From owner-svn-src-all@freebsd.org Thu Mar 21 16:15:31 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E4424154714B; Thu, 21 Mar 2019 16:15:30 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 86C4A6BB8A; Thu, 21 Mar 2019 16:15:30 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6B0F2B3ED; Thu, 21 Mar 2019 16:15:30 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x2LGFU5T049472; Thu, 21 Mar 2019 16:15:30 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x2LGFTEk049469; Thu, 21 Mar 2019 16:15:29 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201903211615.x2LGFTEk049469@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff Date: Thu, 21 Mar 2019 16:15:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r345381 - head/sys/netpfil/ipfw X-SVN-Group: head X-SVN-Commit-Author: glebius X-SVN-Commit-Paths: head/sys/netpfil/ipfw X-SVN-Commit-Revision: 345381 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 86C4A6BB8A X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.96 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.96)[-0.961,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Mar 2019 16:15:31 -0000 Author: glebius Date: Thu Mar 21 16:15:29 2019 New Revision: 345381 URL: https://svnweb.freebsd.org/changeset/base/345381 Log: Always create ipfw(4) hooks as long as module is loaded. Now enabling ipfw(4) with sysctls controls only linkage of hooks to default heads. When module is loaded fetch sysctls as tunables, to make it possible to boot with ipfw(4) in kernel, but not linked to any pfil(9) hooks. Modified: head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_pfil.c head/sys/netpfil/ipfw/ip_fw_private.h Modified: head/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw2.c Thu Mar 21 14:45:08 2019 (r345380) +++ head/sys/netpfil/ipfw/ip_fw2.c Thu Mar 21 16:15:29 2019 (r345381) 
@@ -3360,7 +3360,7 @@ vnet_ipfw_init(const void *unused) * is checked on each packet because there are no pfil hooks. */ V_ip_fw_ctl_ptr = ipfw_ctl3; - error = ipfw_attach_hooks(1); + error = ipfw_attach_hooks(); return (error); } @@ -3380,7 +3380,7 @@ vnet_ipfw_uninit(const void *unused) * Then grab, release and grab again the WLOCK so we make * sure the update is propagated and nobody will be in. */ - (void)ipfw_attach_hooks(0 /* detach */); + ipfw_detach_hooks(); V_ip_fw_ctl_ptr = NULL; last = IS_DEFAULT_VNET(curvnet) ? 1 : 0; Modified: head/sys/netpfil/ipfw/ip_fw_pfil.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_pfil.c Thu Mar 21 14:45:08 2019 (r345380) +++ head/sys/netpfil/ipfw/ip_fw_pfil.c Thu Mar 21 16:15:29 2019 (r345381) @@ -536,29 +536,23 @@ VNET_DEFINE_STATIC(pfil_hook_t, ipfw_inet6_hook); VNET_DEFINE_STATIC(pfil_hook_t, ipfw_link_hook); #define V_ipfw_link_hook VNET(ipfw_link_hook) -static int -ipfw_hook(int onoff, int pf) +static void +ipfw_hook(int pf) { struct pfil_hook_args pha; - struct pfil_link_args pla; pfil_hook_t *h; pha.pa_version = PFIL_VERSION; - pha.pa_flags = PFIL_IN | PFIL_OUT | PFIL_MEMPTR; + pha.pa_flags = PFIL_IN | PFIL_OUT; pha.pa_modname = "ipfw"; pha.pa_ruleset = NULL; - pla.pa_version = PFIL_VERSION; - pla.pa_flags = PFIL_IN | PFIL_OUT | - PFIL_HEADPTR | PFIL_HOOKPTR; - switch (pf) { case AF_INET: pha.pa_func = ipfw_check_packet; pha.pa_type = PFIL_TYPE_IP4; pha.pa_rulname = "default"; h = &V_ipfw_inet_hook; - pla.pa_head = V_inet_pfil_head; break; #ifdef INET6 case AF_INET6: 
@@ -566,57 +560,103 @@ ipfw_hook(int onoff, int pf) pha.pa_type = PFIL_TYPE_IP6; pha.pa_rulname = "default6"; h = &V_ipfw_inet6_hook; - pla.pa_head = V_inet6_pfil_head; break; #endif case AF_LINK: pha.pa_func = ipfw_check_frame; pha.pa_type = PFIL_TYPE_ETHERNET; pha.pa_rulname = "default-link"; + pha.pa_flags |= PFIL_MEMPTR; h = &V_ipfw_link_hook; - pla.pa_head = V_link_pfil_head; break; } - if (onoff) { - *h = pfil_add_hook(&pha); - pla.pa_hook = *h; - (void)pfil_link(&pla); - } else - if (*h != NULL) - pfil_remove_hook(*h); + *h = pfil_add_hook(&pha); +} - return 0; +static void +ipfw_unhook(int pf) +{ + + switch (pf) { + case AF_INET: + pfil_remove_hook(V_ipfw_inet_hook); + break; +#ifdef INET6 + case AF_INET6: + pfil_remove_hook(V_ipfw_inet6_hook); + break; +#endif + case AF_LINK: + pfil_remove_hook(V_ipfw_link_hook); + break; + } } +static int +ipfw_link(int pf, bool unlink) +{ + struct pfil_link_args pla; + + pla.pa_version = PFIL_VERSION; + pla.pa_flags = PFIL_IN | PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR; + if (unlink) + pla.pa_flags |= PFIL_UNLINK; + + switch (pf) { + case AF_INET: + pla.pa_head = V_inet_pfil_head; + pla.pa_hook = V_ipfw_inet_hook; + break; +#ifdef INET6 + case AF_INET6: + pla.pa_head = V_inet6_pfil_head; + pla.pa_hook = V_ipfw_inet6_hook; + break; +#endif + case AF_LINK: + pla.pa_head = V_link_pfil_head; + pla.pa_hook = V_ipfw_link_hook; + break; + } + + return (pfil_link(&pla)); +} + int -ipfw_attach_hooks(int arg) +ipfw_attach_hooks(void) { int error = 0; - if (arg == 0) /* detach */ - ipfw_hook(0, AF_INET); - else if (V_fw_enable && ipfw_hook(1, AF_INET) != 0) { - error = ENOENT; /* see ip_fw_pfil.c::ipfw_hook() */ + ipfw_hook(AF_INET); + TUNABLE_INT_FETCH("net.inet.ip.fw.enable", &V_fw_enable); + if (V_fw_enable && (error = ipfw_link(AF_INET, false)) != 0) printf("ipfw_hook() error\n"); - } #ifdef INET6 - if (arg == 0) /* detach */ - ipfw_hook(0, AF_INET6); - else if (V_fw6_enable && ipfw_hook(1, AF_INET6) != 0) { - error = ENOENT; + 
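Review bot: The rewritten `ipfw_hook()` still leaves `h` unassigned when `pf` matches none of the three cases, and the switch now ends in `*h = pfil_add_hook(&pha)` (in the following hunk), so an unexpected family writes the new hook through an indeterminate pointer; this predates the change, but the rewrite that drops the `onoff` branch is the natural place to close it. The new `ipfw_link()` in the next hunk has the same shape, and there `pla.pa_head`/`pla.pa_hook` would reach `pfil_link()` uninitialized, with `pf` coming from `ipfw_chg_hook()`'s `af`, which is computed outside the hunk. Suggest `default: panic("%s: unknown pf %d", __func__, pf);` in `ipfw_hook()` and `ipfw_unhook()`, and `default: return (EINVAL);` in `ipfw_link()`. `ipfw_hook()` continues past the end of this hunk.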
ipfw_hook(AF_INET6); + TUNABLE_INT_FETCH("net.inet6.ip6.fw.enable", &V_fw6_enable); + if (V_fw6_enable && (error = ipfw_link(AF_INET6, false)) != 0) printf("ipfw6_hook() error\n"); - } #endif - if (arg == 0) /* detach */ - ipfw_hook(0, AF_LINK); - else if (V_fwlink_enable && ipfw_hook(1, AF_LINK) != 0) { - error = ENOENT; + ipfw_hook(AF_LINK); + TUNABLE_INT_FETCH("net.link.ether.ipfw", &V_fwlink_enable); + if (V_fwlink_enable && (error = ipfw_link(AF_LINK, false)) != 0) printf("ipfw_link_hook() error\n"); - } - return error; + + return (error); } +void +ipfw_detach_hooks(void) +{ + + ipfw_unhook(AF_INET); +#ifdef INET6 + ipfw_unhook(AF_INET6); +#endif + ipfw_unhook(AF_LINK); +} + int ipfw_chg_hook(SYSCTL_HANDLER_ARGS) { @@ -648,7 +688,7 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS) if (*(int *)arg1 == newval) return (0); - error = ipfw_hook(newval, af); + error = ipfw_link(af, newval == 0 ? true : false); if (error) return (error); *(int *)arg1 = newval; Modified: head/sys/netpfil/ipfw/ip_fw_private.h ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_private.h Thu Mar 21 14:45:08 2019 (r345380) +++ head/sys/netpfil/ipfw/ip_fw_private.h Thu Mar 21 16:15:29 2019 (r345381) @@ -151,8 +151,8 @@ int ipfw_chk(struct ip_fw_args *args); struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *, u_int32_t, u_int32_t, int); -/* attach (arg = 1) or detach (arg = 0) hooks */ -int ipfw_attach_hooks(int); +int ipfw_attach_hooks(void); +void ipfw_detach_hooks(void); #ifdef NOTYET void ipfw_nat_destroy(void); #endif
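Review bot: In the new `ipfw_attach_hooks()`, `error` is reassigned by each `(error = ipfw_link(...)) != 0` test, so a failure for AF_INET is overwritten by a later successful AF_INET6 or AF_LINK link and the function returns 0 after having printed "ipfw_hook() error"; the old code kept `error = ENOENT` sticky. Since `vnet_ipfw_init()` (first hunk of ip_fw2.c) returns this value, the vnet init then reports success while the IPv4 hook is attached but not linked, and `V_fw_enable` stays 1 so the sysctl claims it is enabled. Keep the first failure in a separate local, as below, and consider clearing the enable variable on failure so the sysctl reflects the actual linkage (with the `*(int *)arg1 == newval` early return in `ipfw_chg_hook()`, a later write of 1 would otherwise be a no-op).
```c
int
ipfw_attach_hooks(void)
{
	int error = 0, e;

	ipfw_hook(AF_INET);
	TUNABLE_INT_FETCH("net.inet.ip.fw.enable", &V_fw_enable);
	if (V_fw_enable && (e = ipfw_link(AF_INET, false)) != 0) {
		printf("ipfw_hook() error\n");
		error = e;	/* keep the first failure; a later success must not clear it */
	}
	/* … same pattern for AF_INET6 (under INET6) and AF_LINK, each assigning error = e on failure … */

	return (error);
}
```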
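Review bot: In `ipfw_chg_hook()`, `newval == 0 ? true : false` is a roundabout spelling of a boolean that is already a `bool` expression; `error = ipfw_link(af, newval == 0);` reads the same and avoids the ternary. The body of `ipfw_chg_hook()` starts outside this hunk, so where `af` is derived is not visible here.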
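Review bot: The header hunk deletes the only comment describing the hook contract (`/* attach (arg = 1) or detach (arg = 0) hooks */`) without documenting the new pair, although the semantics changed: hooks are now always registered and only the linkage depends on the enable variables. Suggest `/* Register the pfil(9) hooks; link them to the default heads only where the enable tunable/sysctl is set. */` above `ipfw_attach_hooks()` and `/* Remove the hooks registered by ipfw_attach_hooks(). */` above `ipfw_detach_hooks()`.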