From: Kristof Provost Date: Tue, 4 Oct 2016 19:35:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r306684 - in head: sbin/pfctl share/man/man5 sys/netpfil/pf X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Oct 2016 19:35:17 -0000 Author: kp Date: Tue Oct 4 19:35:14 2016 New Revision: 306684 URL: https://svnweb.freebsd.org/changeset/base/306684 Log: pf: remove fastroute tag The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code allows to skip the in pfil hooks and completely removes the out pfil invoke, albeit looking up a route that the IP stack will likely find on its own. The code between IPv4 and IPv6 is also inconsistent and marked as "XXX" for years. Submitted by: Franco Fichtner Differential Revision: https://reviews.freebsd.org/D8058 Modified: head/sbin/pfctl/parse.y head/sbin/pfctl/pfctl_parser.c head/share/man/man5/pf.conf.5 head/sys/netpfil/pf/pf.c head/sys/netpfil/pf/pf_ioctl.c Modified: head/sbin/pfctl/parse.y ============================================================================== --- head/sbin/pfctl/parse.y Tue Oct 4 18:07:33 2016 (r306683) +++ head/sbin/pfctl/parse.y Tue Oct 4 19:35:14 2016 (r306684) @@ -2330,7 +2330,7 @@ pfrule : action dir logquick interface memcpy(&r.rpool.key, $5.key, sizeof(struct pf_poolhashkey)); } - if (r.rt && r.rt != PF_FASTROUTE) { + if (r.rt) { decide_address_family($5.host, &r.af); remove_invalid_hosts(&$5.host, &r.af); if ($5.host == NULL) { 
@@ -4416,8 +4416,9 @@ route : /* empty */ { $$.pool_opts = 0; } | FASTROUTE { + /* backwards-compat */ $$.host = NULL; - $$.rt = PF_FASTROUTE; + $$.rt = 0; $$.pool_opts = 0; } | ROUTETO routespec pool_opts { Modified: head/sbin/pfctl/pfctl_parser.c ============================================================================== --- head/sbin/pfctl/pfctl_parser.c Tue Oct 4 18:07:33 2016 (r306683) +++ head/sbin/pfctl/pfctl_parser.c Tue Oct 4 19:35:14 2016 (r306684) @@ -778,12 +778,8 @@ print_rule(struct pf_rule *r, const char printf(" reply-to"); else if (r->rt == PF_DUPTO) printf(" dup-to"); - else if (r->rt == PF_FASTROUTE) - printf(" fastroute"); - if (r->rt != PF_FASTROUTE) { - printf(" "); - print_pool(&r->rpool, 0, 0, r->af, PF_PASS); - } + printf(" "); + print_pool(&r->rpool, 0, 0, r->af, PF_PASS); } if (r->af) { if (r->af == AF_INET) Modified: head/share/man/man5/pf.conf.5 ============================================================================== --- head/share/man/man5/pf.conf.5 Tue Oct 4 18:07:33 2016 (r306683) +++ head/share/man/man5/pf.conf.5 Tue Oct 4 19:35:14 2016 (r306684) @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 9, 2016 +.Dd September 28, 2016 .Dt PF.CONF 5 .Os .Sh NAME @@ -1874,10 +1874,6 @@ route the packet according to the type o When such a rule creates state, the route option is also applied to all packets matching the same connection. .Bl -tag -width xxxx -.It Ar fastroute -The -.Ar fastroute -option does a normal route lookup to find the next hop for the packet. .It Ar route-to The .Ar route-to 
@@ -2839,7 +2835,7 @@ option = "set" ( [ "timeout" ( t pf-rule = action [ ( "in" | "out" ) ] [ "log" [ "(" logopts ")"] ] [ "quick" ] - [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ] + [ "on" ifspec ] [ route ] [ af ] [ protospec ] hosts [ filteropt-list ] logopts = logopt [ "," logopts ] Modified: head/sys/netpfil/pf/pf.c ============================================================================== --- head/sys/netpfil/pf/pf.c Tue Oct 4 18:07:33 2016 (r306683) +++ head/sys/netpfil/pf/pf.c Tue Oct 4 19:35:14 2016 (r306684) @@ -3632,7 +3632,7 @@ pf_create_state(struct pf_rule *r, struc s->timeout = PFTM_OTHER_FIRST_PACKET; } - if (r->rt && r->rt != PF_FASTROUTE) { + if (r->rt) { if (pf_map_addr(pd->af, r, pd->src, &s->rt_addr, NULL, &sn)) { REASON_SET(&reason, PFRES_MAPFAILED); pf_src_tree_remove_state(s); 
@@ -5439,41 +5439,24 @@ pf_route(struct mbuf **m, struct pf_rule dst.sin_len = sizeof(dst); dst.sin_addr = ip->ip_dst; - if (r->rt == PF_FASTROUTE) { - struct nhop4_basic nh4; - - if (s) - PF_STATE_UNLOCK(s); - - if (fib4_lookup_nh_basic(M_GETFIB(m0), ip->ip_dst, 0, - m0->m_pkthdr.flowid, &nh4) != 0) { - KMOD_IPSTAT_INC(ips_noroute); - error = EHOSTUNREACH; - goto bad; - } - - ifp = nh4.nh_ifp; - dst.sin_addr = nh4.nh_addr; + if (TAILQ_EMPTY(&r->rpool.list)) { + DPFPRINTF(PF_DEBUG_URGENT, + ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__)); + goto bad_locked; + } + if (s == NULL) { + pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, + &naddr, NULL, &sn); + if (!PF_AZERO(&naddr, AF_INET)) + dst.sin_addr.s_addr = naddr.v4.s_addr; + ifp = r->rpool.cur->kif ? + r->rpool.cur->kif->pfik_ifp : NULL; } else { - if (TAILQ_EMPTY(&r->rpool.list)) { - DPFPRINTF(PF_DEBUG_URGENT, - ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__)); - goto bad_locked; - } - if (s == NULL) { - pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, - &naddr, NULL, &sn); - if (!PF_AZERO(&naddr, AF_INET)) - dst.sin_addr.s_addr = naddr.v4.s_addr; - ifp = r->rpool.cur->kif ? - r->rpool.cur->kif->pfik_ifp : NULL; - } else { - if (!PF_AZERO(&s->rt_addr, AF_INET)) - dst.sin_addr.s_addr = - s->rt_addr.v4.s_addr; - ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; - PF_STATE_UNLOCK(s); - } + if (!PF_AZERO(&s->rt_addr, AF_INET)) + dst.sin_addr.s_addr = + s->rt_addr.v4.s_addr; + ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL; + PF_STATE_UNLOCK(s); } if (ifp == NULL) goto bad; 
@@ -5615,16 +5598,6 @@ pf_route6(struct mbuf **m, struct pf_rul dst.sin6_len = sizeof(dst); dst.sin6_addr = ip6->ip6_dst; - /* Cheat. XXX why only in the v6 case??? */ - if (r->rt == PF_FASTROUTE) { - if (s) - PF_STATE_UNLOCK(s); - m0->m_flags |= M_SKIP_FIREWALL; - ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); - *m = NULL; - return; - } - if (TAILQ_EMPTY(&r->rpool.list)) { DPFPRINTF(PF_DEBUG_URGENT, ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__)); Modified: head/sys/netpfil/pf/pf_ioctl.c ============================================================================== --- head/sys/netpfil/pf/pf_ioctl.c Tue Oct 4 18:07:33 2016 (r306683) +++ head/sys/netpfil/pf/pf_ioctl.c Tue Oct 4 19:35:14 2016 (r306684) @@ -1267,7 +1267,7 @@ pfioctl(struct cdev *dev, u_long cmd, ca pf_mv_pool(&V_pf_pabuf, &rule->rpool.list); if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) || (rule->action == PF_BINAT)) && rule->anchor == NULL) || - (rule->rt > PF_FASTROUTE)) && + (rule->rt > PF_NOPFROUTE)) && (TAILQ_FIRST(&rule->rpool.list) == NULL)) error = EINVAL; @@ -1527,7 +1527,7 @@ DIOCADDRULE_error: if (((((newrule->action == PF_NAT) || (newrule->action == PF_RDR) || (newrule->action == PF_BINAT) || - (newrule->rt > PF_FASTROUTE)) && + (newrule->rt > PF_NOPFROUTE)) && !newrule->anchor)) && (TAILQ_FIRST(&newrule->rpool.list) == NULL)) error = EINVAL;
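Review bot: In the FASTROUTE production of head/sbin/pfctl/parse.y (hunk at -4416), the keyword is still accepted and silently mapped to `$$.rt = 0`, so an existing ruleset that contains fastroute loads cleanly with no sign that the option no longer does anything. Print a warning when the token is parsed so operators see it on the next ruleset load, and extend the `/* backwards-compat */` comment to say the keyword is now a no-op.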
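Review bot: In print_rule() in head/sbin/pfctl/pfctl_parser.c (hunk at -778), the else-if chain that prints the route keyword loses its last branch, while `printf(" "); print_pool(...)` now runs unconditionally inside the block. If a rule with rt == PF_FASTROUTE is ever handed to print_rule(), the output is a pool with no keyword in front of it. A final else that prints a marker for an unrecognised rt value would keep the listing unambiguous.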
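Review bot: The two head/share/man/man5/pf.conf.5 hunks (-1874 and -2839) remove fastroute from both the option list and the pf-rule grammar, but parse.y in this same commit still accepts the keyword. The manual and the parser now disagree about what is valid input. Add a sentence stating that fastroute is accepted for compatibility and ignored, or drop the keyword from the parser as well.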
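Review bot: In the pf_route() hunk of head/sys/netpfil/pf/pf.c (-5439), the `s == NULL` branch calls pf_map_addr() and discards its return value, whereas the pf_create_state() hunk at -3632 treats a non-zero return as PFRES_MAPFAILED and backs out. These lines are being re-indented anyway, so either check the result here and drop the packet on failure, or add a comment explaining why the following PF_AZERO(&naddr, AF_INET) test is sufficient.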
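Review bot: In both head/sys/netpfil/pf/pf_ioctl.c hunks (-1267 and -1527) the test becomes `rt > PF_NOPFROUTE`, which returns EINVAL for a non-zero rt only when the rule's rpool list is empty. The header that defines PF_FASTROUTE is not among the modified files, so a userland binary built against it can still submit that value; with a non-empty pool it passes this check and reaches pf_route() or pf_route6(), neither of which has a branch for it after this commit. Consider rejecting rt == PF_FASTROUTE explicitly with EINVAL in both places so the kernel never holds a rule with an rt value it does not handle.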