Date:      Sun, 18 Nov 2018 11:55:58 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r340566 - in stable/11/sys: net netpfil/pf
Message-ID:  <201811181155.wAIBtw3q042997@repo.freebsd.org>

Author: kp
Date: Sun Nov 18 11:55:58 2018
New Revision: 340566
URL: https://svnweb.freebsd.org/changeset/base/340566

Log:
  MFC r340065:
  
  pfsync: Make pfsync callbacks per-vnet
  
  The callbacks are installed and removed depending on the state of the
  pfsync device, which is per-vnet. The callbacks must also be per-vnet.
  
  Sponsored by:	Orange Business Services

Modified:
  stable/11/sys/net/pfvar.h
  stable/11/sys/netpfil/pf/if_pfsync.c
  stable/11/sys/netpfil/pf/pf.c
  stable/11/sys/netpfil/pf/pf_ioctl.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/net/pfvar.h
==============================================================================
--- stable/11/sys/net/pfvar.h	Sun Nov 18 11:55:56 2018	(r340565)
+++ stable/11/sys/net/pfvar.h	Sun Nov 18 11:55:58 2018	(r340566)
@@ -821,12 +821,18 @@ typedef	void		pfsync_delete_state_t(struct pf_state *)
 typedef void		pfsync_clear_states_t(u_int32_t, const char *);
 typedef int		pfsync_defer_t(struct pf_state *, struct mbuf *);
 
-extern pfsync_state_import_t	*pfsync_state_import_ptr;
-extern pfsync_insert_state_t	*pfsync_insert_state_ptr;
-extern pfsync_update_state_t	*pfsync_update_state_ptr;
-extern pfsync_delete_state_t	*pfsync_delete_state_ptr;
-extern pfsync_clear_states_t	*pfsync_clear_states_ptr;
-extern pfsync_defer_t		*pfsync_defer_ptr;
+VNET_DECLARE(pfsync_state_import_t *, pfsync_state_import_ptr);
+#define V_pfsync_state_import_ptr	VNET(pfsync_state_import_ptr)
+VNET_DECLARE(pfsync_insert_state_t *, pfsync_insert_state_ptr);
+#define V_pfsync_insert_state_ptr	VNET(pfsync_insert_state_ptr)
+VNET_DECLARE(pfsync_update_state_t *, pfsync_update_state_ptr);
+#define V_pfsync_update_state_ptr	VNET(pfsync_update_state_ptr)
+VNET_DECLARE(pfsync_delete_state_t *, pfsync_delete_state_ptr);
+#define V_pfsync_delete_state_ptr	VNET(pfsync_delete_state_ptr)
+VNET_DECLARE(pfsync_clear_states_t *, pfsync_clear_states_ptr);
+#define V_pfsync_clear_states_ptr	VNET(pfsync_clear_states_ptr)
+VNET_DECLARE(pfsync_defer_t *, pfsync_defer_ptr);
+#define V_pfsync_defer_ptr		VNET(pfsync_defer_ptr)
 
 void			pfsync_state_export(struct pfsync_state *,
 			    struct pf_state *);

Modified: stable/11/sys/netpfil/pf/if_pfsync.c
==============================================================================
--- stable/11/sys/netpfil/pf/if_pfsync.c	Sun Nov 18 11:55:56 2018	(r340565)
+++ stable/11/sys/netpfil/pf/if_pfsync.c	Sun Nov 18 11:55:58 2018	(r340566)
@@ -1360,10 +1360,10 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t dat
 		sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates;
 		if (pfsyncr.pfsyncr_defer) {
 			sc->sc_flags |= PFSYNCF_DEFER;
-			pfsync_defer_ptr = pfsync_defer;
+			V_pfsync_defer_ptr = pfsync_defer;
 		} else {
 			sc->sc_flags &= ~PFSYNCF_DEFER;
-			pfsync_defer_ptr = NULL;
+			V_pfsync_defer_ptr = NULL;
 		}
 
 		if (sifp == NULL) {
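Review bot: `V_pfsync_defer_ptr` is stored in both branches here with no `PF_RULES_WLOCK()` visible in the hunk, while pfsync_pointers_init() and pfsync_pointers_uninit() in this same file wrap the identical store in that lock. pfsyncioctl's body starts and continues outside the hunk, so a suitable lock may already be held. If it is not, bracket the two stores the same way, or add a comment naming the lock that serialises them against the reader in pf_test_rule, which tests the pointer and then calls through it.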
@@ -2309,12 +2309,12 @@ pfsync_pointers_init()
 {
 
 	PF_RULES_WLOCK();
-	pfsync_state_import_ptr = pfsync_state_import;
-	pfsync_insert_state_ptr = pfsync_insert_state;
-	pfsync_update_state_ptr = pfsync_update_state;
-	pfsync_delete_state_ptr = pfsync_delete_state;
-	pfsync_clear_states_ptr = pfsync_clear_states;
-	pfsync_defer_ptr = pfsync_defer;
+	V_pfsync_state_import_ptr = pfsync_state_import;
+	V_pfsync_insert_state_ptr = pfsync_insert_state;
+	V_pfsync_update_state_ptr = pfsync_update_state;
+	V_pfsync_delete_state_ptr = pfsync_delete_state;
+	V_pfsync_clear_states_ptr = pfsync_clear_states;
+	V_pfsync_defer_ptr = pfsync_defer;
 	PF_RULES_WUNLOCK();
 }
 
@@ -2323,12 +2323,12 @@ pfsync_pointers_uninit()
 {
 
 	PF_RULES_WLOCK();
-	pfsync_state_import_ptr = NULL;
-	pfsync_insert_state_ptr = NULL;
-	pfsync_update_state_ptr = NULL;
-	pfsync_delete_state_ptr = NULL;
-	pfsync_clear_states_ptr = NULL;
-	pfsync_defer_ptr = NULL;
+	V_pfsync_state_import_ptr = NULL;
+	V_pfsync_insert_state_ptr = NULL;
+	V_pfsync_update_state_ptr = NULL;
+	V_pfsync_delete_state_ptr = NULL;
+	V_pfsync_clear_states_ptr = NULL;
+	V_pfsync_defer_ptr = NULL;
 	PF_RULES_WUNLOCK();
 }
 
@@ -2345,6 +2345,8 @@ vnet_pfsync_init(const void *unused __unused)
 		if_clone_detach(V_pfsync_cloner);
 		log(LOG_INFO, "swi_add() failed in %s\n", __func__);
 	}
+
+	pfsync_pointers_init();
 }
 VNET_SYSINIT(vnet_pfsync_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY,
     vnet_pfsync_init, NULL);
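Review bot: `pfsync_pointers_init()` is added after the error block, so it also runs when swi_add() has failed and `if_clone_detach(V_pfsync_cloner)` has just undone the cloner for this vnet. That leaves all six callbacks installed in a vnet whose pfsync setup did not complete, and pf would call into them on state insert, update and delete. Adding `return;` after the `log(...)` line keeps the pointers NULL in that case. The start of vnet_pfsync_init is outside the hunk, so confirm that no earlier failure path has the same shape.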
@@ -2353,6 +2355,8 @@ static void
 vnet_pfsync_uninit(const void *unused __unused)
 {
 
+	pfsync_pointers_uninit();
+
 	if_clone_detach(V_pfsync_cloner);
 	swi_remove(V_pfsync_swi_cookie);
 }
@@ -2378,7 +2382,6 @@ pfsync_init()
 		return (error);
 	}
 #endif
-	pfsync_pointers_init();
 
 	return (0);
 }
@@ -2386,8 +2389,6 @@ pfsync_init()
 static void
 pfsync_uninit()
 {
-
-	pfsync_pointers_uninit();
 
 #ifdef INET
 	ipproto_unregister(IPPROTO_PFSYNC);

Modified: stable/11/sys/netpfil/pf/pf.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf.c	Sun Nov 18 11:55:56 2018	(r340565)
+++ stable/11/sys/netpfil/pf/pf.c	Sun Nov 18 11:55:58 2018	(r340566)
@@ -1259,8 +1259,8 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_k
 	refcount_init(&s->refs, 2);
 
 	counter_u64_add(V_pf_status.fcounters[FCNT_STATE_INSERT], 1);
-	if (pfsync_insert_state_ptr != NULL)
-		pfsync_insert_state_ptr(s);
+	if (V_pfsync_insert_state_ptr != NULL)
+		V_pfsync_insert_state_ptr(s);
 
 	/* Returns locked. */
 	return (0);
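Review bot: `V_pfsync_insert_state_ptr` is read twice, once for the NULL test and once for the call, and nothing in the hunk shows a lock that keeps pfsync_pointers_uninit() from clearing it in between. The full set of pointers used to be cleared only from pfsync_uninit(); they are now cleared from vnet_pfsync_uninit() on each vnet teardown, so the window is likely reached more often, and the result would be a call through a NULL function pointer in the kernel. Reading the pointer once into a local, `pfsync_insert_state_t *fn = V_pfsync_insert_state_ptr;` then `if (fn != NULL) fn(s);`, closes the NULL window, although the callee must still tolerate a pfsync instance that is being torn down. The same test-then-call shape appears in the pf_unlink_state, pf_test_rule, pf_test and pf_test6 hunks and in the DIOCCLRSTATES hunk of pf_ioctl.c; pf_state_insert's body starts outside this hunk, so a lock not visible here may already cover it.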
@@ -1662,8 +1662,8 @@ pf_unlink_state(struct pf_state *s, u_int flags)
 	LIST_REMOVE(s, entry);
 	pf_src_tree_remove_state(s);
 
-	if (pfsync_delete_state_ptr != NULL)
-		pfsync_delete_state_ptr(s);
+	if (V_pfsync_delete_state_ptr != NULL)
+		V_pfsync_delete_state_ptr(s);
 
 	STATE_DEC_COUNTERS(s);
 
@@ -3570,7 +3570,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm
 
 	if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) &&
 	    direction == PF_OUT &&
-	    pfsync_defer_ptr != NULL && pfsync_defer_ptr(*sm, m))
+	    V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m))
 		/*
 		 * We want the state created, but we dont
 		 * want to send this in case a partner
@@ -6012,8 +6012,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct
 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
 		    &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6041,8 +6041,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct
 		}
 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6064,8 +6064,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct
 		action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd,
 		    &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6087,8 +6087,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct
 	default:
 		action = pf_test_state_other(&s, dir, kif, m, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6451,8 +6451,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc
 		action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd,
 		    &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6480,8 +6480,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc
 		}
 		action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6510,8 +6510,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc
 		action = pf_test_state_icmp(&s, dir, kif,
 		    m, off, h, &pd, &reason);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
@@ -6524,8 +6524,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc
 	default:
 		action = pf_test_state_other(&s, dir, kif, m, &pd);
 		if (action == PF_PASS) {
-			if (pfsync_update_state_ptr != NULL)
-				pfsync_update_state_ptr(s);
+			if (V_pfsync_update_state_ptr != NULL)
+				V_pfsync_update_state_ptr(s);
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;

Modified: stable/11/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/11/sys/netpfil/pf/pf_ioctl.c	Sun Nov 18 11:55:56 2018	(r340565)
+++ stable/11/sys/netpfil/pf/pf_ioctl.c	Sun Nov 18 11:55:58 2018	(r340566)
@@ -204,12 +204,13 @@ struct rmlock			pf_rules_lock;
 struct sx			pf_ioctl_lock;
 
 /* pfsync */
-pfsync_state_import_t 		*pfsync_state_import_ptr = NULL;
-pfsync_insert_state_t		*pfsync_insert_state_ptr = NULL;
-pfsync_update_state_t		*pfsync_update_state_ptr = NULL;
-pfsync_delete_state_t		*pfsync_delete_state_ptr = NULL;
-pfsync_clear_states_t		*pfsync_clear_states_ptr = NULL;
-pfsync_defer_t			*pfsync_defer_ptr = NULL;
+VNET_DEFINE(pfsync_state_import_t *, pfsync_state_import_ptr);
+VNET_DEFINE(pfsync_insert_state_t *, pfsync_insert_state_ptr);
+VNET_DEFINE(pfsync_update_state_t *, pfsync_update_state_ptr);
+VNET_DEFINE(pfsync_delete_state_t *, pfsync_delete_state_ptr);
+VNET_DEFINE(pfsync_clear_states_t *, pfsync_clear_states_ptr);
+VNET_DEFINE(pfsync_defer_t *, pfsync_defer_ptr);
+
 /* pflog */
 pflog_packet_t			*pflog_packet_ptr = NULL;
 
@@ -1639,8 +1640,8 @@ relock_DIOCCLRSTATES:
 			PF_HASHROW_UNLOCK(ih);
 		}
 		psk->psk_killed = killed;
-		if (pfsync_clear_states_ptr != NULL)
-			pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname);
+		if (V_pfsync_clear_states_ptr != NULL)
+			V_pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname);
 		break;
 	}
 
@@ -1727,9 +1728,9 @@ relock_DIOCKILLSTATES:
 			error = EINVAL;
 			break;
 		}
-		if (pfsync_state_import_ptr != NULL) {
+		if (V_pfsync_state_import_ptr != NULL) {
 			PF_RULES_RLOCK();
-			error = pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL);
+			error = V_pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL);
 			PF_RULES_RUNLOCK();
 		} else
 			error = EOPNOTSUPP;
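Review bot: The NULL test on `V_pfsync_state_import_ptr` happens before `PF_RULES_RLOCK()` is taken, but pfsync_pointers_uninit() clears the pointer under `PF_RULES_WLOCK()`, so the pointer can become NULL between the test and the call two lines later. Taking the read lock first makes the test and the call see the same value: move `PF_RULES_RLOCK();` above the `if` and `PF_RULES_RUNLOCK();` below the `else` branch. The enclosing ioctl case starts and ends outside the hunk, so check whether another lock held there already excludes vnet teardown.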


