Date: Thu, 21 Mar 2019 16:15:29 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r345381 - head/sys/netpfil/ipfw Message-ID: <201903211615.x2LGFTEk049469@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: glebius Date: Thu Mar 21 16:15:29 2019 New Revision: 345381 URL: https://svnweb.freebsd.org/changeset/base/345381 Log: Always create ipfw(4) hooks as long as module is loaded. Now enabling ipfw(4) with sysctls controls only linkage of hooks to default heads. When module is loaded fetch sysctls as tunables, to make it possible to boot with ipfw(4) in kernel, but not linked to any pfil(9) hooks. Modified: head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_pfil.c head/sys/netpfil/ipfw/ip_fw_private.h Modified: head/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw2.c Thu Mar 21 14:45:08 2019 (r345380) +++ head/sys/netpfil/ipfw/ip_fw2.c Thu Mar 21 16:15:29 2019 (r345381) @@ -3360,7 +3360,7 @@ vnet_ipfw_init(const void *unused) * is checked on each packet because there are no pfil hooks. */ V_ip_fw_ctl_ptr = ipfw_ctl3; - error = ipfw_attach_hooks(1); + error = ipfw_attach_hooks(); return (error); } @@ -3380,7 +3380,7 @@ vnet_ipfw_uninit(const void *unused) * Then grab, release and grab again the WLOCK so we make * sure the update is propagated and nobody will be in. */ - (void)ipfw_attach_hooks(0 /* detach */); + ipfw_detach_hooks(); V_ip_fw_ctl_ptr = NULL; last = IS_DEFAULT_VNET(curvnet) ? 1 : 0; Modified: head/sys/netpfil/ipfw/ip_fw_pfil.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_pfil.c Thu Mar 21 14:45:08 2019 (r345380) +++ head/sys/netpfil/ipfw/ip_fw_pfil.c Thu Mar 21 16:15:29 2019 (r345381) @@ -536,29 +536,23 @@ VNET_DEFINE_STATIC(pfil_hook_t, ipfw_inet6_hook); VNET_DEFINE_STATIC(pfil_hook_t, ipfw_link_hook); #define V_ipfw_link_hook VNET(ipfw_link_hook) -static int -ipfw_hook(int onoff, int pf) +static void +ipfw_hook(int pf) { struct pfil_hook_args pha; - struct pfil_link_args pla; pfil_hook_t *h; pha.pa_version = PFIL_VERSION; - pha.pa_flags = PFIL_IN | PFIL_OUT | PFIL_MEMPTR; + pha.pa_flags = PFIL_IN | PFIL_OUT; pha.pa_modname = "ipfw"; pha.pa_ruleset = NULL; - pla.pa_version = PFIL_VERSION; - pla.pa_flags = PFIL_IN | PFIL_OUT | - PFIL_HEADPTR | PFIL_HOOKPTR; - switch (pf) { case AF_INET: pha.pa_func = ipfw_check_packet; pha.pa_type = PFIL_TYPE_IP4; pha.pa_rulname = "default"; h = &V_ipfw_inet_hook; - pla.pa_head = V_inet_pfil_head; break; #ifdef INET6 case AF_INET6: @@ -566,57 +560,103 @@ ipfw_hook(int onoff, int pf) pha.pa_type = PFIL_TYPE_IP6; pha.pa_rulname = "default6"; h = &V_ipfw_inet6_hook; - pla.pa_head = V_inet6_pfil_head; break; #endif case AF_LINK: pha.pa_func = ipfw_check_frame; pha.pa_type = PFIL_TYPE_ETHERNET; pha.pa_rulname = "default-link"; + pha.pa_flags |= PFIL_MEMPTR; h = &V_ipfw_link_hook; - pla.pa_head = V_link_pfil_head; break; } - if (onoff) { - *h = pfil_add_hook(&pha); - pla.pa_hook = *h; - (void)pfil_link(&pla); - } else - if (*h != NULL) - pfil_remove_hook(*h); + *h = pfil_add_hook(&pha); +} - return 0; +static void +ipfw_unhook(int pf) +{ + + switch (pf) { + case AF_INET: + pfil_remove_hook(V_ipfw_inet_hook); + break; +#ifdef INET6 + case AF_INET6: + pfil_remove_hook(V_ipfw_inet6_hook); + break; +#endif + case AF_LINK: + pfil_remove_hook(V_ipfw_link_hook); + break; + } } +static int +ipfw_link(int pf, bool unlink) +{ + struct pfil_link_args pla; + + pla.pa_version = PFIL_VERSION; + pla.pa_flags = PFIL_IN | PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR; + if (unlink) + pla.pa_flags |= PFIL_UNLINK; + + switch (pf) { + case AF_INET: + pla.pa_head = V_inet_pfil_head; + pla.pa_hook = V_ipfw_inet_hook; + break; +#ifdef INET6 + case AF_INET6: + pla.pa_head = V_inet6_pfil_head; + pla.pa_hook = V_ipfw_inet6_hook; + break; +#endif + case AF_LINK: + pla.pa_head = V_link_pfil_head; + pla.pa_hook = V_ipfw_link_hook; + break; + } + + return (pfil_link(&pla)); +} + int -ipfw_attach_hooks(int arg) +ipfw_attach_hooks(void) { int error = 0; - if (arg == 0) /* detach */ - ipfw_hook(0, AF_INET); - else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) { - error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ + ipfw_hook(AF_INET); + TUNABLE_INT_FETCH("net.inet.ip.fw.enable", &V_fw_enable); + if (V_fw_enable && (error = ipfw_link(AF_INET, false)) != 0) printf("ipfw_hook() error\n"); - } #ifdef INET6 - if (arg == 0) /* detach */ - ipfw_hook(0, AF_INET6); - else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) { - error = ENOENT; + ipfw_hook(AF_INET6); + TUNABLE_INT_FETCH("net.inet6.ip6.fw.enable", &V_fw6_enable); + if (V_fw6_enable && (error = ipfw_link(AF_INET6, false)) != 0) printf("ipfw6_hook() error\n"); - } #endif - if (arg == 0) /* detach */ - ipfw_hook(0, AF_LINK); - else if (V_fwlink_enable && ipfw_hook(1, AF_LINK) != 0) { - error = ENOENT; + ipfw_hook(AF_LINK); + TUNABLE_INT_FETCH("net.link.ether.ipfw", &V_fwlink_enable); + if (V_fwlink_enable && (error = ipfw_link(AF_LINK, false)) != 0) printf("ipfw_link_hook() error\n"); - } - return error; + + return (error); } +void +ipfw_detach_hooks(void) +{ + + ipfw_unhook(AF_INET); +#ifdef INET6 + ipfw_unhook(AF_INET6); +#endif + ipfw_unhook(AF_LINK); +} + int ipfw_chg_hook(SYSCTL_HANDLER_ARGS) { @@ -648,7 +688,7 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS) if (*(int *)arg1 == newval) return (0); - error = ipfw_hook(newval, af); + error = ipfw_link(af, newval == 0 ? true : false); if (error) return (error); *(int *)arg1 = newval; Modified: head/sys/netpfil/ipfw/ip_fw_private.h ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_private.h Thu Mar 21 14:45:08 2019 (r345380) +++ head/sys/netpfil/ipfw/ip_fw_private.h Thu Mar 21 16:15:29 2019 (r345381) @@ -151,8 +151,8 @@ int ipfw_chk(struct ip_fw_args *args); struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *, u_int32_t, u_int32_t, int); -/* attach (arg = 1) or detach (arg = 0) hooks */ -int ipfw_attach_hooks(int); +int ipfw_attach_hooks(void); +void ipfw_detach_hooks(void); #ifdef NOTYET void ipfw_nat_destroy(void); #endif
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201903211615.x2LGFTEk049469>