Date: Sat, 25 Jun 2016 14:14:56 +0000 (UTC) From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r302199 - projects/vnet/sys/contrib/ipfilter/netinet Message-ID: <201606251414.u5PEEuDv065651@repo.freebsd.org>
Author: bz Date: Sat Jun 25 14:14:55 2016 New Revision: 302199 URL: https://svnweb.freebsd.org/changeset/base/302199 Log: A first cut of V_irtualising ipfilter. Untested. Sponsored by: The FreeBSD Foundation Modified: projects/vnet/sys/contrib/ipfilter/netinet/ip_fil.h projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c projects/vnet/sys/contrib/ipfilter/netinet/ip_nat.c projects/vnet/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c projects/vnet/sys/contrib/ipfilter/netinet/ip_rules.c projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c Modified: projects/vnet/sys/contrib/ipfilter/netinet/ip_fil.h ============================================================================== --- projects/vnet/sys/contrib/ipfilter/netinet/ip_fil.h Sat Jun 25 12:54:27 2016 (r302198) +++ projects/vnet/sys/contrib/ipfilter/netinet/ip_fil.h Sat Jun 25 14:14:55 2016 (r302199) @@ -1710,7 +1710,6 @@ typedef struct ipf_main_softc_s { #ifndef _KERNEL extern int ipf_check __P((void *, struct ip *, int, void *, int, mb_t **)); -extern int (*ipf_checkp) __P((ip_t *, int, void *, int, mb_t **)); extern struct ifnet *get_unit __P((char *, int)); extern char *get_ifname __P((struct ifnet *)); extern int ipfioctl __P((ipf_main_softc_t *, int, ioctlcmd_t, Modified: projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c ============================================================================== --- projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c Sat Jun 25 12:54:27 2016 (r302198) +++ projects/vnet/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c Sat Jun 25 14:14:55 2016 (r302199) 
@@ -99,31 +99,29 @@ MALLOC_DEFINE(M_IPFILTER, "ipfilter", "I # endif -static int (*ipf_savep) __P((void *, ip_t *, int, void *, int, struct mbuf **)); static int ipf_send_ip __P((fr_info_t *, mb_t *)); static void ipf_timer_func __P((void *arg)); -int ipf_locks_done = 0; -ipf_main_softc_t ipfmain; +VNET_DEFINE(ipf_main_softc_t, ipfmain); +#define V_ipfmain VNET(ipfmain) # include <sys/conf.h> # if defined(NETBSD_PF) # include <net/pfil.h> # endif /* NETBSD_PF */ -/* - * We provide the ipf_checkp name just to minimize changes later. - */ -int (*ipf_checkp) __P((void *, ip_t *ip, int hlen, void *ifp, int out, mb_t **mp)); - static eventhandler_tag ipf_arrivetag, ipf_departtag, ipf_clonetag; -static void ipf_ifevent(void *arg); +static void ipf_ifevent(void *arg, struct ifnet *ifp); -static void ipf_ifevent(arg) +static void ipf_ifevent(arg, ifp) void *arg; + struct ifnet *ifp; { - ipf_sync(arg, NULL); + + CURVNET_SET(ifp->if_vnet); + ipf_sync(&V_ipfmain, NULL); + CURVNET_RESTORE(); } @@ -141,8 +139,10 @@ ipf_check_wrapper(void *arg, struct mbuf ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); #endif - rv = ipf_check(&ipfmain, ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), + CURVNET_SET(ifp->if_vnet); + rv = ipf_check(&V_ipfmain, ip, ip->ip_hl << 2, ifp, (dir == PFIL_OUT), mp); + CURVNET_RESTORE(); #if (__FreeBSD_version < 1000019) if ((rv == 0) && (*mp != NULL)) { ip = mtod(*mp, struct ip *); @@ -159,8 +159,13 @@ ipf_check_wrapper(void *arg, struct mbuf static int ipf_check_wrapper6(void *arg, struct mbuf **mp, struct ifnet *ifp, int dir) { - return (ipf_check(&ipfmain, mtod(*mp, struct ip *), - sizeof(struct ip6_hdr), ifp, (dir == PFIL_OUT), mp)); + int error; + + CURVNET_SET(ifp->if_vnet); + error = ipf_check(&V_ipfmain, mtod(*mp, struct ip *), + sizeof(struct ip6_hdr), ifp, (dir == PFIL_OUT), mp); + CURVNET_RESTORE(); + return (error); } # endif #if defined(IPFILTER_LKM) 
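Review bot: ipf_ifevent now runs ipf_sync against whichever vnet owns the arriving or departing interface, but nothing checks that ipfilter was ever brought up in that vnet; vnet_ipf_init in this same commit returns silently when ipf_create_all, ipf_fbsd_sysctl_create or ipfattach fail, and a vnet mid-teardown has an unusable softc, so an interface event there hands ipf_sync a V_ipfmain that was never attached. Guard the call the same way ipfread and ipfioctl guard theirs: `if (V_ipfmain.ipf_running > 0) ipf_sync(&V_ipfmain, NULL);`. The wrappers below it are fine since they only run for traffic on a hooked interface, but the same `ipf_running` check would be cheap insurance there too.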
@@ -221,12 +226,7 @@ ipfattach(softc) } - if (ipf_checkp != ipf_check) { - ipf_savep = ipf_checkp; - ipf_checkp = ipf_check; - } - - bzero((char *)ipfmain.ipf_selwait, sizeof(ipfmain.ipf_selwait)); + bzero((char *)V_ipfmain.ipf_selwait, sizeof(V_ipfmain.ipf_selwait)); softc->ipf_running = 1; if (softc->ipf_control_forwarding & 1) @@ -268,12 +268,6 @@ ipfdetach(softc) #endif callout_drain(&softc->ipf_slow_ch); -#ifndef NETBSD_PF - if (ipf_checkp != NULL) - ipf_checkp = ipf_savep; - ipf_savep = NULL; -#endif - ipf_fini_all(softc); softc->ipf_running = -2; @@ -304,27 +298,27 @@ ipfioctl(dev, cmd, data, mode #if (BSD >= 199306) if (securelevel_ge(p->p_cred, 3) && (mode & FWRITE)) { - ipfmain.ipf_interror = 130001; + V_ipfmain.ipf_interror = 130001; return EPERM; } #endif unit = GET_MINOR(dev); if ((IPL_LOGMAX < unit) || (unit < 0)) { - ipfmain.ipf_interror = 130002; + V_ipfmain.ipf_interror = 130002; return ENXIO; } - if (ipfmain.ipf_running <= 0) { + if (V_ipfmain.ipf_running <= 0) { if (unit != IPL_LOGIPF && cmd != SIOCIPFINTERROR) { - ipfmain.ipf_interror = 130003; + V_ipfmain.ipf_interror = 130003; return EIO; } if (cmd != SIOCIPFGETNEXT && cmd != SIOCIPFGET && cmd != SIOCIPFSET && cmd != SIOCFRENB && cmd != SIOCGETFS && cmd != SIOCGETFF && cmd != SIOCIPFINTERROR) { - ipfmain.ipf_interror = 130004; + V_ipfmain.ipf_interror = 130004; return EIO; } } @@ -332,7 +326,7 @@ ipfioctl(dev, cmd, data, mode SPL_NET(s); CURVNET_SET(TD_TO_VNET(p)); - error = ipf_ioctlswitch(&ipfmain, unit, data, cmd, mode, p->p_uid, p); + error = ipf_ioctlswitch(&V_ipfmain, unit, data, cmd, mode, p->p_uid, p); CURVNET_RESTORE(); if (error != -1) { SPL_X(s); @@ -580,7 +574,7 @@ ipf_send_icmp_err(type, fin, dst) } if (dst == 0) { - if (ipf_ifpaddr(&ipfmain, 4, FRI_NORMAL, ifp, + if (ipf_ifpaddr(&V_ipfmain, 4, FRI_NORMAL, ifp, &dst6, NULL) == -1) { FREE_MB_T(m); return -1; 
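Review bot: ipfattach is handed the softc it attaches yet clears `V_ipfmain.ipf_selwait`, which silently requires curvnet to be set and to be the vnet `softc` belongs to; the line should read `bzero((char *)softc->ipf_selwait, sizeof(softc->ipf_selwait));` so the function works for any softc it is given, as the rest of its body already does through `softc->`. ipfattach begins outside the hunk.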
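Review bot: ipfioctl reads and writes `V_ipfmain.ipf_interror` and `V_ipfmain.ipf_running` in the securelevel, unit-range and running checks before the `CURVNET_SET(TD_TO_VNET(p))` that the following hunk keeps around ipf_ioctlswitch, and a cdev ioctl entry point is not given a vnet context by its caller, so those early references resolve through whatever curvnet happens to be. Move the CURVNET_SET to the top of the function ahead of the `#if (BSD >= 199306)` block, drop the one before ipf_ioctlswitch, and add a `CURVNET_RESTORE()` before each of the four early `return`s in this hunk; the existing restore after ipf_ioctlswitch stays. ipfioctl starts before the hunk and its error handling continues after it.
```c
	CURVNET_SET(TD_TO_VNET(p));
#if (BSD >= 199306)
	if (securelevel_ge(p->p_cred, 3) && (mode & FWRITE)) {
		V_ipfmain.ipf_interror = 130001;
		CURVNET_RESTORE();
		return EPERM;
	}
#endif
	unit = GET_MINOR(dev);
	if ((IPL_LOGMAX < unit) || (unit < 0)) {
		V_ipfmain.ipf_interror = 130002;
		CURVNET_RESTORE();
		return ENXIO;
	}
	/* … unchanged: ipf_running <= 0 checks, each early return preceded by CURVNET_RESTORE() … */
	SPL_NET(s);
	error = ipf_ioctlswitch(&V_ipfmain, unit, data, cmd, mode, p->p_uid, p);
	CURVNET_RESTORE();
	/* … unchanged: error handling … */
```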
@@ -617,7 +611,7 @@ ipf_send_icmp_err(type, fin, dst) xtra = MIN(fin->fin_plen, avail - iclen - max_linkhdr); xtra = MIN(xtra, IPV6_MMTU - iclen); if (dst == 0) { - if (ipf_ifpaddr(&ipfmain, 6, FRI_NORMAL, ifp, + if (ipf_ifpaddr(&V_ipfmain, 6, FRI_NORMAL, ifp, &dst6, NULL) == -1) { FREE_MB_T(m); return -1; @@ -941,9 +935,9 @@ sendorfree: } done: if (!error) - ipfmain.ipf_frouteok[0]++; + V_ipfmain.ipf_frouteok[0]++; else - ipfmain.ipf_frouteok[1]++; + V_ipfmain.ipf_frouteok[1]++; if (has_nhop) fib4_free_nh_ext(fibnum, &nh4); @@ -1405,13 +1399,13 @@ void ipf_event_reg(void) { ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \ - ipf_ifevent, &ipfmain, \ + ipf_ifevent, NULL, \ EVENTHANDLER_PRI_ANY); ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \ - ipf_ifevent, &ipfmain, \ + ipf_ifevent, NULL, \ EVENTHANDLER_PRI_ANY); ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \ - &ipfmain, EVENTHANDLER_PRI_ANY); + NULL, EVENTHANDLER_PRI_ANY); } void Modified: projects/vnet/sys/contrib/ipfilter/netinet/ip_nat.c ============================================================================== --- projects/vnet/sys/contrib/ipfilter/netinet/ip_nat.c Sat Jun 25 12:54:27 2016 (r302198) +++ projects/vnet/sys/contrib/ipfilter/netinet/ip_nat.c Sat Jun 25 14:14:55 2016 (r302199) @@ -133,8 +133,6 @@ static const char rcsid[] = "@(#)$FreeBS #define NBUMPSIDEDF(y,x)do { softn->ipf_nat_stats.ns_side[y].x++; \ DT1(x, fr_info_t *, fin); } while (0) -frentry_t ipfnatblock; - static ipftuneable_t ipf_nat_tuneables[] = { /* nat */ { { (void *)offsetof(ipf_nat_softc_t, ipf_nat_lock) }, 
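Review bot: ipf_event_reg still registers ipf_ifevent for if_clone_event, but the handler now dereferences its second argument as a struct ifnet to read `if_vnet`; in FreeBSD's if_clone.h the if_clone_event handler receives a `struct if_clone *`, so if that holds for this tree the clone callback sets curvnet from whatever sits at that offset inside an if_clone. Either leave the if_clone_event registration out until the clone path is handled, or give it its own `static void ipf_cloneevent(void *arg, struct if_clone *ifc)` that calls ipf_sync under the vnet the cloner is already running in without touching its argument. The ifnet_arrival_event and ifnet_departure_event registrations do match the new signature.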
@@ -275,9 +273,6 @@ static void ipf_nat_tabmove __P((ipf_nat int ipf_nat_main_load() { - bzero((char *)&ipfnatblock, sizeof(ipfnatblock)); - ipfnatblock.fr_flags = FR_BLOCK|FR_QUICK; - ipfnatblock.fr_ref = 1; return 0; } Modified: projects/vnet/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c ============================================================================== --- projects/vnet/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c Sat Jun 25 12:54:27 2016 (r302198) +++ projects/vnet/sys/contrib/ipfilter/netinet/ip_rpcb_pxy.c Sat Jun 25 14:14:55 2016 (r302199) @@ -80,7 +80,9 @@ static void ipf_p_rpcb_fixlen __P((f */ static frentry_t rpcbfr; /* Skeleton rule for reference by entities this proxy creates. */ -static int rpcbcnt; /* Upper bound of allocated RPCB sessions. */ +static VNET_DEFINE(int, rpcbcnt); +#define V_rpcbcnt VNET(rpcbcnt) + /* Upper bound of allocated RPCB sessions. */ /* XXX rpcbcnt still requires locking. */ static int rpcb_proxy_init = 0; @@ -107,7 +109,7 @@ static int rpcb_proxy_init = 0; void ipf_p_rpcb_main_load() { - rpcbcnt = 0; + V_rpcbcnt = 0; bzero((char *)&rpcbfr, sizeof(rpcbfr)); rpcbfr.fr_ref = 1; @@ -581,7 +583,7 @@ ipf_p_rpcb_insert(rs, rx) return(0); } - if (rpcbcnt == RPCB_MAXREQS) + if (V_rpcbcnt == RPCB_MAXREQS) return(-1); KMALLOC(rxp, rpcb_xact_t *); @@ -599,7 +601,7 @@ ipf_p_rpcb_insert(rs, rx) rxp->rx_ref = 1; - ++rpcbcnt; + ++V_rpcbcnt; return(0); } @@ -1084,7 +1086,7 @@ ipf_p_rpcb_deref(rs, rx) KFREE(rx); - --rpcbcnt; + --V_rpcbcnt; } /* -------------------------------------------------------------------- */ Modified: projects/vnet/sys/contrib/ipfilter/netinet/ip_rules.c ============================================================================== --- projects/vnet/sys/contrib/ipfilter/netinet/ip_rules.c Sat Jun 25 12:54:27 2016 (r302198) +++ projects/vnet/sys/contrib/ipfilter/netinet/ip_rules.c Sat Jun 25 14:14:55 2016 (r302199) 
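Review bot: In the ip_rpcb_pxy.c hunk the `/* Upper bound of allocated RPCB sessions. */` comment now sits on a line of its own after `#define V_rpcbcnt` and no longer documents the counter it described; attach it to the declaration and say what changed, e.g. `static VNET_DEFINE(int, rpcbcnt); /* per-vnet count of RPCB sessions, capped at RPCB_MAXREQS */`. Worth noting there as well: the `RPCB_MAXREQS` check in ipf_p_rpcb_insert is now applied per vnet, so the total number of KMALLOC'd rpcb_xact_t records grows with the number of vnets, and the retained `XXX rpcbcnt still requires locking` caveat applies to every copy.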
@@ -51,7 +51,8 @@ #ifdef IPFILTER_COMPILED -extern ipf_main_softc_t ipfmain; +VNET_DECLARE(ipf_main_softc_t, ipfmain); +#define V_ipfmain VNET(ipfmain) static u_long in_rule__0[] = { @@ -129,8 +130,8 @@ int ipfrule_add_out_() fp->fr_dsize = sizeof(ipf_rules_out_[0]); fp->fr_family = AF_INET; fp->fr_func = (ipfunc_t)ipfrule_match_out_; - err = frrequest(&ipfmain, IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, - ipfmain.ipf_active, 0); + err = frrequest(&V_ipfmain, IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, + V_ipfmain.ipf_active, 0); return err; } @@ -156,9 +157,9 @@ int ipfrule_remove_out_() } } if (err == 0) - err = frrequest(&ipfmain, IPL_LOGIPF, SIOCDELFR, + err = frrequest(&V_ipfmain, IPL_LOGIPF, SIOCDELFR, (caddr_t)&ipfrule_out_, - ipfmain.ipf_active, 0); + V_ipfmain.ipf_active, 0); if (err) return err; @@ -198,8 +199,8 @@ int ipfrule_add_in_() fp->fr_dsize = sizeof(ipf_rules_in_[0]); fp->fr_family = AF_INET; fp->fr_func = (ipfunc_t)ipfrule_match_in_; - err = frrequest(&ipfmain, IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, - ipfmain.ipf_active, 0); + err = frrequest(&V_ipfmain, IPL_LOGIPF, SIOCADDFR, (caddr_t)fp, + V_ipfmain.ipf_active, 0); return err; } @@ -225,9 +226,9 @@ int ipfrule_remove_in_() } } if (err == 0) - err = frrequest(&ipfmain, IPL_LOGIPF, SIOCDELFR, + err = frrequest(&V_ipfmain, IPL_LOGIPF, SIOCDELFR, (caddr_t)&ipfrule_in_, - ipfmain.ipf_active, 0); + V_ipfmain.ipf_active, 0); if (err) return err; Modified: projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c ============================================================================== --- projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c Sat Jun 25 12:54:27 2016 (r302198) +++ projects/vnet/sys/contrib/ipfilter/netinet/mlfk_ipl.c Sat Jun 25 14:14:55 2016 (r302199) @@ -18,6 +18,7 @@ #include <sys/select.h> #if __FreeBSD_version >= 500000 # include <sys/selinfo.h> +# include <sys/jail.h> #endif #include <net/if.h> #include <netinet/in_systm.h> 
@@ -33,7 +34,8 @@ #include "netinet/ip_frag.h" #include "netinet/ip_sync.h" -extern ipf_main_softc_t ipfmain; +VNET_DECLARE(ipf_main_softc_t, ipfmain); +#define V_ipfmain VNET(ipfmain) #if __FreeBSD_version >= 502116 static struct cdev *ipf_devs[IPL_LOGSIZE]; 
@@ -70,40 +72,41 @@ static int ipfwrite __P((dev_t, struct u SYSCTL_DECL(_net_inet); #define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \ - SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \ - ptr, val, sysctl_ipf_int, "I", descr); + SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|CTLFLAG_VNET|access, \ + ptr, val, sysctl_ipf_int, "I", descr) #define SYSCTL_DYN_IPF(parent, nbr, name, access,ptr, val, descr) \ - SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \ - CTLFLAG_DYN|CTLTYPE_INT|access, ptr, val, sysctl_ipf_int, "I", descr) -static struct sysctl_ctx_list ipf_clist; + SYSCTL_ADD_OID(&V_ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \ + CTLFLAG_DYN|CTLTYPE_INT|CTLFLAG_VNET|access, ptr, val, sysctl_ipf_int, "I", descr) +static VNET_DEFINE(struct sysctl_ctx_list, ipf_clist); +#define V_ipf_clist VNET(ipf_clist) #define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */ #define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF) SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF"); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipfmain.ipf_flags, 0, "IPF flags"); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipfmain.ipf_pass, 0, "default pass/block"); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipfmain.ipf_active, 0, "IPF is active"); +SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_flags), 0, "IPF flags"); +SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_pass), 0, "default pass/block"); +SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &VNET_NAME(ipfmain.ipf_active), 0, "IPF is active"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO, - &ipfmain.ipf_tcpidletimeout, 0, "TCP idle timeout in seconds"); + &VNET_NAME(ipfmain.ipf_tcpidletimeout), 0, "TCP idle timeout in seconds"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO, - &ipfmain.ipf_tcphalfclosed, 0, "timeout for half 
closed TCP sessions"); + &VNET_NAME(ipfmain.ipf_tcphalfclosed), 0, "timeout for half closed TCP sessions"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO, - &ipfmain.ipf_tcpclosewait, 0, "timeout for TCP sessions in closewait status"); + &VNET_NAME(ipfmain.ipf_tcpclosewait), 0, "timeout for TCP sessions in closewait status"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO, - &ipfmain.ipf_tcplastack, 0, "timeout for TCP sessions in last ack status"); + &VNET_NAME(ipfmain.ipf_tcplastack), 0, "timeout for TCP sessions in last ack status"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO, - &ipfmain.ipf_tcptimeout, 0, ""); + &VNET_NAME(ipfmain.ipf_tcptimeout), 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO, - &ipfmain.ipf_tcpclosed, 0, ""); + &VNET_NAME(ipfmain.ipf_tcpclosed), 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO, - &ipfmain.ipf_udptimeout, 0, "UDP timeout"); + &VNET_NAME(ipfmain.ipf_udptimeout), 0, "UDP timeout"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO, - &ipfmain.ipf_udpacktimeout, 0, ""); + &VNET_NAME(ipfmain.ipf_udpacktimeout), 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO, - &ipfmain.ipf_icmptimeout, 0, "ICMP timeout"); + &VNET_NAME(ipfmain.ipf_icmptimeout), 0, "ICMP timeout"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, - &ipfmain.ipf_running, 0, "IPF is running"); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &ipfmain.ipf_chksrc, 0, ""); -SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &ipfmain.ipf_minttl, 0, ""); + &VNET_NAME(ipfmain.ipf_running), 0, "IPF is running"); +SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_chksrc), 0, ""); +SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_minttl), 0, ""); #define CDEV_MAJOR 79 #include <sys/poll.h> 
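Review bot: SYSCTL_DYN_IPF now ORs in CTLFLAG_VNET, but its callers in ipf_fbsd_sysctl_create pass absolute pointers into a heap-allocated softc (`&nat_softc->ipf_nat_defage`), not `VNET_NAME()` symbols; if the sysctl core rebases a CTLFLAG_VNET arg1 against the current vnet's data base, which is what makes the `&VNET_NAME(ipfmain.…)` static OIDs in this hunk work, then sysctl_ipf_int is handed a wild pointer for every dynamic OID, and the CTLFLAG_RWO ones let a user permitted to write CTLFLAG_VNET sysctls (vnet jail root included) store an int through it. Either drop CTLFLAG_VNET from SYSCTL_DYN_IPF, or register `offsetof(ipf_nat_softc_t, ipf_nat_defage)` and have a small per-softc handler add `V_ipfmain.ipf_nat_soft` before delegating to sysctl_ipf_int. The static CTLFLAG_VNET OIDs themselves look right; the removal of the stray `;` from SYSCTL_IPF is a good catch.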
@@ -178,28 +181,63 @@ ipfilter_modevent(module_t mod, int type } +static void +vnet_ipf_init(void) +{ + char *defpass; + int error; + + if (ipf_create_all(&V_ipfmain) == NULL) + return; + + if (ipf_fbsd_sysctl_create(&V_ipfmain) != 0) { + ipf_destroy_all(&V_ipfmain); + return; + } + + error = ipfattach(&V_ipfmain); + if (error) { + (void)ipf_fbsd_sysctl_destroy(&V_ipfmain); + ipf_destroy_all(&V_ipfmain); + return; + } + + if (FR_ISPASS(V_ipfmain.ipf_pass)) + defpass = "pass"; + else if (FR_ISBLOCK(V_ipfmain.ipf_pass)) + defpass = "block"; + else + defpass = "no-match -> block"; + + if (IS_DEFAULT_VNET(curvnet)) + printf("%s initialized. Default = %s all, Logging = %s%s\n", + ipfilter_version, defpass, +#ifdef IPFILTER_LOG + "enabled", +#else + "disabled", +#endif +#ifdef IPFILTER_COMPILED + " (COMPILED)" +#else + "" +#endif + ); +} +VNET_SYSINIT(vnet_ipf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD, + vnet_ipf_init, NULL); + static int ipf_modload() { - char *defpass, *c, *str; + char *c, *str; int i, j, error; if (ipf_load_all() != 0) return EIO; - if (ipf_create_all(&ipfmain) == NULL) - return EIO; - - if (ipf_fbsd_sysctl_create(&ipfmain) != 0) - return EIO; - - error = ipfattach(&ipfmain); - if (error) - return error; - for (i = 0; i < IPL_LOGSIZE; i++) ipf_devs[i] = NULL; - for (i = 0; (str = ipf_devfiles[i]); i++) { c = NULL; for(j = strlen(str); j > 0; j--) 
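Review bot: vnet_ipf_init creates the softc, sysctls and ipfattach state for each vnet but never hooks that vnet into pfil; ipf_pfil_hook appears to stay in the module-level ipf_modload (outside this hunk, its counterpart ipf_pfil_unhook is still called from ipf_modunload), and if pfil heads are per vnet as on the VIMAGE kernels I know, a vnet jail ends up with an ipfilter whose `fr_running` reads 1 and whose rules are never consulted for its traffic. Add `error = ipf_pfil_hook();` after a successful ipfattach (undoing ipfattach if it fails) and the matching unhook in vnet_ipf_uninit. Separately, the three early `return`s here leave the vnet without ipfilter and without a word in the log; at minimum `printf("%s: vnet initialisation failed\n", ipfilter_version);` on those paths, since the only later symptom is EIO from ipfioctl.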
@@ -217,63 +255,50 @@ ipf_modload() return error; ipf_event_reg(); - if (FR_ISPASS(ipfmain.ipf_pass)) - defpass = "pass"; - else if (FR_ISBLOCK(ipfmain.ipf_pass)) - defpass = "block"; - else - defpass = "no-match -> block"; - - printf("%s initialized. Default = %s all, Logging = %s%s\n", - ipfilter_version, defpass, -#ifdef IPFILTER_LOG - "enabled", -#else - "disabled", -#endif -#ifdef IPFILTER_COMPILED - " (COMPILED)" -#else - "" -#endif - ); return 0; } +static void +vnet_ipf_uninit(void) +{ + + if (V_ipfmain.ipf_refcnt) + return; + + if (ipf_fbsd_sysctl_destroy(&V_ipfmain) != 0) + return; + + if (V_ipfmain.ipf_running >= 0) { + if (ipfdetach(&V_ipfmain) != 0) + return; + + ipf_fbsd_sysctl_destroy(&V_ipfmain); + ipf_destroy_all(&V_ipfmain); + } + + V_ipfmain.ipf_running = -2; +} +VNET_SYSUNINIT(vnet_ipf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD, + vnet_ipf_uninit, NULL); static int ipf_modunload() { int error, i; - if (ipfmain.ipf_refcnt) - return EBUSY; - - if (ipf_fbsd_sysctl_destroy(&ipfmain) != 0) - return EIO; + ipf_event_dereg(); error = ipf_pfil_unhook(); if (error != 0) return error; - if (ipfmain.ipf_running >= 0) { - error = ipfdetach(&ipfmain); - if (error != 0) - return error; - - ipf_fbsd_sysctl_destroy(&ipfmain); - ipf_destroy_all(&ipfmain); - ipf_unload_all(); - } else - error = 0; - - ipfmain.ipf_running = -2; - for (i = 0; ipf_devfiles[i]; i++) { if (ipf_devs[i] != NULL) destroy_dev(ipf_devs[i]); } + ipf_unload_all(); + printf("%s unloaded\n", ipfilter_version); return error; @@ -287,7 +312,7 @@ static moduledata_t ipfiltermod = { }; -DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY); +DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND); #ifdef MODULE_VERSION MODULE_VERSION(ipfilter, 1); #endif 
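Review bot: vnet_ipf_uninit returns early on `ipf_refcnt` and on an ipfdetach failure, but a VNET_SYSUNINIT cannot veto the vnet's destruction, so those returns leave the softc, its sysctl context and its `ipf_slow_ch` callout allocated while the vnet data they hang off is freed, and the callout that ipfdetach would have drained keeps running against it. The function also calls ipf_fbsd_sysctl_destroy twice when `ipf_running >= 0`, and ipf_modunload has lost the `EBUSY` it used to return while /dev/ipl* was still open, so kldunload now proceeds regardless. Tear the vnet down unconditionally, reporting rather than returning on errors, and put an `ipf_refcnt` check back into ipf_modunload (at least for the default vnet); how ipfdetach can fail is outside this diff, so if it has failure modes other than held references that path wants its own handling. ipf_modload begins outside the hunk.
```c
static void
vnet_ipf_uninit(void)
{

	/*
	 * A VNET_SYSUNINIT cannot refuse the teardown: report leftover
	 * references instead of returning with the softc still allocated.
	 */
	if (V_ipfmain.ipf_refcnt)
		printf("%s: vnet teardown with open references\n",
		    ipfilter_version);

	if (V_ipfmain.ipf_running >= 0) {
		if (ipf_fbsd_sysctl_destroy(&V_ipfmain) != 0)
			printf("%s: sysctl teardown failed\n", ipfilter_version);
		if (ipfdetach(&V_ipfmain) != 0)
			printf("%s: ipfdetach failed\n", ipfilter_version);
		ipf_destroy_all(&V_ipfmain);
	}

	V_ipfmain.ipf_running = -2;
}
```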
@@ -310,7 +335,7 @@ sysctl_ipf_int ( SYSCTL_HANDLER_ARGS ) if (!arg1) error = EPERM; else { - if ((oidp->oid_kind & CTLFLAG_OFF) && (ipfmain.ipf_running > 0)) + if ((oidp->oid_kind & CTLFLAG_OFF) && (V_ipfmain.ipf_running > 0)) error = EBUSY; else error = SYSCTL_IN(req, arg1, sizeof(int)); @@ -335,24 +360,25 @@ ipfpoll(dev_t dev, int events, struct pr revents = 0; + CURVNET_SET(TD_TO_VNET(td)); switch (unit) { case IPL_LOGIPF : case IPL_LOGNAT : case IPL_LOGSTATE : #ifdef IPFILTER_LOG - if ((events & (POLLIN | POLLRDNORM)) && ipf_log_canread(&ipfmain, unit)) + if ((events & (POLLIN | POLLRDNORM)) && ipf_log_canread(&V_ipfmain, unit)) revents |= events & (POLLIN | POLLRDNORM); #endif break; case IPL_LOGAUTH : - if ((events & (POLLIN | POLLRDNORM)) && ipf_auth_waiting(&ipfmain)) + if ((events & (POLLIN | POLLRDNORM)) && ipf_auth_waiting(&V_ipfmain)) revents |= events & (POLLIN | POLLRDNORM); break; case IPL_LOGSYNC : - if ((events & (POLLIN | POLLRDNORM)) && ipf_sync_canread(&ipfmain)) + if ((events & (POLLIN | POLLRDNORM)) && ipf_sync_canread(&V_ipfmain)) revents |= events & (POLLIN | POLLRDNORM); - if ((events & (POLLOUT | POLLWRNORM)) && ipf_sync_canwrite(&ipfmain)) + if ((events & (POLLOUT | POLLWRNORM)) && ipf_sync_canwrite(&V_ipfmain)) revents |= events & (POLLOUT | POLLWRNORM); break; case IPL_LOGSCAN : @@ -362,7 +388,8 @@ ipfpoll(dev_t dev, int events, struct pr } if ((revents == 0) && ((events & (POLLIN|POLLRDNORM)) != 0)) - selrecord(td, &ipfmain.ipf_selwait[unit]); + selrecord(td, &V_ipfmain.ipf_selwait[unit]); + CURVNET_RESTORE(); return revents; } 
@@ -465,22 +492,31 @@ static int ipfread(dev, uio) #endif struct uio *uio; { + int error; int unit = GET_MINOR(dev); if (unit < 0) return ENXIO; - if (ipfmain.ipf_running < 1) + CURVNET_SET(CRED_TO_VNET(dev->si_cred)); + if (V_ipfmain.ipf_running < 1) { + CURVNET_RESTORE(); return EIO; + } - if (unit == IPL_LOGSYNC) - return ipf_sync_read(&ipfmain, uio); + if (unit == IPL_LOGSYNC) { + error = ipf_sync_read(&V_ipfmain, uio); + CURVNET_RESTORE(); + return error; + } #ifdef IPFILTER_LOG - return ipf_log_read(&ipfmain, unit, uio); + error = ipf_log_read(&V_ipfmain, unit, uio); #else - return ENXIO; + error = ENXIO; #endif + CURVNET_RESTORE(); + return error; } @@ -503,12 +539,19 @@ static int ipfwrite(dev, uio) #endif struct uio *uio; { + int error; - if (ipfmain.ipf_running < 1) + CURVNET_SET(CRED_TO_VNET(dev->si_cred)); + if (V_ipfmain.ipf_running < 1) { + CURVNET_RESTORE(); return EIO; + } - if (GET_MINOR(dev) == IPL_LOGSYNC) - return ipf_sync_write(&ipfmain, uio); + if (GET_MINOR(dev) == IPL_LOGSYNC) { + error = ipf_sync_write(&V_ipfmain, uio); + CURVNET_RESTORE(); + return error; + } return ENXIO; } @@ -526,7 +569,7 @@ ipf_fbsd_sysctl_create(main_softc) auth_softc = main_softc->ipf_auth_soft; frag_softc = main_softc->ipf_frag_soft; - sysctl_ctx_init(&ipf_clist); + sysctl_ctx_init(&V_ipf_clist); SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defnatage", CTLFLAG_RWO, &nat_softc->ipf_nat_defage, 0, ""); @@ -559,7 +602,7 @@ static int ipf_fbsd_sysctl_destroy(main_softc) ipf_main_softc_t *main_softc; { - if (sysctl_ctx_free(&ipf_clist)) { + if (sysctl_ctx_free(&V_ipf_clist)) { printf("sysctl_ctx_free failed"); return(ENOTEMPTY); }
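Review bot: ipfread and ipfwrite select the vnet from `dev->si_cred`, whereas ipfioctl and ipfpoll use the calling thread's vnet; the cdev nodes are created once in ipf_modload, so si_cred, if it is set at all, is the base system's credential, and a vnet jail given /dev/ipl or /dev/ipsync would read the host's log and write sync records into the host's tables rather than its own. If the nodes come from plain make_dev, si_cred is moreover NULL and `CRED_TO_VNET(dev->si_cred)` faults on the first read. Use the same selector as the other entry points, `CURVNET_SET(TD_TO_VNET(curthread));` (or `uio->uio_td`), in both functions; the signatures of ipfread and ipfwrite lie outside their hunks.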
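Review bot: ipf_fbsd_sysctl_create now runs once per vnet from vnet_ipf_init, but each call registers the same leaf names (`fr_defnatage` and the rest) under the single static `_net_inet_ipf` node with a fresh per-vnet context; the sysctl tree is not virtualised, so if SYSCTL_ADD_OID refuses a duplicate leaf, as sysctl_add_oid does on the kernels I know, the second vnet's registration fails and vnet_ipf_init then tears that vnet's ipfilter down without a message. Create the dynamic OIDs once at module load, like the static ones, with a handler that resolves the current vnet's softc at access time instead of baking `nat_softc` pointers into per-vnet OIDs, and keep `V_ipf_clist` only if something per-vnet really remains to be registered. ipf_fbsd_sysctl_create begins outside the hunk.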