Date:      Sat, 8 Sep 2012 06:41:54 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r240233 - in head: . contrib/pf/man contrib/pf/pfctl sys/contrib/altq/altq sys/contrib/pf/net sys/modules/pf sys/net sys/netinet sys/netinet/ipfw sys/netinet6 sys/netipsec sys/sys usr.b...
Message-ID:  <201209080641.q886fslk037192@svn.freebsd.org>

Author: glebius
Date: Sat Sep  8 06:41:54 2012
New Revision: 240233
URL: http://svn.freebsd.org/changeset/base/240233

Log:
  Merge the projects/pf/head branch, that was worked on for last six months,
  into head. The most significant achievements in the new code:
  
   o Fine grained locking, thus much better performance.
   o Fixes to many problems in pf, that were specific to FreeBSD port.
  
  New code doesn't have that many ifdefs and much less OpenBSDisms, thus
  is more attractive to our developers.
  
    Those interested in details can browse through the SVN log of the
  projects/pf/head branch. For reference, here is the exact list of
  revisions merged:
  
  r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330,
  r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656,
  r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782,
  r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868,
  r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223,
  r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456,
  r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505,
  r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168,
  r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230,
  r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398,
  r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548,
  r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672,
  r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169,
  r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442,
  r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522,
  r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661,
  r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.
  
  I'd like to thank people who participated in early testing:
  
  Tested by:	Florian Smeets <flo freebsd.org>
  Tested by:	Chekaluk Vitaly <artemrts ukr.net>
  Tested by:	Ben Wilber <ben desync.com>
  Tested by:	Ian FREISLICH <ianf cloudseed.co.za>

Deleted:
  head/sys/contrib/pf/net/if_pflow.h
Modified:
  head/UPDATING
  head/contrib/pf/man/pf.4
  head/contrib/pf/man/pf.conf.5
  head/contrib/pf/pfctl/parse.y
  head/contrib/pf/pfctl/pf_print_state.c
  head/contrib/pf/pfctl/pfctl.c
  head/contrib/pf/pfctl/pfctl_parser.c
  head/contrib/pf/pfctl/pfctl_table.c
  head/sys/contrib/altq/altq/altq_cbq.c
  head/sys/contrib/altq/altq/altq_hfsc.c
  head/sys/contrib/altq/altq/altq_priq.c
  head/sys/contrib/altq/altq/altq_subr.c
  head/sys/contrib/pf/net/if_pflog.c
  head/sys/contrib/pf/net/if_pflog.h
  head/sys/contrib/pf/net/if_pfsync.c
  head/sys/contrib/pf/net/if_pfsync.h
  head/sys/contrib/pf/net/pf.c
  head/sys/contrib/pf/net/pf_if.c
  head/sys/contrib/pf/net/pf_ioctl.c
  head/sys/contrib/pf/net/pf_lb.c
  head/sys/contrib/pf/net/pf_mtag.h
  head/sys/contrib/pf/net/pf_norm.c
  head/sys/contrib/pf/net/pf_osfp.c
  head/sys/contrib/pf/net/pf_ruleset.c
  head/sys/contrib/pf/net/pf_table.c
  head/sys/contrib/pf/net/pfvar.h
  head/sys/modules/pf/Makefile
  head/sys/net/if.c
  head/sys/netinet/in_gif.c
  head/sys/netinet/ip_icmp.c
  head/sys/netinet/ipfw/ip_fw2.c
  head/sys/netinet/raw_ip.c
  head/sys/netinet/tcp_subr.c
  head/sys/netinet6/icmp6.c
  head/sys/netinet6/in6_gif.c
  head/sys/netipsec/ipsec_input.c
  head/sys/netipsec/ipsec_output.c
  head/sys/netipsec/xform_ipip.c
  head/sys/sys/mbuf.h
  head/sys/sys/param.h
  head/usr.bin/netstat/if.c
  head/usr.sbin/bsnmpd/modules/snmp_pf/BEGEMOT-PF-MIB.txt
  head/usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
  head/usr.sbin/bsnmpd/modules/snmp_pf/pf_tree.def

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/UPDATING	Sat Sep  8 06:41:54 2012	(r240233)
@@ -24,6 +24,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20120908:
+	The pf(4) packet filter ABI has been changed. pfctl(8) and
+	snmp_pf module need to be recompiled to work with new kernel.
+
 20120828:
 	A new ZFS feature flag "com.delphix:empty_bpobj" has been merged
 	to -HEAD. Pools that have empty_bpobj in active state can not be

Modified: head/contrib/pf/man/pf.4
==============================================================================
--- head/contrib/pf/man/pf.4	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/contrib/pf/man/pf.4	Sat Sep  8 06:41:54 2012	(r240233)
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 17 2011
+.Dd June 29 2012
 .Dt PF 4
 .Os
 .Sh NAME
@@ -75,6 +75,25 @@ separated by
 characters, similar to how file system hierarchies are laid out.
 The final component of the anchor path is the anchor under which
 operations will be performed.
+.Sh SYSCTL VARIABLES AND LOADER TUNABLES
+The following
+.Xr loader 8
+tunables are available.
+.Bl -tag -width indent
+.It Va net.pf.states_hashsize
+Size of hash tables that store states.
+Should be power of 2.
+Default value is 32768.
+.It Va net.pf.source_nodes_hashsize
+Size of hash table that store source nodes.
+Should be power of 2.
+Default value is 8192.
+.El
+.Pp
+Read only
+.Xr sysctl 8
+variables with matching names are provided to obtain current values
+at runtime.
 .Sh IOCTL INTERFACE
 .Nm
 supports the following
@@ -351,7 +370,6 @@ struct pf_status {
 	u_int64_t	scounters[SCNT_MAX];
 	u_int64_t	pcounters[2][2][3];
 	u_int64_t	bcounters[2][2];
-	u_int64_t	stateid;
 	u_int32_t	running;
 	u_int32_t	states;
 	u_int32_t	src_nodes;
@@ -493,7 +511,7 @@ struct pfioc_limit {
 };
 
 enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
-	  PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
+	  PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
 .Ed
 .It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
 Get the hard

Modified: head/contrib/pf/man/pf.conf.5
==============================================================================
--- head/contrib/pf/man/pf.conf.5	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/contrib/pf/man/pf.conf.5	Sat Sep  8 06:41:54 2012	(r240233)
@@ -28,7 +28,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 31 2009
+.Dd June 29 2012
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -1421,7 +1421,7 @@ has the socket open where the packet is 
 (depending on which socket is local).
 This is in addition to the normal information logged.
 .Pp
-Due to the problems described in the BUGS section only the first packet
+Only the first packet
 logged via
 .Ar log (all, user)
 will have the user credentials logged when using stateful matching.
@@ -1479,13 +1479,6 @@ of the following keywords:
 .Bl -tag -width xxxxxxxxxxxxxx -compact
 .It Ar any
 Any address.
-.It Ar route Aq Ar label
-Any address whose associated route has label
-.Aq Ar label .
-See
-.Xr route 4
-and
-.Xr route 8 .
 .It Ar no-route
 Any address which is not currently routable.
 .It Ar urpf-failed
@@ -1594,7 +1587,6 @@ pass in proto tcp from any to any port 2
 pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
       to ! 10.1.2.3 port != ssh
 pass in proto tcp from any os "OpenBSD"
-pass in proto tcp from route "DTAG"
 .Ed
 .It Ar all
 This is equivalent to "from any to any".
@@ -2949,9 +2941,9 @@ proto-list     = ( proto-name | proto-nu
 
 hosts          = "all" |
                  "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
-                 "{" host-list "}" | "route" string ) [ port ] [ os ]
+                 "{" host-list "}" ) [ port ] [ os ]
                  "to"   ( "any" | "no-route" | "self" | host |
-                 "{" host-list "}" | "route" string ) [ port ]
+                 "{" host-list "}" ) [ port ]
 
 ipspec         = "any" | host | "{" host-list "}"
 host           = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
@@ -3048,28 +3040,6 @@ Protocol name database.
 .It Pa /etc/services
 Service name database.
 .El
-.Sh BUGS
-Due to a lock order reversal (LOR) with the socket layer, the use of the
-.Ar group
-and
-.Ar user
-filter parameter in conjuction with a Giant-free netstack
-can result in a deadlock.
-A workaround is available under the
-.Va debug.pfugidhack
-sysctl which is automatically enabled when a
-.Ar user
-/
-.Ar group
-rule is added or
-.Ar log (user)
-is specified.
-.Pp
-Route labels are not supported by the
-.Fx
-.Xr route 4
-system.
-Rules with a route label do not match any traffic.
 .Sh SEE ALSO
 .Xr altq 4 ,
 .Xr carp 4 ,
@@ -3080,7 +3050,6 @@ Rules with a route label do not match an
 .Xr pf 4 ,
 .Xr pflow 4 ,
 .Xr pfsync 4 ,
-.Xr route 4 ,
 .Xr tcp 4 ,
 .Xr udp 4 ,
 .Xr hosts 5 ,
@@ -3090,7 +3059,6 @@ Rules with a route label do not match an
 .Xr ftp-proxy 8 ,
 .Xr pfctl 8 ,
 .Xr pflogd 8 ,
-.Xr route 8
 .Sh HISTORY
 The
 .Nm

Modified: head/contrib/pf/pfctl/parse.y
==============================================================================
--- head/contrib/pf/pfctl/parse.y	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/contrib/pf/pfctl/parse.y	Sat Sep  8 06:41:54 2012	(r240233)
@@ -159,8 +159,7 @@ enum	{ PF_STATE_OPT_MAX, PF_STATE_OPT_NO
 	    PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN,
 	    PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES,
 	    PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK,
-	    PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, 
-	    PF_STATE_OPT_PFLOW };
+	    PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_SLOPPY, };
 
 enum	{ PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE };
 
@@ -451,7 +450,7 @@ int	parseport(char *, struct range *r, i
 %token	QUEUE PRIORITY QLIMIT RTABLE
 %token	LOAD RULESET_OPTIMIZATION
 %token	STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
-%token	MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW
+%token	MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY
 %token	TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
 %token	DIVERTTO DIVERTREPLY
 %token	<v.string>		STRING
@@ -2081,15 +2080,6 @@ pfrule		: action dir logquick interface 
 					}
 					r.rule_flag |= PFRULE_STATESLOPPY;
 					break;
-				case PF_STATE_OPT_PFLOW:
-					if (r.rule_flag & PFRULE_PFLOW) {
-						yyerror("state pflow "
-						    "option: multiple "
-						    "definitions");
-						YYERROR;
-					}
-					r.rule_flag |= PFRULE_PFLOW;
-					break;
 				case PF_STATE_OPT_TIMEOUT:
 					if (o->data.timeout.number ==
 					    PFTM_ADAPTIVE_START ||
@@ -2909,26 +2899,6 @@ host		: STRING			{
 			$$->next = NULL;
 			$$->tail = $$;
 		}
-		| ROUTE	STRING		{
-			$$ = calloc(1, sizeof(struct node_host));
-			if ($$ == NULL) {
-				free($2);
-				err(1, "host: calloc");
-			}
-			$$->addr.type = PF_ADDR_RTLABEL;
-			if (strlcpy($$->addr.v.rtlabelname, $2,
-			    sizeof($$->addr.v.rtlabelname)) >=
-			    sizeof($$->addr.v.rtlabelname)) {
-				yyerror("route label too long, max %u chars",
-				    sizeof($$->addr.v.rtlabelname) - 1);
-				free($2);
-				free($$);
-				YYERROR;
-			}
-			$$->next = NULL;
-			$$->tail = $$;
-			free($2);
-		}
 		;
 
 number		: NUMBER
@@ -3597,14 +3567,6 @@ state_opt_item	: MAXIMUM NUMBER		{
 			$$->next = NULL;
 			$$->tail = $$;
 		}
-		| PFLOW {
-			$$ = calloc(1, sizeof(struct node_state_opt));
-			if ($$ == NULL)
-				err(1, "state_opt_item: calloc");
-			$$->type = PF_STATE_OPT_PFLOW;
-			$$->next = NULL;
-			$$->tail = $$;
-		}
 		| STRING NUMBER			{
 			int	i;
 
@@ -5320,7 +5282,6 @@ lookup(char *s)
 		{ "out",		OUT},
 		{ "overload",		OVERLOAD},
 		{ "pass",		PASS},
-		{ "pflow",		PFLOW},
 		{ "port",		PORT},
 		{ "priority",		PRIORITY},
 		{ "priq",		PRIQ},

Modified: head/contrib/pf/pfctl/pf_print_state.c
==============================================================================
--- head/contrib/pf/pfctl/pf_print_state.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/contrib/pf/pfctl/pf_print_state.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -119,9 +119,6 @@ print_addr(struct pf_addr_wrap *addr, sa
 	case PF_ADDR_URPFFAILED:
 		printf("urpf-failed");
 		return;
-	case PF_ADDR_RTLABEL:
-		printf("route \"%s\"", addr->v.rtlabelname);
-		return;
 	default:
 		printf("?");
 		return;
@@ -339,8 +336,6 @@ print_state(struct pfsync_state *s, int 
 			printf(", rule %u", ntohl(s->rule));
 		if (s->state_flags & PFSTATE_SLOPPY)
 			printf(", sloppy");
-		if (s->state_flags & PFSTATE_PFLOW)
-			printf(", pflow");
 		if (s->sync_flags & PFSYNC_FLAG_SRCNODE)
 			printf(", source-track");
 		if (s->sync_flags & PFSYNC_FLAG_NATSRCNODE)

Modified: head/contrib/pf/pfctl/pfctl.c
==============================================================================
--- head/contrib/pf/pfctl/pfctl.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/contrib/pf/pfctl/pfctl.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -144,7 +144,6 @@ static const struct {
 	{ "states",		PF_LIMIT_STATES },
 	{ "src-nodes",		PF_LIMIT_SRC_NODES },
 	{ "frags",		PF_LIMIT_FRAGS },
-	{ "tables",		PF_LIMIT_TABLES },
 	{ "table-entries",	PF_LIMIT_TABLE_ENTRIES },
 	{ NULL,			0 }
 };
@@ -1553,9 +1552,6 @@ pfctl_fopen(const char *name, const char
 void
 pfctl_init_options(struct pfctl *pf)
 {
-	int64_t mem;
-	int mib[2];
-	size_t size;
 
 	pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
 	pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
@@ -1581,21 +1577,8 @@ pfctl_init_options(struct pfctl *pf)
 	pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
 	pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
 	pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
-	pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
 	pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
 
-	mib[0] = CTL_HW;
-#ifdef __FreeBSD__
-	mib[1] = HW_PHYSMEM;
-#else
-	mib[1] = HW_PHYSMEM64;
-#endif
-	size = sizeof(mem);
-	if (sysctl(mib, 2, &mem, &size, NULL, 0) == -1)
-		err(1, "sysctl");
-	if (mem <= 100*1024*1024)
-		pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL; 
-
 	pf->debug = PF_DEBUG_URGENT;
 }
 

Modified: head/contrib/pf/pfctl/pfctl_parser.c
==============================================================================
--- head/contrib/pf/pfctl/pfctl_parser.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/contrib/pf/pfctl/pfctl_parser.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -955,12 +955,6 @@ print_rule(struct pf_rule *r, const char
 			printf("sloppy");
 			opts = 0;
 		}
-		if (r->rule_flag & PFRULE_PFLOW) {
-			if (!opts)
-				printf(", ");
-			printf("pflow");
-			opts = 0;
-		}
 		for (i = 0; i < PFTM_MAX; ++i)
 			if (r->timeout[i]) {
 				int j;

Modified: head/contrib/pf/pfctl/pfctl_table.c
==============================================================================
--- head/contrib/pf/pfctl/pfctl_table.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/contrib/pf/pfctl/pfctl_table.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -621,8 +621,7 @@ print_iface(struct pfi_kif *p, int opts)
 	if (!(opts & PF_OPT_VERBOSE2))
 		return;
 	printf("\tCleared:     %s", ctime(&tzero));
-	printf("\tReferences:  [ States:  %-18d Rules: %-18d ]\n",
-	    p->pfik_states, p->pfik_rules);
+	printf("\tReferences:  %-18d\n", p->pfik_rulerefs);
 	for (i = 0; i < 8; i++) {
 		af = (i>>2) & 1;
 		dir = (i>>1) &1;
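Review bot: `p->pfik_rulerefs` is printed with `%-18d`, but the field's type is not visible in this diff; if it is unsigned (the reference counters in pfvar.h are typically u_int) the matching conversion is `%u`, and `-Wformat` would flag the mismatch. The `-18` left-justification, which used to line up the second column, now only leaves trailing blanks before the newline. Suggest `printf("\tReferences:  %u\n", p->pfik_rulerefs);` (or `%d` if the field really is int). print_iface continues beyond this hunk.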

Modified: head/sys/contrib/altq/altq/altq_cbq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_cbq.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/sys/contrib/altq/altq/altq_cbq.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -271,10 +271,9 @@ cbq_add_altq(struct pf_altq *a)
 		return (ENODEV);
 
 	/* allocate and initialize cbq_state_t */
-	cbqp = malloc(sizeof(cbq_state_t), M_DEVBUF, M_WAITOK);
+	cbqp = malloc(sizeof(cbq_state_t), M_DEVBUF, M_NOWAIT | M_ZERO);
 	if (cbqp == NULL)
 		return (ENOMEM);
-	bzero(cbqp, sizeof(cbq_state_t));
 	CALLOUT_INIT(&cbqp->cbq_callout);
 	cbqp->cbq_qlen = 0;
 	cbqp->ifnp.ifq_ = &ifp->if_snd;	    /* keep the ifq */
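Review bot: With `M_ZERO` on the malloc, the explicit `cbqp->cbq_qlen = 0;` two lines later is redundant; either drop it or keep it as a deliberate statement of intent, but be consistent with the hfsc and priq siblings in this commit, which do not re-zero fields after `M_ZERO`. Switching to `M_NOWAIT` also makes the `NULL` check live for the first time: cbq_add_altq can now return ENOMEM under memory pressure where it used to sleep, which the ioctl caller (outside this hunk) must tolerate. A one-line comment such as `/* M_NOWAIT: called with pf locks held; ENOMEM is reported to the ioctl caller */` would record why the sleeping allocation was dropped, if that is indeed the reason.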

Modified: head/sys/contrib/altq/altq/altq_hfsc.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_hfsc.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/sys/contrib/altq/altq/altq_hfsc.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -200,10 +200,9 @@ hfsc_add_altq(struct pf_altq *a)
 	if (!ALTQ_IS_READY(&ifp->if_snd))
 		return (ENODEV);
 
-	hif = malloc(sizeof(struct hfsc_if), M_DEVBUF, M_WAITOK);
+	hif = malloc(sizeof(struct hfsc_if), M_DEVBUF, M_NOWAIT | M_ZERO);
 	if (hif == NULL)
 		return (ENOMEM);
-	bzero(hif, sizeof(struct hfsc_if));
 
 	hif->hif_eligible = ellist_alloc();
 	if (hif->hif_eligible == NULL) {

Modified: head/sys/contrib/altq/altq/altq_priq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_priq.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/sys/contrib/altq/altq/altq_priq.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -132,11 +132,9 @@ priq_add_altq(struct pf_altq *a)
 	if (!ALTQ_IS_READY(&ifp->if_snd))
 		return (ENODEV);
 
-	pif = malloc(sizeof(struct priq_if),
-	    M_DEVBUF, M_WAITOK);
+	pif = malloc(sizeof(struct priq_if), M_DEVBUF, M_NOWAIT | M_ZERO);
 	if (pif == NULL)
 		return (ENOMEM);
-	bzero(pif, sizeof(struct priq_if));
 	pif->pif_bandwidth = a->ifbandwidth;
 	pif->pif_maxpri = -1;
 	pif->pif_ifq = &ifp->if_snd;

Modified: head/sys/contrib/altq/altq/altq_subr.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_subr.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/sys/contrib/altq/altq/altq_subr.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -401,14 +401,11 @@ tbr_set(ifq, profile)
 		return (0);
 	}
 
-	IFQ_UNLOCK(ifq);
-	tbr = malloc(sizeof(struct tb_regulator),
-	       M_DEVBUF, M_WAITOK);
-	if (tbr == NULL) {		/* can not happen */
+	tbr = malloc(sizeof(struct tb_regulator), M_DEVBUF, M_NOWAIT | M_ZERO);
+	if (tbr == NULL) {
 		IFQ_UNLOCK(ifq);
 		return (ENOMEM);
 	}
-	bzero(tbr, sizeof(struct tb_regulator));
 
 	tbr->tbr_rate = TBR_SCALE(profile->rate / 8) / machclk_freq;
 	tbr->tbr_depth = TBR_SCALE(profile->depth);
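Review bot: tbr_set now allocates with the ifq lock held (the `IFQ_UNLOCK()`/`IFQ_LOCK()` pair that used to bracket the malloc is gone), which is what makes `M_NOWAIT` mandatory here; nothing records that constraint, so a later "improvement" back to `M_WAITOK` would sleep while holding a mutex. Suggest `/* ifq lock is held: must not sleep, hence M_NOWAIT. */` immediately above the malloc. Keeping the lock across the allocation also closes the old window in which `ifq->altq_tbr` could change between the check and the assignment, which is worth a word in the commit-side comment. The function's start and end are outside this hunk.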
@@ -420,7 +417,6 @@ tbr_set(ifq, profile)
 	tbr->tbr_last = read_machclk();
 	tbr->tbr_lastop = ALTDQ_REMOVE;
 
-	IFQ_LOCK(ifq);
 	otbr = ifq->altq_tbr;
 	ifq->altq_tbr = tbr;	/* set the new tbr */
 

Modified: head/sys/contrib/pf/net/if_pflog.c
==============================================================================
--- head/sys/contrib/pf/net/if_pflog.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/sys/contrib/pf/net/if_pflog.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -1,10 +1,10 @@
 /*	$OpenBSD: if_pflog.c,v 1.26 2007/10/18 21:58:18 mpf Exp $	*/
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and 
+ * Angelos D. Keromytis (kermit@csd.uch.gr) and
  * Niels Provos (provos@physnet.uni-hamburg.de).
  *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 
+ * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
  * in November 1995.
  *
  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
@@ -20,7 +20,7 @@
  * Permission to use, copy, and modify this software with or without fee
  * is hereby granted, provided that this entire notice is included in
  * all copies of any software which is or includes a copy or
- * modification of this software. 
+ * modification of this software.
  * You may use this code under the GNU public license if you so wish. Please
  * contribute changes back to the authors under this freer than GPL license
  * so that we may further the use of strong encryption without limitations to
@@ -33,61 +33,34 @@
  * PURPOSE.
  */
 
-#ifdef __FreeBSD__
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_bpf.h"
 #include "opt_pf.h"
 
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#ifdef DEV_BPF
-#define	NBPFILTER	DEV_BPF
-#else
-#define	NBPFILTER	0
-#endif
-
-#ifdef DEV_PFLOG
-#define	NPFLOG		DEV_PFLOG
-#else
-#define	NPFLOG		0
-#endif
-
-#else /* ! __FreeBSD__ */
-#include "bpfilter.h"
-#include "pflog.h"
-#endif /* __FreeBSD__ */
-
 #include <sys/param.h>
-#include <sys/systm.h>
+#include <sys/kernel.h>
 #include <sys/mbuf.h>
+#include <sys/module.h>
 #include <sys/proc.h>
 #include <sys/socket.h>
-#ifdef __FreeBSD__
-#include <sys/kernel.h>
-#include <sys/limits.h>
-#include <sys/malloc.h>
-#include <sys/module.h>
 #include <sys/sockio.h>
-#else
-#include <sys/ioctl.h>
-#endif
 
+#include <net/bpf.h>
 #include <net/if.h>
-#ifdef __FreeBSD__
 #include <net/if_clone.h>
-#endif
+#include <net/if_pflog.h>
 #include <net/if_types.h>
-#include <net/route.h>
-#include <net/bpf.h>
+#include <net/pfvar.h>
 
 #if defined(INET) || defined(INET6)
 #include <netinet/in.h>
 #endif
 #ifdef	INET
 #include <netinet/in_var.h>
-#include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #endif
 
@@ -96,14 +69,9 @@ __FBSDID("$FreeBSD$");
 #include <netinet6/nd6.h>
 #endif /* INET6 */
 
-#include <net/pfvar.h>
-#include <net/if_pflog.h>
-
-#ifdef __FreeBSD__
 #ifdef INET
 #include <machine/in_cksum.h>
 #endif /* INET */
-#endif /* __FreeBSD__ */
 
 #define PFLOGMTU	(32768 + MHLEN + MLEN)
 
@@ -113,170 +81,82 @@ __FBSDID("$FreeBSD$");
 #define DPRINTF(x)
 #endif
 
-void	pflogattach(int);
-int	pflogoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
-#ifdef __FreeBSD__
-	    struct route *);
-#else
-	    struct rtentry *);
-#endif
-int	pflogioctl(struct ifnet *, u_long, caddr_t);
-void	pflogstart(struct ifnet *);
-#ifdef __FreeBSD__
-static int pflog_clone_create(struct if_clone *, int, caddr_t);
-static void pflog_clone_destroy(struct ifnet *);
-#else
-int	pflog_clone_create(struct if_clone *, int);
-int	pflog_clone_destroy(struct ifnet *);
-#endif
+static int	pflogoutput(struct ifnet *, struct mbuf *, struct sockaddr *,
+		    struct route *);
+static void	pflogattach(int);
+static int	pflogioctl(struct ifnet *, u_long, caddr_t);
+static void	pflogstart(struct ifnet *);
+static int	pflog_clone_create(struct if_clone *, int, caddr_t);
+static void	pflog_clone_destroy(struct ifnet *);
 
-LIST_HEAD(, pflog_softc)	pflogif_list;
-#ifdef __FreeBSD__
 IFC_SIMPLE_DECLARE(pflog, 1);
-#else
-struct if_clone	pflog_cloner =
-    IF_CLONE_INITIALIZER("pflog", pflog_clone_create, pflog_clone_destroy);
-#endif
 
 struct ifnet	*pflogifs[PFLOGIFS_MAX];	/* for fast access */
 
-void
+static void
 pflogattach(int npflog)
 {
 	int	i;
-	LIST_INIT(&pflogif_list);
 	for (i = 0; i < PFLOGIFS_MAX; i++)
 		pflogifs[i] = NULL;
 	if_clone_attach(&pflog_cloner);
 }
 
-#ifdef __FreeBSD__
 static int
 pflog_clone_create(struct if_clone *ifc, int unit, caddr_t param)
-#else
-int
-pflog_clone_create(struct if_clone *ifc, int unit)
-#endif
 {
 	struct ifnet *ifp;
-	struct pflog_softc *pflogif;
-	int s;
 
 	if (unit >= PFLOGIFS_MAX)
 		return (EINVAL);
 
-	if ((pflogif = malloc(sizeof(*pflogif),
-	    M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL)
-		return (ENOMEM);
-
-	pflogif->sc_unit = unit;
-#ifdef __FreeBSD__
-	ifp = pflogif->sc_ifp = if_alloc(IFT_PFLOG);
+	ifp = if_alloc(IFT_PFLOG);
 	if (ifp == NULL) {
-		free(pflogif, M_DEVBUF);
 		return (ENOSPC);
 	}
 	if_initname(ifp, ifc->ifc_name, unit);
-#else
-	ifp = &pflogif->sc_if;
-	snprintf(ifp->if_xname, sizeof ifp->if_xname, "pflog%d", unit);
-#endif
-	ifp->if_softc = pflogif;
 	ifp->if_mtu = PFLOGMTU;
 	ifp->if_ioctl = pflogioctl;
 	ifp->if_output = pflogoutput;
 	ifp->if_start = pflogstart;
-#ifndef __FreeBSD__
-	ifp->if_type = IFT_PFLOG;
-#endif
 	ifp->if_snd.ifq_maxlen = ifqmaxlen;
 	ifp->if_hdrlen = PFLOG_HDRLEN;
 	if_attach(ifp);
-#ifndef __FreeBSD__
-	if_alloc_sadl(ifp);
-#endif
 
-#if NBPFILTER > 0
-#ifdef __FreeBSD__
 	bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN);
-#else
-	bpfattach(&pflogif->sc_if.if_bpf, ifp, DLT_PFLOG, PFLOG_HDRLEN);
-#endif
-#endif
 
-	s = splnet();
-#ifdef __FreeBSD__
-	/* XXX: Why pf(4) lock?! Better add a pflog lock?! */
-	PF_LOCK();
-#endif
-	LIST_INSERT_HEAD(&pflogif_list, pflogif, sc_list);
 	pflogifs[unit] = ifp;
-#ifdef __FreeBSD__
-	PF_UNLOCK();
-#endif
-	splx(s);
 
 	return (0);
 }
 
-#ifdef __FreeBSD__
 static void
 pflog_clone_destroy(struct ifnet *ifp)
-#else
-int
-pflog_clone_destroy(struct ifnet *ifp)
-#endif
 {
-	struct pflog_softc	*pflogif = ifp->if_softc;
-	int			 s;
+	int i;
 
-	s = splnet();
-#ifdef __FreeBSD__
-	PF_LOCK();
-#endif
-	pflogifs[pflogif->sc_unit] = NULL;
-	LIST_REMOVE(pflogif, sc_list);
-#ifdef __FreeBSD__
-	PF_UNLOCK();
-#endif
-	splx(s);
+	for (i = 0; i < PFLOGIFS_MAX; i++)
+		if (pflogifs[i] == ifp)
+			pflogifs[i] = NULL;
 
-#if NBPFILTER > 0
 	bpfdetach(ifp);
-#endif
 	if_detach(ifp);
-#ifdef __FreeBSD__
 	if_free(ifp);
-#endif
-	free(pflogif, M_DEVBUF);
-#ifndef __FreeBSD__
-	return (0);
-#endif
 }
 
 /*
  * Start output on the pflog interface.
  */
-void
+static void
 pflogstart(struct ifnet *ifp)
 {
 	struct mbuf *m;
-#ifndef __FreeBSD__
-	int s;
-#endif
 
 	for (;;) {
-#ifdef __FreeBSD__
 		IF_LOCK(&ifp->if_snd);
 		_IF_DROP(&ifp->if_snd);
 		_IF_DEQUEUE(&ifp->if_snd, m);
 		IF_UNLOCK(&ifp->if_snd);
-#else
-		s = splnet();
-		IF_DROP(&ifp->if_snd);
-		IF_DEQUEUE(&ifp->if_snd, m);
-		splx(s);
-#endif
 
 		if (m == NULL)
 			return;
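Review bot: pflog_clone_destroy now clears the matching `pflogifs[]` slot with no lock at all, whereas the removed code did it under `PF_LOCK()`; pflog_packet (outside this hunk) looks the interface up in the same array, so a reader on another CPU that loaded the pointer just before the slot is cleared can go on to touch an ifnet that `bpfdetach`/`if_detach`/`if_free` are tearing down. I cannot tell from this diff whether readers hold the rules lock or whether ifnet freeing is deferred, either of which would make the plain store safe. If the rules lock is the intended protection, wrapping the loop in `PF_RULES_WLOCK()`/`PF_RULES_WUNLOCK()`, as pflog_modevent does for `pflog_packet_ptr`, would close the window; otherwise a comment stating what makes the unsynchronized store safe would help the next reader. pflogstart continues beyond the end of this hunk.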
@@ -285,35 +165,24 @@ pflogstart(struct ifnet *ifp)
 	}
 }
 
-int
+static int
 pflogoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
-#ifdef __FreeBSD__
 	struct route *rt)
-#else
-	struct rtentry *rt)
-#endif
 {
 	m_freem(m);
 	return (0);
 }
 
 /* ARGSUSED */
-int
+static int
 pflogioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 {
 	switch (cmd) {
 	case SIOCSIFFLAGS:
-#ifdef __FreeBSD__
 		if (ifp->if_flags & IFF_UP)
 			ifp->if_drv_flags |= IFF_DRV_RUNNING;
 		else
 			ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
-#else
-		if (ifp->if_flags & IFF_UP)
-			ifp->if_flags |= IFF_RUNNING;
-		else
-			ifp->if_flags &= ~IFF_RUNNING;
-#endif
 		break;
 	default:
 		return (ENOTTY);
@@ -322,12 +191,11 @@ pflogioctl(struct ifnet *ifp, u_long cmd
 	return (0);
 }
 
-int
+static int
 pflog_packet(struct pfi_kif *kif, struct mbuf *m, sa_family_t af, u_int8_t dir,
     u_int8_t reason, struct pf_rule *rm, struct pf_rule *am,
-    struct pf_ruleset *ruleset, struct pf_pdesc *pd)
+    struct pf_ruleset *ruleset, struct pf_pdesc *pd, int lookupsafe)
 {
-#if NBPFILTER > 0
 	struct ifnet *ifn;
 	struct pfloghdr hdr;
 
@@ -354,23 +222,18 @@ pflog_packet(struct pfi_kif *kif, struct
 			strlcpy(hdr.ruleset, ruleset->anchor->name,
 			    sizeof(hdr.ruleset));
 	}
-	if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done)
-#ifdef __FreeBSD__
-		/*
-		 * XXX: This should not happen as we force an early lookup
-		 * via debug.pfugidhack
-		 */
-		; /* empty */
-#else
-		pd->lookup.done = pf_socket_lookup(dir, pd);
-#endif
-	if (pd->lookup.done > 0) {
+	/*
+	 * XXXGL: we avoid pf_socket_lookup() when we are holding
+	 * state lock, since this leads to unsafe LOR.
+	 * These conditions are very very rare, however.
+	 */
+	if (rm->log & PF_LOG_SOCKET_LOOKUP && !pd->lookup.done && lookupsafe)
+		pd->lookup.done = pf_socket_lookup(dir, pd, m);
+	if (pd->lookup.done > 0)
 		hdr.uid = pd->lookup.uid;
-		hdr.pid = pd->lookup.pid;
-	} else {
+	else
 		hdr.uid = UID_MAX;
-		hdr.pid = NO_PID;
-	}
+	hdr.pid = NO_PID;
 	hdr.rule_uid = rm->cuid;
 	hdr.rule_pid = rm->cpid;
 	hdr.dir = dir;
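Review bot: The new `lookupsafe` argument is undocumented; the XXXGL comment says why the lookup is skipped, but not what a caller passing 0 gets back: for a rule with `log (user)` the record silently carries `hdr.uid = UID_MAX` unless an earlier lookup already filled `pd->lookup`, with no indication in the log why credentials are missing. Suggest a comment above the function (its signature is in the previous hunk): `lookupsafe is nonzero when the caller holds no state lock and pf_socket_lookup() may be invoked; when zero, uid is reported as UID_MAX unless pd->lookup was filled earlier.` Separately, `hdr.pid` is now always `NO_PID`, so the pid field of the on-wire pflog header is dead for consumers; a one-line `/* pid is no longer looked up; field kept for header layout. */` would stop someone from "fixing" it back to `pd->lookup.pid`.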
@@ -387,18 +250,11 @@ pflog_packet(struct pfi_kif *kif, struct
 
 	ifn->if_opackets++;
 	ifn->if_obytes += m->m_pkthdr.len;
-#ifdef __FreeBSD__
 	BPF_MTAP2(ifn, &hdr, PFLOG_HDRLEN, m);
-#else
-	bpf_mtap_hdr(ifn->if_bpf, (char *)&hdr, PFLOG_HDRLEN, m,
-	    BPF_DIRECTION_OUT);
-#endif
-#endif
 
 	return (0);
 }
 
-#ifdef __FreeBSD__
 static int
 pflog_modevent(module_t mod, int type, void *data)
 {
@@ -407,14 +263,14 @@ pflog_modevent(module_t mod, int type, v
 	switch (type) {
 	case MOD_LOAD:
 		pflogattach(1);
-		PF_LOCK();
+		PF_RULES_WLOCK();
 		pflog_packet_ptr = pflog_packet;
-		PF_UNLOCK();
+		PF_RULES_WUNLOCK();
 		break;
 	case MOD_UNLOAD:
-		PF_LOCK();
+		PF_RULES_WLOCK();
 		pflog_packet_ptr = NULL;
-		PF_UNLOCK();
+		PF_RULES_WUNLOCK();
 		if_clone_detach(&pflog_cloner);
 		break;
 	default:
@@ -432,4 +288,3 @@ static moduledata_t pflog_mod = { "pflog
 DECLARE_MODULE(pflog, pflog_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
 MODULE_VERSION(pflog, PFLOG_MODVER);
 MODULE_DEPEND(pflog, pf, PF_MODVER, PF_MODVER, PF_MODVER);
-#endif /* __FreeBSD__ */

Modified: head/sys/contrib/pf/net/if_pflog.h
==============================================================================
--- head/sys/contrib/pf/net/if_pflog.h	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/sys/contrib/pf/net/if_pflog.h	Sat Sep  8 06:41:54 2012	(r240233)
@@ -29,16 +29,6 @@
 
 #define	PFLOGIFS_MAX	16
 
-struct pflog_softc {
-#ifdef __FreeBSD__
-	struct ifnet		*sc_ifp;	/* the interface pointer */
-#else
-	struct ifnet		sc_if;		/* the interface */
-#endif
-	int			sc_unit;
-	LIST_ENTRY(pflog_softc)	sc_list;
-};
-
 #define	PFLOG_RULESET_NAME_SIZE	16
 
 struct pfloghdr {
@@ -62,40 +52,15 @@ struct pfloghdr {
 /* minus pad, also used as a signature */
 #define	PFLOG_REAL_HDRLEN	offsetof(struct pfloghdr, pad)
 
-/* XXX remove later when old format logs are no longer needed */
-struct old_pfloghdr {
-	u_int32_t af;
-	char ifname[IFNAMSIZ];
-	short rnr;
-	u_short reason;
-	u_short action;
-	u_short dir;
-};
-#define	OLD_PFLOG_HDRLEN	sizeof(struct old_pfloghdr)
-
 #ifdef _KERNEL
-#ifdef __FreeBSD__
 struct pf_rule;
 struct pf_ruleset;
 struct pfi_kif;
 struct pf_pdesc;
 
-#if 0
-typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t,
-    u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *,
-    struct pf_ruleset *, struct pf_pdesc *);
-extern pflog_packet_t *pflog_packet_ptr;
-#endif
-#define	PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) do {		\
+#define	PFLOG_PACKET(i,a,b,c,d,e,f,g,h,di) do {		\
 	if (pflog_packet_ptr != NULL)			\
-		pflog_packet_ptr(i,a,b,c,d,e,f,g,h);    \
+		pflog_packet_ptr(i,a,b,c,d,e,f,g,h,di);	\
 } while (0)
-#else /* ! __FreeBSD__ */
-#if NPFLOG > 0
-#define	PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) pflog_packet(i,a,b,c,d,e,f,g,h)
-#else
-#define	PFLOG_PACKET(i,x,a,b,c,d,e,f,g,h) ((void)0)
-#endif /* NPFLOG > 0 */
-#endif
 #endif /* _KERNEL */
 #endif /* _NET_IF_PFLOG_H_ */
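Review bot: PFLOG_PACKET tests `pflog_packet_ptr` and then calls through it with no synchronization in the macro itself, while pflog_modevent clears the pointer under `PF_RULES_WLOCK()` on MOD_UNLOAD; the test-and-call is therefore only race-free if every caller holds the rules lock (read or write) across the call. The pf.c callers are not in this diff, so I cannot confirm they do. Suggest recording the requirement next to the macro: `/* Caller must hold a PF_RULES lock: pflog_modevent() clears the pointer under PF_RULES_WLOCK() on unload. */` The parameter list also changed shape (the unused `x` slot dropped, `di` appended), which is fine for in-tree callers but worth a sentence in the header comment for anyone tracking the OpenBSD macro.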

Modified: head/sys/contrib/pf/net/if_pfsync.c
==============================================================================
--- head/sys/contrib/pf/net/if_pfsync.c	Sat Sep  8 04:42:33 2012	(r240232)
+++ head/sys/contrib/pf/net/if_pfsync.c	Sat Sep  8 06:41:54 2012	(r240233)
@@ -54,91 +54,44 @@
  * 1.173 - correct expire time processing
  */
 
-#ifdef __FreeBSD__
-#include "opt_inet.h"
-#include "opt_inet6.h"
-#include "opt_pf.h"
-
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
-#define	NBPFILTER	1
-#endif /* __FreeBSD__ */
+#include "opt_inet.h"
+#include "opt_inet6.h"
+#include "opt_pf.h"
 
 #include <sys/param.h>
-#include <sys/kernel.h>
-#ifdef __FreeBSD__
 #include <sys/bus.h>
+#include <sys/endian.h>
 #include <sys/interrupt.h>
-#include <sys/priv.h>
-#endif
-#include <sys/proc.h>
-#include <sys/systm.h>
-#include <sys/time.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
 #include <sys/mbuf.h>
-#include <sys/socket.h>
-#ifdef __FreeBSD__
-#include <sys/endian.h>
-#include <sys/malloc.h>
 #include <sys/module.h>
-#include <sys/sockio.h>
-#include <sys/taskqueue.h>
-#include <sys/lock.h>
 #include <sys/mutex.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
-#else
-#include <sys/ioctl.h>
-#include <sys/timeout.h>
-#endif
+#include <sys/socket.h>
+#include <sys/sockio.h>
 #include <sys/sysctl.h>
-#ifndef __FreeBSD__
-#include <sys/pool.h>
-#endif
 
+#include <net/bpf.h>
 #include <net/if.h>
-#ifdef __FreeBSD__
 #include <net/if_clone.h>
-#endif
 #include <net/if_types.h>
-#include <net/route.h>
-#include <net/bpf.h>
-#include <net/netisr.h>
-#ifdef __FreeBSD__
-#include <net/vnet.h>
-#endif
+#include <net/pfvar.h>
+#include <net/if_pfsync.h>
 
-#include <netinet/in.h>
 #include <netinet/if_ether.h>
-#include <netinet/tcp.h>
-#include <netinet/tcp_seq.h>
-
-#ifdef	INET
-#include <netinet/in_systm.h>
+#include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#endif
-
-#ifdef INET6
-#include <netinet6/nd6.h>
-#endif /* INET6 */
-
-#ifdef __FreeBSD__
-#include <netinet/ip_carp.h>
-#else
-#include "carp.h"
-#if NCARP > 0
 #include <netinet/ip_carp.h>
-#endif
-#endif
-
-#include <net/pfvar.h>
-#include <net/if_pfsync.h>
-
-#ifndef __FreeBSD__

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


