Date: Fri, 2 Nov 2012 01:20:56 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r242463 - in head: . sbin/ipfw sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw Message-ID: <201211020120.qA21Kuwn015037@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Fri Nov 2 01:20:55 2012 New Revision: 242463 URL: http://svn.freebsd.org/changeset/base/242463 Log: Remove the recently added sysctl variable net.pfil.forward. Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set. Suggested by: andre Modified: head/UPDATING head/sbin/ipfw/ipfw.8 head/sys/net/pfil.c head/sys/net/pfil.h head/sys/netinet/ip_fastfwd.c head/sys/netinet/ip_input.c head/sys/netinet/ip_output.c head/sys/netinet/ip_var.h head/sys/netinet/tcp_input.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/ip6_forward.c head/sys/netinet6/ip6_input.c head/sys/netinet6/ip6_output.c head/sys/netinet6/ip6_var.h head/sys/netinet6/udp6_usrreq.c head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_pfil.c Modified: head/UPDATING ============================================================================== --- head/UPDATING Fri Nov 2 00:17:30 2012 (r242462) +++ head/UPDATING Fri Nov 2 01:20:55 2012 (r242463) @@ -24,10 +24,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10 disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) -20121025: +20121102: The IPFIREWALL_FORWARD kernel option has been removed. Its - functionality now can be turned on using the net.pfil.forward - sysctl variable. + functionality now turned on by default. 20121023: The ZERO_COPY_SOCKET kernel option has been removed and Modified: head/sbin/ipfw/ipfw.8 ============================================================================== --- head/sbin/ipfw/ipfw.8 Fri Nov 2 00:17:30 2012 (r242462) +++ head/sbin/ipfw/ipfw.8 Fri Nov 2 01:20:55 2012 (r242463) @@ -774,14 +774,6 @@ This makes the .Xr netstat 1 entry look rather weird but is intended for use with transparent proxy servers. -.Pp -To enable -.Cm fwd -the -.Xr sysctl 8 -variable -.Va net.pfil.forward -should be set to 1. .It Cm nat Ar nat_nr | tablearg Pass packet to a nat instance Modified: head/sys/net/pfil.c ============================================================================== --- head/sys/net/pfil.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/net/pfil.c Fri Nov 2 01:20:55 2012 (r242463) @@ -37,7 +37,6 @@ #include <sys/rmlock.h> #include <sys/socket.h> #include <sys/socketvar.h> -#include <sys/sysctl.h> #include <sys/systm.h> #include <sys/condvar.h> #include <sys/lock.h> @@ -65,11 +64,6 @@ VNET_DEFINE(struct pfilheadhead, pfil_he VNET_DEFINE(struct rmlock, pfil_lock); #define V_pfil_lock VNET(pfil_lock) -VNET_DEFINE(int, pfilforward) = 0; -SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface"); -SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW, - &VNET_NAME(pfilforward), 0, - "Enable forwarding performed by packet filters"); /* * pfil_run_hooks() runs the specified packet filter hooks. */ Modified: head/sys/net/pfil.h ============================================================================== --- head/sys/net/pfil.h Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/net/pfil.h Fri Nov 2 01:20:55 2012 (r242463) @@ -38,14 +38,11 @@ #include <sys/_mutex.h> #include <sys/lock.h> #include <sys/rmlock.h> -#include <net/vnet.h> struct mbuf; struct ifnet; struct inpcb; -VNET_DECLARE(int, pfilforward); -#define V_pfilforward VNET(pfilforward) /* * The packet filter hooks are designed for anything to call them to * possibly intercept the packet. Modified: head/sys/netinet/ip_fastfwd.c ============================================================================== --- head/sys/netinet/ip_fastfwd.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet/ip_fastfwd.c Fri Nov 2 01:20:55 2012 (r242463) @@ -446,7 +446,7 @@ passin: /* * Destination address changed? */ - if (V_pfilforward != 0) + if (m->m_flags & M_IP_NEXTHOP) fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (odest.s_addr != dest.s_addr || fwd_tag != NULL) { /* @@ -469,6 +469,7 @@ forwardlocal: dest.s_addr = ((struct sockaddr_in *) (fwd_tag + 1))->sin_addr.s_addr; m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } RTFREE(ro.ro_rt); if ((dst = ip_findroute(&ro, dest, m)) == NULL) Modified: head/sys/netinet/ip_input.c ============================================================================== --- head/sys/netinet/ip_input.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet/ip_input.c Fri Nov 2 01:20:55 2012 (r242463) @@ -509,23 +509,22 @@ tooshort: dchg = (odst.s_addr != ip->ip_dst.s_addr); ifp = m->m_pkthdr.rcvif; - if (V_pfilforward == 0) - goto passin; - if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; goto ours; } - if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { - /* - * Directly ship the packet on. This allows forwarding - * packets originally destined to us to some other directly - * connected host. - */ - ip_forward(m, dchg); - return; + if (m->m_flags & M_IP_NEXTHOP) { + dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL); + if (dchg != 0) { + /* + * Directly ship the packet on. This allows + * forwarding packets originally destined to us + * to some other directly connected host. + */ + ip_forward(m, 1); + return; + } } - passin: /* Modified: head/sys/netinet/ip_output.c ============================================================================== --- head/sys/netinet/ip_output.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet/ip_output.c Fri Nov 2 01:20:55 2012 (r242463) @@ -537,9 +537,6 @@ sendit: } } - if (V_pfilforward == 0) - goto passout; - /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -560,11 +557,12 @@ sendit: goto done; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP_NEXTHOP; m_tag_delete(m, fwd_tag); if (ia != NULL) ifa_free(&ia->ia_ifa); Modified: head/sys/netinet/ip_var.h ============================================================================== --- head/sys/netinet/ip_var.h Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet/ip_var.h Fri Nov 2 01:20:55 2012 (r242463) @@ -163,6 +163,7 @@ void kmod_ipstat_dec(int statnum); * mbuf flag used by ip_fastfwd */ #define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */ +#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */ #ifdef __NO_STRICT_ALIGNMENT #define IP_HDR_ALIGNED_P(ip) 1 Modified: head/sys/netinet/tcp_input.c ============================================================================== --- head/sys/netinet/tcp_input.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet/tcp_input.c Fri Nov 2 01:20:55 2012 (r242463) @@ -75,7 +75,6 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> -#include <net/pfil.h> #include <net/route.h> #include <net/vnet.h> @@ -781,7 +780,7 @@ findpcb: /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - if (V_pfilforward != 0) + if (m->m_flags & M_IP_NEXTHOP) fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); #ifdef INET6 @@ -810,6 +809,7 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, @@ -846,6 +846,7 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport, Modified: head/sys/netinet/udp_usrreq.c ============================================================================== --- head/sys/netinet/udp_usrreq.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet/udp_usrreq.c Fri Nov 2 01:20:55 2012 (r242463) @@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> -#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -549,7 +548,7 @@ udp_input(struct mbuf *m, int off) /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - if (V_pfilforward != 0 && + if ((m->m_flags & M_IP_NEXTHOP) && (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in *next_hop; @@ -575,6 +574,7 @@ udp_input(struct mbuf *m, int off) } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport, ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD | Modified: head/sys/netinet6/ip6_forward.c ============================================================================== --- head/sys/netinet6/ip6_forward.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet6/ip6_forward.c Fri Nov 2 01:20:55 2012 (r242463) @@ -592,8 +592,6 @@ skip_routing: goto again; /* Redo the routing table lookup. */ } - if (V_pfilforward == 0) - goto pass; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -611,11 +609,12 @@ skip_routing: goto out; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP6_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in6 *)&rin6.ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP6_NEXTHOP; m_tag_delete(m, fwd_tag); goto again2; } Modified: head/sys/netinet6/ip6_input.c ============================================================================== --- head/sys/netinet6/ip6_input.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet6/ip6_input.c Fri Nov 2 01:20:55 2012 (r242463) @@ -628,15 +628,14 @@ ip6_input(struct mbuf *m) ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); - if (V_pfilforward == 0) - goto passin; if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; ours = 1; deliverifp = m->m_pkthdr.rcvif; goto hbhcheck; } - if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { + if ((m->m_flags & M_IP6_NEXTHOP) && + m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { /* * Directly ship the packet on. This allows forwarding * packets originally destined to us to some other directly Modified: head/sys/netinet6/ip6_output.c ============================================================================== --- head/sys/netinet6/ip6_output.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet6/ip6_output.c Fri Nov 2 01:20:55 2012 (r242463) @@ -913,8 +913,6 @@ again: goto again; /* Redo the routing table lookup. */ } - if (V_pfilforward == 0) - goto passout; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -932,11 +930,12 @@ again: goto done; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP6_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in6 *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP6_NEXTHOP; m_tag_delete(m, fwd_tag); goto again; } Modified: head/sys/netinet6/ip6_var.h ============================================================================== --- head/sys/netinet6/ip6_var.h Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet6/ip6_var.h Fri Nov 2 01:20:55 2012 (r242463) @@ -285,6 +285,8 @@ struct ip6aux { #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */ #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */ +#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */ + #ifdef __NO_STRICT_ALIGNMENT #define IP6_HDR_ALIGNED_P(ip) 1 #else Modified: head/sys/netinet6/udp6_usrreq.c ============================================================================== --- head/sys/netinet6/udp6_usrreq.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netinet6/udp6_usrreq.c Fri Nov 2 01:20:55 2012 (r242463) @@ -92,7 +92,6 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/if_types.h> -#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -396,7 +395,7 @@ udp6_input(struct mbuf **mp, int *offp, /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - if (V_pfilforward != 0 && + if ((m->m_flags & M_IP6_NEXTHOP) && (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in6 *next_hop6; @@ -423,6 +422,7 @@ udp6_input(struct mbuf **mp, int *offp, } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP6_NEXTHOP; } else inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src, uh->uh_sport, &ip6->ip6_dst, uh->uh_dport, Modified: head/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 2 01:20:55 2012 (r242463) @@ -2535,7 +2535,6 @@ ipfw_init(void) "(+ipv6) " #endif "initialized, divert %s, nat %s, " - "rule-based forwarding turned %s, " "default to %s, logging ", #ifdef IPDIVERT "enabled", @@ -2547,7 +2546,6 @@ ipfw_init(void) #else "loadable", #endif - V_pfilforward ? "on": "off", default_to_accept ? "accept" : "deny"); /* Modified: head/sys/netpfil/ipfw/ip_fw_pfil.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_pfil.c Fri Nov 2 00:17:30 2012 (r242462) +++ head/sys/netpfil/ipfw/ip_fw_pfil.c Fri Nov 2 01:20:55 2012 (r242463) @@ -159,8 +159,6 @@ again: /* next_hop may be set by ipfw_chk */ if (args.next_hop == NULL && args.next_hop6 == NULL) break; /* pass */ - if (V_pfilforward == 0) - break; #if (!defined(INET6) && !defined(INET)) ret = EACCES; #else @@ -201,6 +199,7 @@ again: bcopy(args.next_hop6, (fwd_tag+1), len); if (in6_localip(&args.next_hop6->sin6_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; + (*m0)->m_flags |= M_IP6_NEXTHOP; } #endif #ifdef INET @@ -208,6 +207,7 @@ again: bcopy(args.next_hop, (fwd_tag+1), len); if (in_localip(args.next_hop->sin_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; + (*m0)->m_flags |= M_IP_NEXTHOP; } #endif m_tag_prepend(*m0, fwd_tag);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201211020120.qA21Kuwn015037>