/contrib/pf/net/pf_ioctl.c head/sys/contrib/pf/net/pf_lb.c head/sys/contrib/pf/net/pf_mtag.h head/sys/contrib/pf/net/pf_norm.c head/sys/contrib/pf/net/pf_osfp.c head/sys/contrib/pf/net/pf_ruleset.c head/sys/contrib/pf/net/pf_table.c head/sys/contrib/pf/net/pfvar.h head/sys/modules/pf/Makefile head/sys/net/if.c head/sys/netinet/in_gif.c head/sys/netinet/ip_icmp.c head/sys/netinet/ipfw/ip_fw2.c head/sys/netinet/raw_ip.c head/sys/netinet/tcp_subr.c head/sys/netinet6/icmp6.c head/sys/netinet6/in6_gif.c head/sys/netipsec/ipsec_input.c head/sys/netipsec/ipsec_output.c head/sys/netipsec/xform_ipip.c head/sys/sys/mbuf.h head/sys/sys/param.h head/usr.bin/netstat/if.c head/usr.sbin/bsnmpd/modules/snmp_pf/BEGEMOT-PF-MIB.txt head/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c head/usr.sbin/bsnmpd/modules/snmp_pf/pf_tree.def Modified: head/UPDATING ============================================================================== --- head/UPDATING Sat Sep 8 04:42:33 2012 (r240232) +++ head/UPDATING Sat Sep 8 06:41:54 2012 (r240233) 
@@ -24,6 +24,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10 disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20120908: + The pf(4) packet filter ABI has been changed. pfctl(8) and + snmp_pf module need to be recompiled to work with new kernel. + 20120828: A new ZFS feature flag "com.delphix:empty_bpobj" has been merged to -HEAD. Pools that have empty_bpobj in active state can not be Modified: head/contrib/pf/man/pf.4 ============================================================================== --- head/contrib/pf/man/pf.4 Sat Sep 8 04:42:33 2012 (r240232) +++ head/contrib/pf/man/pf.4 Sat Sep 8 06:41:54 2012 (r240233) @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 17 2011 +.Dd June 29 2012 .Dt PF 4 .Os .Sh NAME @@ -75,6 +75,25 @@ separated by characters, similar to how file system hierarchies are laid out. The final component of the anchor path is the anchor under which operations will be performed. +.Sh SYSCTL VARIABLES AND LOADER TUNABLES +The following +.Xr loader 8 +tunables are available. +.Bl -tag -width indent +.It Va net.pf.states_hashsize +Size of hash tables that store states. +Should be power of 2. +Default value is 32768. +.It Va net.pf.source_nodes_hashsize +Size of hash table that store source nodes. +Should be power of 2. +Default value is 8192. +.El +.Pp +Read only +.Xr sysctl 8 +variables with matching names are provided to obtain current values +at runtime. .Sh IOCTL INTERFACE .Nm supports the following @@ -351,7 +370,6 @@ struct pf_status { u_int64_t scounters[SCNT_MAX]; u_int64_t pcounters[2][2][3]; u_int64_t bcounters[2][2]; - u_int64_t stateid; u_int32_t running; u_int32_t states; u_int32_t src_nodes; 
@@ -493,7 +511,7 @@ struct pfioc_limit { }; enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, - PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; + PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; .Ed .It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" Get the hard Modified: head/contrib/pf/man/pf.conf.5 ============================================================================== --- head/contrib/pf/man/pf.conf.5 Sat Sep 8 04:42:33 2012 (r240232) +++ head/contrib/pf/man/pf.conf.5 Sat Sep 8 06:41:54 2012 (r240233) @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 31 2009 +.Dd June 29 2012 .Dt PF.CONF 5 .Os .Sh NAME @@ -1421,7 +1421,7 @@ has the socket open where the packet is (depending on which socket is local). This is in addition to the normal information logged. .Pp -Due to the problems described in the BUGS section only the first packet +Only the first packet logged via .Ar log (all, user) will have the user credentials logged when using stateful matching. @@ -1479,13 +1479,6 @@ of the following keywords: .Bl -tag -width xxxxxxxxxxxxxx -compact .It Ar any Any address. -.It Ar route Aq Ar label -Any address whose associated route has label -.Aq Ar label . -See -.Xr route 4 -and -.Xr route 8 . .It Ar no-route Any address which is not currently routable. .It Ar urpf-failed @@ -1594,7 +1587,6 @@ pass in proto tcp from any to any port 2 pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e to ! 10.1.2.3 port != ssh pass in proto tcp from any os "OpenBSD" -pass in proto tcp from route "DTAG" .Ed .It Ar all This is equivalent to "from any to any". 
@@ -2949,9 +2941,9 @@ proto-list = ( proto-name | proto-nu hosts = "all" | "from" ( "any" | "no-route" | "urpf-failed" | "self" | host | - "{" host-list "}" | "route" string ) [ port ] [ os ] + "{" host-list "}" ) [ port ] [ os ] "to" ( "any" | "no-route" | "self" | host | - "{" host-list "}" | "route" string ) [ port ] + "{" host-list "}" ) [ port ] ipspec = "any" | host | "{" host-list "}" host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) @@ -3048,28 +3040,6 @@ Protocol name database. .It Pa /etc/services Service name database. .El -.Sh BUGS -Due to a lock order reversal (LOR) with the socket layer, the use of the -.Ar group -and -.Ar user -filter parameter in conjuction with a Giant-free netstack -can result in a deadlock. -A workaround is available under the -.Va debug.pfugidhack -sysctl which is automatically enabled when a -.Ar user -/ -.Ar group -rule is added or -.Ar log (user) -is specified. -.Pp -Route labels are not supported by the -.Fx -.Xr route 4 -system. -Rules with a route label do not match any traffic. .Sh SEE ALSO .Xr altq 4 , .Xr carp 4 , @@ -3080,7 +3050,6 @@ Rules with a route label do not match an .Xr pf 4 , .Xr pflow 4 , .Xr pfsync 4 , -.Xr route 4 , .Xr tcp 4 , .Xr udp 4 , .Xr hosts 5 , @@ -3090,7 +3059,6 @@ Rules with a route label do not match an .Xr ftp-proxy 8 , .Xr pfctl 8 , .Xr pflogd 8 , -.Xr route 8 .Sh HISTORY The .Nm Modified: head/contrib/pf/pfctl/parse.y ============================================================================== --- head/contrib/pf/pfctl/parse.y Sat Sep 8 04:42:33 2012 (r240232) +++ head/contrib/pf/pfctl/parse.y Sat Sep 8 06:41:54 2012 (r240233) 
@@ -159,8 +159,7 @@ enum { PF_STATE_OPT_MAX, PF_STATE_OPT_NO PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN, PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES, PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK, - PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, - PF_STATE_OPT_PFLOW }; + PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, }; enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE }; @@ -451,7 +450,7 @@ int parseport(char *, struct range *r, i %token QUEUE PRIORITY QLIMIT RTABLE %token LOAD RULESET_OPTIMIZATION %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE -%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW +%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS %token DIVERTTO DIVERTREPLY %token <v.string> STRING @@ -2081,15 +2080,6 @@ pfrule : action dir logquick interface } r.rule_flag |= PFRULE_STATESLOPPY; break; - case PF_STATE_OPT_PFLOW: - if (r.rule_flag & PFRULE_PFLOW) { - yyerror("state pflow " - "option: multiple " - "definitions"); - YYERROR; - } - r.rule_flag |= PFRULE_PFLOW; - break; case PF_STATE_OPT_TIMEOUT: if (o->data.timeout.number == PFTM_ADAPTIVE_START || @@ -2909,26 +2899,6 @@ host : STRING { $$->next = NULL; $$->tail = $$; } - | ROUTE STRING { - $$ = calloc(1, sizeof(struct node_host)); - if ($$ == NULL) { - free($2); - err(1, "host: calloc"); - } - $$->addr.type = PF_ADDR_RTLABEL; - if (strlcpy($$->addr.v.rtlabelname, $2, - sizeof($$->addr.v.rtlabelname)) >= - sizeof($$->addr.v.rtlabelname)) { - yyerror("route label too long, max %u chars", - sizeof($$->addr.v.rtlabelname) - 1); - free($2); - free($$); - YYERROR; - } - $$->next = NULL; - $$->tail = $$; - free($2); - } ; number : NUMBER 
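Review bot: The rewritten enum terminator `PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, };` leaves a trailing comma before the closing brace, which the original list did not have and which none of the other enums in this hunk use (`PF_SRCTRACK_RULE };`). It is legal C99 but reads as a leftover from deleting PF_STATE_OPT_PFLOW; `PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY };` matches the file's style. The `enum {` line itself is outside the hunk.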
@@ -3597,14 +3567,6 @@ state_opt_item : MAXIMUM NUMBER { $$->next = NULL; $$->tail = $$; } - | PFLOW { - $$ = calloc(1, sizeof(struct node_state_opt)); - if ($$ == NULL) - err(1, "state_opt_item: calloc"); - $$->type = PF_STATE_OPT_PFLOW; - $$->next = NULL; - $$->tail = $$; - } | STRING NUMBER { int i; @@ -5320,7 +5282,6 @@ lookup(char *s) { "out", OUT}, { "overload", OVERLOAD}, { "pass", PASS}, - { "pflow", PFLOW}, { "port", PORT}, { "priority", PRIORITY}, { "priq", PRIQ}, Modified: head/contrib/pf/pfctl/pf_print_state.c ============================================================================== --- head/contrib/pf/pfctl/pf_print_state.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/contrib/pf/pfctl/pf_print_state.c Sat Sep 8 06:41:54 2012 (r240233) @@ -119,9 +119,6 @@ print_addr(struct pf_addr_wrap *addr, sa case PF_ADDR_URPFFAILED: printf("urpf-failed"); return; - case PF_ADDR_RTLABEL: - printf("route \"%s\"", addr->v.rtlabelname); - return; default: printf("?"); return; @@ -339,8 +336,6 @@ print_state(struct pfsync_state *s, int printf(", rule %u", ntohl(s->rule)); if (s->state_flags & PFSTATE_SLOPPY) printf(", sloppy"); - if (s->state_flags & PFSTATE_PFLOW) - printf(", pflow"); if (s->sync_flags & PFSYNC_FLAG_SRCNODE) printf(", source-track"); if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE) Modified: head/contrib/pf/pfctl/pfctl.c ============================================================================== --- head/contrib/pf/pfctl/pfctl.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/contrib/pf/pfctl/pfctl.c Sat Sep 8 06:41:54 2012 (r240233) @@ -144,7 +144,6 @@ static const struct { { "states", PF_LIMIT_STATES }, { "src-nodes", PF_LIMIT_SRC_NODES }, { "frags", PF_LIMIT_FRAGS }, - { "tables", PF_LIMIT_TABLES }, { "table-entries", PF_LIMIT_TABLE_ENTRIES }, { NULL, 0 } }; 
@@ -1553,9 +1552,6 @@ pfctl_fopen(const char *name, const char void pfctl_init_options(struct pfctl *pf) { - int64_t mem; - int mib[2]; - size_t size; pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL; pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL; @@ -1581,21 +1577,8 @@ pfctl_init_options(struct pfctl *pf) pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT; pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT; pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT; - pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT; pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT; - mib[0] = CTL_HW; -#ifdef __FreeBSD__ - mib[1] = HW_PHYSMEM; -#else - mib[1] = HW_PHYSMEM64; -#endif - size = sizeof(mem); - if (sysctl(mib, 2, &mem, &size, NULL, 0) == -1) - err(1, "sysctl"); - if (mem <= 100*1024*1024) - pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL; - pf->debug = PF_DEBUG_URGENT; } Modified: head/contrib/pf/pfctl/pfctl_parser.c ============================================================================== --- head/contrib/pf/pfctl/pfctl_parser.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/contrib/pf/pfctl/pfctl_parser.c Sat Sep 8 06:41:54 2012 (r240233) @@ -955,12 +955,6 @@ print_rule(struct pf_rule *r, const char printf("sloppy"); opts = 0; } - if (r->rule_flag & PFRULE_PFLOW) { - if (!opts) - printf(", "); - printf("pflow"); - opts = 0; - } for (i = 0; i < PFTM_MAX; ++i) if (r->timeout[i]) { int j; Modified: head/contrib/pf/pfctl/pfctl_table.c ============================================================================== --- head/contrib/pf/pfctl/pfctl_table.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/contrib/pf/pfctl/pfctl_table.c Sat Sep 8 06:41:54 2012 (r240233) 
@@ -621,8 +621,7 @@ print_iface(struct pfi_kif *p, int opts) if (!(opts & PF_OPT_VERBOSE2)) return; printf("\tCleared: %s", ctime(&tzero)); - printf("\tReferences: [ States: %-18d Rules: %-18d ]\n", - p->pfik_states, p->pfik_rules); + printf("\tReferences: %-18d\n", p->pfik_rulerefs); for (i = 0; i < 8; i++) { af = (i>>2) & 1; dir = (i>>1) &1; Modified: head/sys/contrib/altq/altq/altq_cbq.c ============================================================================== --- head/sys/contrib/altq/altq/altq_cbq.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/sys/contrib/altq/altq/altq_cbq.c Sat Sep 8 06:41:54 2012 (r240233) @@ -271,10 +271,9 @@ cbq_add_altq(struct pf_altq *a) return (ENODEV); /* allocate and initialize cbq_state_t */ - cbqp = malloc(sizeof(cbq_state_t), M_DEVBUF, M_WAITOK); + cbqp = malloc(sizeof(cbq_state_t), M_DEVBUF, M_NOWAIT | M_ZERO); if (cbqp == NULL) return (ENOMEM); - bzero(cbqp, sizeof(cbq_state_t)); CALLOUT_INIT(&cbqp->cbq_callout); cbqp->cbq_qlen = 0; cbqp->ifnp.ifq_ = &ifp->if_snd; /* keep the ifq */ Modified: head/sys/contrib/altq/altq/altq_hfsc.c ============================================================================== --- head/sys/contrib/altq/altq/altq_hfsc.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/sys/contrib/altq/altq/altq_hfsc.c Sat Sep 8 06:41:54 2012 (r240233) @@ -200,10 +200,9 @@ hfsc_add_altq(struct pf_altq *a) if (!ALTQ_IS_READY(&ifp->if_snd)) return (ENODEV); - hif = malloc(sizeof(struct hfsc_if), M_DEVBUF, M_WAITOK); + hif = malloc(sizeof(struct hfsc_if), M_DEVBUF, M_NOWAIT | M_ZERO); if (hif == NULL) return (ENOMEM); - bzero(hif, sizeof(struct hfsc_if)); hif->hif_eligible = ellist_alloc(); if (hif->hif_eligible == NULL) { Modified: head/sys/contrib/altq/altq/altq_priq.c ============================================================================== --- head/sys/contrib/altq/altq/altq_priq.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/sys/contrib/altq/altq/altq_priq.c Sat Sep 8 06:41:54 2012 (r240233) 
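Review bot: The `if (cbqp == NULL) return (ENOMEM);` check in cbq_add_altq is now reachable, because `M_WAITOK` (which never returns NULL) became `M_NOWAIT | M_ZERO`; the commit does not say why sleeping is no longer allowed here. Presumably cbq_add_altq is now called with a non-sleepable pf lock held, but nothing in the hunk records that, so a later reader may "fix" it back to M_WAITOK. A one-line comment on the allocation would pin the constraint: `/* M_NOWAIT: caller holds a non-sleepable lock */`, with the lock named once confirmed. The function begins outside the hunk.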
@@ -132,11 +132,9 @@ priq_add_altq(struct pf_altq *a) if (!ALTQ_IS_READY(&ifp->if_snd)) return (ENODEV); - pif = malloc(sizeof(struct priq_if), - M_DEVBUF, M_WAITOK); + pif = malloc(sizeof(struct priq_if), M_DEVBUF, M_NOWAIT | M_ZERO); if (pif == NULL) return (ENOMEM); - bzero(pif, sizeof(struct priq_if)); pif->pif_bandwidth = a->ifbandwidth; pif->pif_maxpri = -1; pif->pif_ifq = &ifp->if_snd; Modified: head/sys/contrib/altq/altq/altq_subr.c ============================================================================== --- head/sys/contrib/altq/altq/altq_subr.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/sys/contrib/altq/altq/altq_subr.c Sat Sep 8 06:41:54 2012 (r240233) @@ -401,14 +401,11 @@ tbr_set(ifq, profile) return (0); } - IFQ_UNLOCK(ifq); - tbr = malloc(sizeof(struct tb_regulator), - M_DEVBUF, M_WAITOK); - if (tbr == NULL) { /* can not happen */ + tbr = malloc(sizeof(struct tb_regulator), M_DEVBUF, M_NOWAIT | M_ZERO); + if (tbr == NULL) { IFQ_UNLOCK(ifq); return (ENOMEM); } - bzero(tbr, sizeof(struct tb_regulator)); tbr->tbr_rate = TBR_SCALE(profile->rate / 8) / machclk_freq; tbr->tbr_depth = TBR_SCALE(profile->depth); @@ -420,7 +417,6 @@ tbr_set(ifq, profile) tbr->tbr_last = read_machclk(); tbr->tbr_lastop = ALTDQ_REMOVE; - IFQ_LOCK(ifq); otbr = ifq->altq_tbr; ifq->altq_tbr = tbr; /* set the new tbr */ Modified: head/sys/contrib/pf/net/if_pflog.c ============================================================================== --- head/sys/contrib/pf/net/if_pflog.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/sys/contrib/pf/net/if_pflog.c Sat Sep 8 06:41:54 2012 (r240233) 
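Review bot: tbr_set now holds the IFQ lock across the allocation, so `return (ENOMEM)` after the `M_NOWAIT | M_ZERO` malloc is a real failure path where the old `/* can not happen */` code could never fail; every caller of tbr_set must now tolerate ENOMEM, and that is outside the hunk. Keeping the lock held also removes the unlock/relock window in which another thread could have installed `ifq->altq_tbr` between the old `IFQ_UNLOCK` and `IFQ_LOCK`, which is an improvement worth stating in the commit or a comment. Suggested comment above the malloc: `/* IFQ lock is held: cannot sleep, so the allocation may fail */`. tbr_set starts before this hunk.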
@@ -1,10 +1,10 @@ /* $OpenBSD: if_pflog.c,v 1.26 2007/10/18 21:58:18 mpf Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and + * Angelos D. Keromytis (kermit@csd.uch.gr) and * Niels Provos (provos@physnet.uni-hamburg.de). * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, + * This code was written by John Ioannidis for BSD/OS in Athens, Greece, * in November 1995. * * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, @@ -20,7 +20,7 @@ * Permission to use, copy, and modify this software with or without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or - * modification of this software. + * modification of this software. * You may use this code under the GNU public license if you so wish. Please * contribute changes back to the authors under this freer than GPL license * so that we may further the use of strong encryption without limitations to 
@@ -33,61 +33,34 @@ * PURPOSE. */ -#ifdef __FreeBSD__ +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + #include "opt_inet.h" #include "opt_inet6.h" #include "opt_bpf.h" #include "opt_pf.h" -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#ifdef DEV_BPF -#define NBPFILTER DEV_BPF -#else -#define NBPFILTER 0 -#endif - -#ifdef DEV_PFLOG -#define NPFLOG DEV_PFLOG -#else -#define NPFLOG 0 -#endif - -#else /* ! __FreeBSD__ */ -#include "bpfilter.h" -#include "pflog.h" -#endif /* __FreeBSD__ */ - #include <sys/param.h> -#include <sys/systm.h> +#include <sys/kernel.h> #include <sys/mbuf.h> +#include <sys/module.h> #include <sys/proc.h> #include <sys/socket.h> -#ifdef __FreeBSD__ -#include <sys/kernel.h> -#include <sys/limits.h> -#include <sys/malloc.h> -#include <sys/module.h> #include <sys/sockio.h> -#else -#include <sys/ioctl.h> -#endif +#include <net/bpf.h> #include <net/if.h> -#ifdef __FreeBSD__ #include <net/if_clone.h> -#endif +#include <net/if_pflog.h> #include <net/if_types.h> -#include <net/route.h> -#include <net/bpf.h> +#include <net/pfvar.h> #if defined(INET) || defined(INET6) #include <netinet/in.h> #endif #ifdef INET #include <netinet/in_var.h> -#include <netinet/in_systm.h> #include <netinet/ip.h> #endif @@ -96,14 +69,9 @@ __FBSDID("$FreeBSD$"); #include <netinet6/nd6.h> #endif /* INET6 */ -#include <net/pfvar.h> -#include <net/if_pflog.h> - -#ifdef __FreeBSD__ #ifdef INET #include <machine/in_cksum.h> #endif /* INET */ -#endif /* __FreeBSD__ */ #define PFLOGMTU (32768 + MHLEN + MLEN) 
@@ -113,170 +81,82 @@ __FBSDID("$FreeBSD$"); #define DPRINTF(x) #endif -void pflogattach(int); -int pflogoutput(struct ifnet *, struct mbuf *, struct sockaddr *, -#ifdef __FreeBSD__ - struct route *); -#else - struct rtentry *); -#endif -int pflogioctl(struct ifnet *, u_long, caddr_t); -void pflogstart(struct ifnet *); -#ifdef __FreeBSD__ -static int pflog_clone_create(struct if_clone *, int, caddr_t); -static void pflog_clone_destroy(struct ifnet *); -#else -int pflog_clone_create(struct if_clone *, int); -int pflog_clone_destroy(struct ifnet *); -#endif +static int pflogoutput(struct ifnet *, struct mbuf *, struct sockaddr *, + struct route *); +static void pflogattach(int); +static int pflogioctl(struct ifnet *, u_long, caddr_t); +static void pflogstart(struct ifnet *); +static int pflog_clone_create(struct if_clone *, int, caddr_t); +static void pflog_clone_destroy(struct ifnet *); -LIST_HEAD(, pflog_softc) pflogif_list; -#ifdef __FreeBSD__ IFC_SIMPLE_DECLARE(pflog, 1); -#else -struct if_clone pflog_cloner = - IF_CLONE_INITIALIZER("pflog", pflog_clone_create, pflog_clone_destroy); -#endif struct ifnet *pflogifs[PFLOGIFS_MAX]; /* for fast access */ -void +static void pflogattach(int npflog) { int i; - LIST_INIT(&pflogif_list); for (i = 0; i < PFLOGIFS_MAX; i++) pflogifs[i] = NULL; if_clone_attach(&pflog_cloner); } -#ifdef __FreeBSD__ static int pflog_clone_create(struct if_clone *ifc, int unit, caddr_t param) -#else -int -pflog_clone_create(struct if_clone *ifc, int unit) -#endif { struct ifnet *ifp; - struct pflog_softc *pflogif; - int s; if (unit >= PFLOGIFS_MAX) return (EINVAL); - if ((pflogif = malloc(sizeof(*pflogif), - M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL) - return (ENOMEM); - - pflogif->sc_unit = unit; -#ifdef __FreeBSD__ - ifp = pflogif->sc_ifp = if_alloc(IFT_PFLOG); + ifp = if_alloc(IFT_PFLOG); if (ifp == NULL) { - free(pflogif, M_DEVBUF); return (ENOSPC); } if_initname(ifp, ifc->ifc_name, unit); -#else - ifp = &pflogif->sc_if; - snprintf(ifp->if_xname, 
sizeof ifp->if_xname, "pflog%d", unit); -#endif - ifp->if_softc = pflogif; ifp->if_mtu = PFLOGMTU; ifp->if_ioctl = pflogioctl; ifp->if_output = pflogoutput; ifp->if_start = pflogstart; -#ifndef __FreeBSD__ - ifp->if_type = IFT_PFLOG; -#endif ifp->if_snd.ifq_maxlen = ifqmaxlen; ifp->if_hdrlen = PFLOG_HDRLEN; if_attach(ifp); -#ifndef __FreeBSD__ - if_alloc_sadl(ifp); -#endif -#if NBPFILTER > 0 -#ifdef __FreeBSD__ bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN); -#else - bpfattach(&pflogif->sc_if.if_bpf, ifp, DLT_PFLOG, PFLOG_HDRLEN); -#endif -#endif - s = splnet(); -#ifdef __FreeBSD__ - /* XXX: Why pf(4) lock?! Better add a pflog lock?! */ - PF_LOCK(); -#endif - LIST_INSERT_HEAD(&pflogif_list, pflogif, sc_list); pflogifs[unit] = ifp; -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); return (0); } -#ifdef __FreeBSD__ static void pflog_clone_destroy(struct ifnet *ifp) -#else -int -pflog_clone_destroy(struct ifnet *ifp) -#endif { - struct pflog_softc *pflogif = ifp->if_softc; - int s; + int i; - s = splnet(); -#ifdef __FreeBSD__ - PF_LOCK(); -#endif - pflogifs[pflogif->sc_unit] = NULL; - LIST_REMOVE(pflogif, sc_list); -#ifdef __FreeBSD__ - PF_UNLOCK(); -#endif - splx(s); + for (i = 0; i < PFLOGIFS_MAX; i++) + if (pflogifs[i] == ifp) + pflogifs[i] = NULL; -#if NBPFILTER > 0 bpfdetach(ifp); -#endif if_detach(ifp); -#ifdef __FreeBSD__ if_free(ifp); -#endif - free(pflogif, M_DEVBUF); -#ifndef __FreeBSD__ - return (0); -#endif } /* * Start output on the pflog interface. */ -void +static void pflogstart(struct ifnet *ifp) { struct mbuf *m; -#ifndef __FreeBSD__ - int s; -#endif for (;;) { -#ifdef __FreeBSD__ IF_LOCK(&ifp->if_snd); _IF_DROP(&ifp->if_snd); _IF_DEQUEUE(&ifp->if_snd, m); IF_UNLOCK(&ifp->if_snd); -#else - s = splnet(); - IF_DROP(&ifp->if_snd); - IF_DEQUEUE(&ifp->if_snd, m); - splx(s); -#endif if (m == NULL) return; 
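Review bot: `pflogifs[unit] = ifp;` in pflog_clone_create and the clearing loop in pflog_clone_destroy now run with no lock at all; the `PF_LOCK()`/`splnet()` pairs that bracketed them are removed and nothing in the hunk replaces them. If pflog_packet (partly visible in a later hunk) reads `pflogifs[]` from the forwarding path, a destroy racing a logged packet could deliver an ifnet that `if_detach`/`if_free` is already tearing down; I cannot see the read side, so this is an inference. If create/destroy are serialized against the packet path by something outside this file, a comment on the array should say what, e.g. `/* pflogifs[]: written only by clone create/destroy; readers rely on <lock> */`. The destroy loop also scans all PFLOGIFS_MAX slots instead of indexing by unit, which is harmless but worth a word since the softc that carried sc_unit is gone.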
@@ -285,35 +165,24 @@ pflogstart(struct ifnet *ifp) } } -int +static int pflogoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, -#ifdef __FreeBSD__ struct route *rt) -#else - struct rtentry *rt) -#endif { m_freem(m); return (0); } /* ARGSUSED */ -int +static int pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data) { switch (cmd) { case SIOCSIFFLAGS: -#ifdef __FreeBSD__ if (ifp->if_flags & IFF_UP) ifp->if_drv_flags |= IFF_DRV_RUNNING; else ifp->if_drv_flags &= ~IFF_DRV_RUNNING; -#else - if (ifp->if_flags & IFF_UP) - ifp->if_flags |= IFF_RUNNING; - else - ifp->if_flags &= ~IFF_RUNNING; -#endif break; default: return (ENOTTY); @@ -322,12 +191,11 @@ pflogioctl(struct ifnet *ifp, u_long cmd return (0); } -int +static int pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir, u_int8_t reason, struct pf_rule *rm, struct pf_rule *am, - struct pf_ruleset *ruleset, struct pf_pdesc *pd) + struct pf_ruleset *ruleset, struct pf_pdesc *pd, int lookupsafe) { -#if NBPFILTER > 0 struct ifnet *ifn; struct pfloghdr hdr; @@ -354,23 +222,18 @@ pflog_packet(struct pfi_kif *kif, struct strlcpy(hdr.ruleset, ruleset->anchor->name, sizeof(hdr.ruleset)); } - if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done) -#ifdef __FreeBSD__ - /* - * XXX: This should not happen as we force an early lookup - * via debug.pfugidhack - */ - ; /* empty */ -#else - pd->lookup.done = pf_socket_lookup(dir, pd); -#endif - if (pd->lookup.done > 0) { + /* + * XXXGL: we avoid pf_socket_lookup() when we are holding + * state lock, since this leads to unsafe LOR. + * These conditions are very very rare, however. + */ + if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe) + pd->lookup.done = pf_socket_lookup(dir, pd, m); + if (pd->lookup.done > 0) hdr.uid = pd->lookup.uid; - hdr.pid = pd->lookup.pid; - } else { + else hdr.uid = UID_MAX; - hdr.pid = NO_PID; - } + hdr.pid = NO_PID; hdr.rule_uid = rm->cuid; hdr.rule_pid = rm->cpid; hdr.dir = dir; 
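Review bot: `hdr.pid = NO_PID;` is now unconditional, so even when `pd->lookup.done > 0` the pflog header no longer carries the pid that the old code took from `pd->lookup.pid`; consumers of the pflog header will always see NO_PID. If that is deliberate (the FreeBSD socket lookup presumably does not yield a pid), record it next to the assignment: `/* pid is not recoverable from the socket lookup on FreeBSD; always NO_PID */`. The new `lookupsafe` guard also means a skipped lookup leaves `hdr.uid = UID_MAX`, indistinguishable from "no matching socket", which the XXXGL comment should mention and which pf.conf.5's log (user) text should reflect. pflog_packet continues outside this hunk.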
@@ -387,18 +250,11 @@ pflog_packet(struct pfi_kif *kif, struct ifn->if_opackets++; ifn->if_obytes += m->m_pkthdr.len; -#ifdef __FreeBSD__ BPF_MTAP2(ifn, &hdr, PFLOG_HDRLEN, m); -#else - bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, PFLOG_HDRLEN, m, - BPF_DIRECTION_OUT); -#endif -#endif return (0); } -#ifdef __FreeBSD__ static int pflog_modevent(module_t mod, int type, void *data) { @@ -407,14 +263,14 @@ pflog_modevent(module_t mod, int type, v switch (type) { case MOD_LOAD: pflogattach(1); - PF_LOCK(); + PF_RULES_WLOCK(); pflog_packet_ptr = pflog_packet; - PF_UNLOCK(); + PF_RULES_WUNLOCK(); break; case MOD_UNLOAD: - PF_LOCK(); + PF_RULES_WLOCK(); pflog_packet_ptr = NULL; - PF_UNLOCK(); + PF_RULES_WUNLOCK(); if_clone_detach(&pflog_cloner); break; default: @@ -432,4 +288,3 @@ static moduledata_t pflog_mod = { "pflog DECLARE_MODULE(pflog, pflog_mod, SI_SUB_PSEUDO, SI_ORDER_ANY); MODULE_VERSION(pflog, PFLOG_MODVER); MODULE_DEPEND(pflog, pf, PF_MODVER, PF_MODVER, PF_MODVER); -#endif /* __FreeBSD__ */ Modified: head/sys/contrib/pf/net/if_pflog.h ============================================================================== --- head/sys/contrib/pf/net/if_pflog.h Sat Sep 8 04:42:33 2012 (r240232) +++ head/sys/contrib/pf/net/if_pflog.h Sat Sep 8 06:41:54 2012 (r240233) @@ -29,16 +29,6 @@ #define PFLOGIFS_MAX 16 -struct pflog_softc { -#ifdef __FreeBSD__ - struct ifnet *sc_ifp; /* the interface pointer */ -#else - struct ifnet sc_if; /* the interface */ -#endif - int sc_unit; - LIST_ENTRY(pflog_softc) sc_list; -}; - #define PFLOG_RULESET_NAME_SIZE 16 struct pfloghdr { 
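Review bot: pflog_modevent now publishes and clears `pflog_packet_ptr` under `PF_RULES_WLOCK()`, but the PFLOG_PACKET macro in if_pflog.h reads the pointer twice (the NULL test, then the call), so MOD_UNLOAD is only safe if every caller holds the pf rules lock at least shared across the macro. I assume pf_test() does, but nothing here records that, and the `#if 0` declaration block that once documented the pointer is deleted in the header hunk. A comment at the assignment would fix the contract: `/* Protected by PF_RULES lock; PFLOG_PACKET callers must hold it */`.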
@@ -62,40 +52,15 @@ struct pfloghdr { /* minus pad, also used as a signature */ #define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad) -/* XXX remove later when old format logs are no longer needed */ -struct old_pfloghdr { - u_int32_t af; - char ifname[IFNAMSIZ]; - short rnr; - u_short reason; - u_short action; - u_short dir; -}; -#define OLD_PFLOG_HDRLEN sizeof(struct old_pfloghdr) - #ifdef _KERNEL -#ifdef __FreeBSD__ struct pf_rule; struct pf_ruleset; struct pfi_kif; struct pf_pdesc; -#if 0 -typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t, - u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *, - struct pf_ruleset *, struct pf_pdesc *); -extern pflog_packet_t *pflog_packet_ptr; -#endif -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) do { \ +#define PFLOG_PACKET(i,a,b,c,d,e,f,g,h,di) do { \ if (pflog_packet_ptr != NULL) \ - pflog_packet_ptr(i,a,b,c,d,e,f,g,h); \ + pflog_packet_ptr(i,a,b,c,d,e,f,g,h,di); \ } while (0) -#else /* ! __FreeBSD__ */ -#if NPFLOG > 0 -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) pflog_packet(i,a,b,c,d,e,f,g,h) -#else -#define PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) ((void)0) -#endif /* NPFLOG > 0 */ -#endif #endif /* _KERNEL */ #endif /* _NET_IF_PFLOG_H_ */ Modified: head/sys/contrib/pf/net/if_pfsync.c ============================================================================== --- head/sys/contrib/pf/net/if_pfsync.c Sat Sep 8 04:42:33 2012 (r240232) +++ head/sys/contrib/pf/net/if_pfsync.c Sat Sep 8 06:41:54 2012 (r240233) 
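Review bot: The rewritten `PFLOG_PACKET(i,a,b,c,d,e,f,g,h,di)` macro gives no hint of what its ten single-letter arguments are, and the only documentation of the order, the `#if 0` typedef, is removed in this same hunk. A comment above the macro listing the parameters in the order pflog_packet takes them would help every caller: `/* (kif, m, af, dir, reason, rm, am, ruleset, pd, lookupsafe) */`. The `pflog_packet_ptr` extern the macro relies on is declared elsewhere and not visible here.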
@@ -54,91 +54,44 @@ * 1.173 - correct expire time processing */ -#ifdef __FreeBSD__ -#include "opt_inet.h" -#include "opt_inet6.h" -#include "opt_pf.h" - #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); -#define NBPFILTER 1 -#endif /* __FreeBSD__ */ +#include "opt_inet.h" +#include "opt_inet6.h" +#include "opt_pf.h" #include <sys/param.h> -#include <sys/kernel.h> -#ifdef __FreeBSD__ #include <sys/bus.h> +#include <sys/endian.h> #include <sys/interrupt.h> -#include <sys/priv.h> -#endif -#include <sys/proc.h> -#include <sys/systm.h> -#include <sys/time.h> +#include <sys/kernel.h> +#include <sys/lock.h> #include <sys/mbuf.h> -#include <sys/socket.h> -#ifdef __FreeBSD__ -#include <sys/endian.h> -#include <sys/malloc.h> #include <sys/module.h> -#include <sys/sockio.h> -#include <sys/taskqueue.h> -#include <sys/lock.h> #include <sys/mutex.h> +#include <sys/priv.h> #include <sys/protosw.h> -#else -#include <sys/ioctl.h> -#include <sys/timeout.h> -#endif +#include <sys/socket.h> +#include <sys/sockio.h> #include <sys/sysctl.h> -#ifndef __FreeBSD__ -#include <sys/pool.h> -#endif +#include <net/bpf.h> #include <net/if.h> -#ifdef __FreeBSD__ #include <net/if_clone.h> -#endif #include <net/if_types.h> -#include <net/route.h> -#include <net/bpf.h> -#include <net/netisr.h> -#ifdef __FreeBSD__ -#include <net/vnet.h> -#endif +#include <net/pfvar.h> +#include <net/if_pfsync.h> -#include <netinet/in.h> #include <netinet/if_ether.h> -#include <netinet/tcp.h> -#include <netinet/tcp_seq.h> - -#ifdef INET -#include <netinet/in_systm.h> +#include <netinet/in.h> #include <netinet/in_var.h> #include <netinet/ip.h> -#include <netinet/ip_var.h> -#endif - -#ifdef INET6 -#include <netinet6/nd6.h> -#endif /* INET6 */ - -#ifdef __FreeBSD__ -#include <netinet/ip_carp.h> -#else -#include "carp.h" -#if NCARP > 0 #include <netinet/ip_carp.h> -#endif -#endif - -#include <net/pfvar.h> -#include <net/if_pfsync.h> - -#ifndef __FreeBSD__ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***