Date:      Fri, 2 Nov 2012 01:20:56 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r242463 - in head: . sbin/ipfw sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw
Message-ID:  <201211020120.qA21Kuwn015037@svn.freebsd.org>

Author: ae
Date: Fri Nov  2 01:20:55 2012
New Revision: 242463
URL: http://svn.freebsd.org/changeset/base/242463

Log:
  Remove the recently added sysctl variable net.pfil.forward.
  Instead, add the protocol-specific mbuf flags M_IP_NEXTHOP and
  M_IP6_NEXTHOP and use them to indicate that the mbuf chain
  carries a PACKET_TAG_IPFORWARD tag, so that the tag lookup is
  done only when the flag is set.
  
  Suggested by:	andre

Modified:
  head/UPDATING
  head/sbin/ipfw/ipfw.8
  head/sys/net/pfil.c
  head/sys/net/pfil.h
  head/sys/netinet/ip_fastfwd.c
  head/sys/netinet/ip_input.c
  head/sys/netinet/ip_output.c
  head/sys/netinet/ip_var.h
  head/sys/netinet/tcp_input.c
  head/sys/netinet/udp_usrreq.c
  head/sys/netinet6/ip6_forward.c
  head/sys/netinet6/ip6_input.c
  head/sys/netinet6/ip6_output.c
  head/sys/netinet6/ip6_var.h
  head/sys/netinet6/udp6_usrreq.c
  head/sys/netpfil/ipfw/ip_fw2.c
  head/sys/netpfil/ipfw/ip_fw_pfil.c

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/UPDATING	Fri Nov  2 01:20:55 2012	(r242463)
@@ -24,10 +24,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
-20121025:
+20121102:
 	The IPFIREWALL_FORWARD kernel option has been removed. Its
-	functionality now can be turned on using the net.pfil.forward
-	sysctl variable.
+	functionality now turned on by default.
 
 20121023:
 	The ZERO_COPY_SOCKET kernel option has been removed and

Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sbin/ipfw/ipfw.8	Fri Nov  2 01:20:55 2012	(r242463)
@@ -774,14 +774,6 @@ This makes the
 .Xr netstat 1
 entry look rather weird but is intended for
 use with transparent proxy servers.
-.Pp
-To enable
-.Cm fwd
-the
-.Xr sysctl 8
-variable
-.Va net.pfil.forward
-should be set to 1.
 .It Cm nat Ar nat_nr | tablearg
 Pass packet to a
 nat instance

Modified: head/sys/net/pfil.c
==============================================================================
--- head/sys/net/pfil.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/net/pfil.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -37,7 +37,6 @@
 #include <sys/rmlock.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
-#include <sys/sysctl.h>
 #include <sys/systm.h>
 #include <sys/condvar.h>
 #include <sys/lock.h>
@@ -65,11 +64,6 @@ VNET_DEFINE(struct pfilheadhead, pfil_he
 VNET_DEFINE(struct rmlock, pfil_lock);
 #define	V_pfil_lock	VNET(pfil_lock)
 
-VNET_DEFINE(int, pfilforward) = 0;
-SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface");
-SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW,
-    &VNET_NAME(pfilforward), 0,
-    "Enable forwarding performed by packet filters");
 /*
  * pfil_run_hooks() runs the specified packet filter hooks.
  */

Modified: head/sys/net/pfil.h
==============================================================================
--- head/sys/net/pfil.h	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/net/pfil.h	Fri Nov  2 01:20:55 2012	(r242463)
@@ -38,14 +38,11 @@
 #include <sys/_mutex.h>
 #include <sys/lock.h>
 #include <sys/rmlock.h>
-#include <net/vnet.h>
 
 struct mbuf;
 struct ifnet;
 struct inpcb;
 
-VNET_DECLARE(int, pfilforward);
-#define	V_pfilforward		VNET(pfilforward)
 /*
  * The packet filter hooks are designed for anything to call them to
  * possibly intercept the packet.

Modified: head/sys/netinet/ip_fastfwd.c
==============================================================================
--- head/sys/netinet/ip_fastfwd.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet/ip_fastfwd.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -446,7 +446,7 @@ passin:
 	/*
 	 * Destination address changed?
 	 */
-	if (V_pfilforward != 0)
+	if (m->m_flags & M_IP_NEXTHOP)
 		fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
 	if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
 		/*
@@ -469,6 +469,7 @@ forwardlocal:
 			dest.s_addr = ((struct sockaddr_in *)
 				    (fwd_tag + 1))->sin_addr.s_addr;
 			m_tag_delete(m, fwd_tag);
+			m->m_flags &= ~M_IP_NEXTHOP;
 		}
 		RTFREE(ro.ro_rt);
 		if ((dst = ip_findroute(&ro, dest, m)) == NULL)

Modified: head/sys/netinet/ip_input.c
==============================================================================
--- head/sys/netinet/ip_input.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet/ip_input.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -509,23 +509,22 @@ tooshort:
 	dchg = (odst.s_addr != ip->ip_dst.s_addr);
 	ifp = m->m_pkthdr.rcvif;
 
-	if (V_pfilforward == 0)
-		goto passin;
-
 	if (m->m_flags & M_FASTFWD_OURS) {
 		m->m_flags &= ~M_FASTFWD_OURS;
 		goto ours;
 	}
-	if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
-		/*
-		 * Directly ship the packet on.  This allows forwarding
-		 * packets originally destined to us to some other directly
-		 * connected host.
-		 */
-		ip_forward(m, dchg);
-		return;
+	if (m->m_flags & M_IP_NEXTHOP) {
+		dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
+		if (dchg != 0) {
+			/*
+			 * Directly ship the packet on.  This allows
+			 * forwarding packets originally destined to us
+			 * to some other directly connected host.
+			 */
+			ip_forward(m, 1);
+			return;
+		}
 	}
-
 passin:
 
 	/*
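Review bot: In the new `if (m->m_flags & M_IP_NEXTHOP)` block, `dchg` is reassigned from the tag lookup, so when the flag is set but no PACKET_TAG_IPFORWARD tag is found the value computed a few lines earlier from `odst.s_addr != ip->ip_dst.s_addr` is silently replaced by 0 and the packet falls through to `passin` with the destination-changed information lost; whatever consumes `dchg` later in ip_input() is outside the hunk, so I cannot confirm the effect here, but the old code had the same clobber whenever forwarding was enabled and this rewrite is the place to drop it. Keep the earlier value and only act on a found tag: `if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { ip_forward(m, 1); return; }`. It may also be worth a one-line comment stating that the tag itself is consumed downstream by ip_output(), since nothing in this hunk clears the flag. The enclosing ip_input() starts and ends outside the hunk.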

Modified: head/sys/netinet/ip_output.c
==============================================================================
--- head/sys/netinet/ip_output.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet/ip_output.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -537,9 +537,6 @@ sendit:
 		}
 	}
 
-	if (V_pfilforward == 0)
-		goto passout;
-
 	/* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */
 	if (m->m_flags & M_FASTFWD_OURS) {
 		if (m->m_pkthdr.rcvif == NULL)
@@ -560,11 +557,12 @@ sendit:
 		goto done;
 	}
 	/* Or forward to some other address? */
-	fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-	if (fwd_tag) {
+	if ((m->m_flags & M_IP_NEXTHOP) &&
+	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
 		dst = (struct sockaddr_in *)&ro->ro_dst;
 		bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
 		m->m_flags |= M_SKIP_FIREWALL;
+		m->m_flags &= ~M_IP_NEXTHOP;
 		m_tag_delete(m, fwd_tag);
 		if (ia != NULL)
 			ifa_free(&ia->ia_ifa);

Modified: head/sys/netinet/ip_var.h
==============================================================================
--- head/sys/netinet/ip_var.h	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet/ip_var.h	Fri Nov  2 01:20:55 2012	(r242463)
@@ -163,6 +163,7 @@ void	kmod_ipstat_dec(int statnum);
  * mbuf flag used by ip_fastfwd
  */
 #define	M_FASTFWD_OURS		M_PROTO1	/* changed dst to local */
+#define	M_IP_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP_HDR_ALIGNED_P(ip)	1
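Review bot: The new flag sits under the comment "mbuf flag used by ip_fastfwd", but this commit consumes M_IP_NEXTHOP in ip_input.c, ip_output.c, tcp_input.c and udp_usrreq.c as well, and the flag's contract is not written down anywhere. I would widen the comment to `/* mbuf flags used by ip_fastfwd and the IP/TCP/UDP input and output paths */` and document the new define as `/* a PACKET_TAG_IPFORWARD tag is attached; set by the packet filter together with the tag, cleared by whoever deletes the tag; must stay equal to M_IP6_NEXTHOP (ip6_var.h) */`. M_PROTO2 is a protocol-private bit, so it is presumably worth confirming that no other code between the pfil hook and these consumers uses M_PROTO2 on the same mbuf.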

Modified: head/sys/netinet/tcp_input.c
==============================================================================
--- head/sys/netinet/tcp_input.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet/tcp_input.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -75,7 +75,6 @@ __FBSDID("$FreeBSD$");
 #include <vm/uma.h>
 
 #include <net/if.h>
-#include <net/pfil.h>
 #include <net/route.h>
 #include <net/vnet.h>
 
@@ -781,7 +780,7 @@ findpcb:
 	/*
 	 * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
 	 */
-	if (V_pfilforward != 0)
+	if (m->m_flags & M_IP_NEXTHOP)
 		fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
 
 #ifdef INET6
@@ -810,6 +809,7 @@ findpcb:
 		}
 		/* Remove the tag from the packet.  We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
+		m->m_flags &= ~M_IP_NEXTHOP;
 	} else if (isipv6) {
 		inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
 		    th->th_sport, &ip6->ip6_dst, th->th_dport,
@@ -846,6 +846,7 @@ findpcb:
 		}
 		/* Remove the tag from the packet.  We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
+		m->m_flags &= ~M_IP_NEXTHOP;
 	} else
 		inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
 		    th->th_sport, ip->ip_dst, th->th_dport,

Modified: head/sys/netinet/udp_usrreq.c
==============================================================================
--- head/sys/netinet/udp_usrreq.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet/udp_usrreq.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$");
 #include <vm/uma.h>
 
 #include <net/if.h>
-#include <net/pfil.h>
 #include <net/route.h>
 
 #include <netinet/in.h>
@@ -549,7 +548,7 @@ udp_input(struct mbuf *m, int off)
 	/*
 	 * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
 	 */
-	if (V_pfilforward != 0 &&
+	if ((m->m_flags & M_IP_NEXTHOP) &&
 	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
 		struct sockaddr_in *next_hop;
 
@@ -575,6 +574,7 @@ udp_input(struct mbuf *m, int off)
 		}
 		/* Remove the tag from the packet. We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
+		m->m_flags &= ~M_IP_NEXTHOP;
 	} else
 		inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport,
 		    ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD |

Modified: head/sys/netinet6/ip6_forward.c
==============================================================================
--- head/sys/netinet6/ip6_forward.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet6/ip6_forward.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -592,8 +592,6 @@ skip_routing:
 			goto again;	/* Redo the routing table lookup. */
 	}
 
-	if (V_pfilforward == 0)
-		goto pass;
 	/* See if local, if yes, send it to netisr. */
 	if (m->m_flags & M_FASTFWD_OURS) {
 		if (m->m_pkthdr.rcvif == NULL)
@@ -611,11 +609,12 @@ skip_routing:
 		goto out;
 	}
 	/* Or forward to some other address? */
-	fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-	if (fwd_tag) {
+	if ((m->m_flags & M_IP6_NEXTHOP) &&
+	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
 		dst = (struct sockaddr_in6 *)&rin6.ro_dst;
 		bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
 		m->m_flags |= M_SKIP_FIREWALL;
+		m->m_flags &= ~M_IP6_NEXTHOP;
 		m_tag_delete(m, fwd_tag);
 		goto again2;
 	}

Modified: head/sys/netinet6/ip6_input.c
==============================================================================
--- head/sys/netinet6/ip6_input.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet6/ip6_input.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -628,15 +628,14 @@ ip6_input(struct mbuf *m)
 	ip6 = mtod(m, struct ip6_hdr *);
 	srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
 
-	if (V_pfilforward == 0)
-		goto passin;
 	if (m->m_flags & M_FASTFWD_OURS) {
 		m->m_flags &= ~M_FASTFWD_OURS;
 		ours = 1;
 		deliverifp = m->m_pkthdr.rcvif;
 		goto hbhcheck;
 	}
-	if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
+	if ((m->m_flags & M_IP6_NEXTHOP) &&
+	    m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
 		/*
 		 * Directly ship the packet on.  This allows forwarding
 		 * packets originally destined to us to some other directly

Modified: head/sys/netinet6/ip6_output.c
==============================================================================
--- head/sys/netinet6/ip6_output.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet6/ip6_output.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -913,8 +913,6 @@ again:
 			goto again;	/* Redo the routing table lookup. */
 	}
 
-	if (V_pfilforward == 0)
-		goto passout;
 	/* See if local, if yes, send it to netisr. */
 	if (m->m_flags & M_FASTFWD_OURS) {
 		if (m->m_pkthdr.rcvif == NULL)
@@ -932,11 +930,12 @@ again:
 		goto done;
 	}
 	/* Or forward to some other address? */
-	fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
-	if (fwd_tag) {
+	if ((m->m_flags & M_IP6_NEXTHOP) &&
+	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
 		dst = (struct sockaddr_in6 *)&ro->ro_dst;
 		bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
 		m->m_flags |= M_SKIP_FIREWALL;
+		m->m_flags &= ~M_IP6_NEXTHOP;
 		m_tag_delete(m, fwd_tag);
 		goto again;
 	}

Modified: head/sys/netinet6/ip6_var.h
==============================================================================
--- head/sys/netinet6/ip6_var.h	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet6/ip6_var.h	Fri Nov  2 01:20:55 2012	(r242463)
@@ -285,6 +285,8 @@ struct ip6aux {
 #define	IPV6_FORWARDING		0x02	/* most of IPv6 header exists */
 #define	IPV6_MINMTU		0x04	/* use minimum MTU (IPV6_USE_MIN_MTU) */
 
+#define	M_IP6_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
+
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip)	1
 #else
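Review bot: M_IP6_NEXTHOP is placed directly after IPV6_FORWARDING and IPV6_MINMTU, which are ip6_output() `flags` argument values rather than mbuf `m_flags` bits, so a reader can easily take the new define for another output flag. Give it its own heading and state the contract it shares with ip_var.h: `/* mbuf m_flags bit: a PACKET_TAG_IPFORWARD tag is attached to the chain. Must be the same bit as M_IP_NEXTHOP in ip_var.h; tcp_input() tests only the IPv4 name for both families. */`.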

Modified: head/sys/netinet6/udp6_usrreq.c
==============================================================================
--- head/sys/netinet6/udp6_usrreq.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netinet6/udp6_usrreq.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -92,7 +92,6 @@ __FBSDID("$FreeBSD$");
 
 #include <net/if.h>
 #include <net/if_types.h>
-#include <net/pfil.h>
 #include <net/route.h>
 
 #include <netinet/in.h>
@@ -396,7 +395,7 @@ udp6_input(struct mbuf **mp, int *offp, 
 	/*
 	 * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
 	 */
-	if (V_pfilforward != 0 &&
+	if ((m->m_flags & M_IP6_NEXTHOP) &&
 	    (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
 		struct sockaddr_in6 *next_hop6;
 
@@ -423,6 +422,7 @@ udp6_input(struct mbuf **mp, int *offp, 
 		}
 		/* Remove the tag from the packet. We don't need it anymore. */
 		m_tag_delete(m, fwd_tag);
+		m->m_flags &= ~M_IP6_NEXTHOP;
 	} else
 		inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src,
 		    uh->uh_sport, &ip6->ip6_dst, uh->uh_dport,

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netpfil/ipfw/ip_fw2.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -2535,7 +2535,6 @@ ipfw_init(void)
 		"(+ipv6) "
 #endif
 		"initialized, divert %s, nat %s, "
-		"rule-based forwarding turned %s, "
 		"default to %s, logging ",
 #ifdef IPDIVERT
 		"enabled",
@@ -2547,7 +2546,6 @@ ipfw_init(void)
 #else
 		"loadable",
 #endif
-		V_pfilforward ? "on": "off",
 		default_to_accept ? "accept" : "deny");
 
 	/*

Modified: head/sys/netpfil/ipfw/ip_fw_pfil.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_pfil.c	Fri Nov  2 00:17:30 2012	(r242462)
+++ head/sys/netpfil/ipfw/ip_fw_pfil.c	Fri Nov  2 01:20:55 2012	(r242463)
@@ -159,8 +159,6 @@ again:
 		/* next_hop may be set by ipfw_chk */
 		if (args.next_hop == NULL && args.next_hop6 == NULL)
 			break; /* pass */
-		if (V_pfilforward == 0)
-			break;
 #if (!defined(INET6) && !defined(INET))
 		ret = EACCES;
 #else
@@ -201,6 +199,7 @@ again:
 			bcopy(args.next_hop6, (fwd_tag+1), len);
 			if (in6_localip(&args.next_hop6->sin6_addr))
 				(*m0)->m_flags |= M_FASTFWD_OURS;
+			(*m0)->m_flags |= M_IP6_NEXTHOP;
 		}
 #endif
 #ifdef INET
@@ -208,6 +207,7 @@ again:
 			bcopy(args.next_hop, (fwd_tag+1), len);
 			if (in_localip(args.next_hop->sin_addr))
 				(*m0)->m_flags |= M_FASTFWD_OURS;
+			(*m0)->m_flags |= M_IP_NEXTHOP;
 		}
 #endif
 		m_tag_prepend(*m0, fwd_tag);
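Review bot: With this change a PACKET_TAG_IPFORWARD tag is only honoured when M_IP_NEXTHOP or M_IP6_NEXTHOP is also set, and this hunk is the only producer visible in the commit; if any other packet filter or module prepends that tag without setting the flag, its forwarding now silently stops working, and the same happens if the M_PROTO2 bit is stripped somewhere between this hook and the consumer while the tag survives (fail-closed, but a regression from the previous unconditional lookup). Both are inferences from the design rather than from lines I can see, so I would at least document the requirement next to the tag prepend: `/* Consumers look for PACKET_TAG_IPFORWARD only when M_IP_NEXTHOP / M_IP6_NEXTHOP is set; set both together. */`. Setting the flag a few lines before `m_tag_prepend()` is fine as long as nothing between them can fail; moving the two `|=` lines after the prepend would make that obvious. The enclosing function starts outside the hunk.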


