From owner-svn-src-user@FreeBSD.ORG Sat Dec 26 02:36:49 2009 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4064E1065672; Sat, 26 Dec 2009 02:36:49 +0000 (UTC) (envelope-from luigi@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 2EAE98FC1D; Sat, 26 Dec 2009 02:36:49 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id nBQ2anhk078402; Sat, 26 Dec 2009 02:36:49 GMT (envelope-from luigi@svn.freebsd.org) Received: (from luigi@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id nBQ2amC6078392; Sat, 26 Dec 2009 02:36:48 GMT (envelope-from luigi@svn.freebsd.org) Message-Id: <200912260236.nBQ2amC6078392@svn.freebsd.org> 
From: Luigi Rizzo Date: Sat, 26 Dec 2009 02:36:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r201011 - in user/luigi/ipfw3-head/sys: net netgraph netinet netinet/ipfw X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Dec 2009 02:36:49 -0000 Author: luigi Date: Sat Dec 26 02:36:48 2009 New Revision: 201011 URL: http://svn.freebsd.org/changeset/base/201011 Log: Preparation work to simplify the code used for reinject and ipfilter: - move most of ng_ipfw.h into ip_fw_private.h, as this code is ipfw-specific. This removes a dependency on ng_ipfw.h from some files. - move many equivalent definitions of direction (IN, OUT) for reinjected packets into ip_fw_private.h - document the structure of the packet tags used for dummynet and netgraph; Modified: user/luigi/ipfw3-head/sys/net/if_bridge.c user/luigi/ipfw3-head/sys/net/if_ethersubr.c user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c Modified: user/luigi/ipfw3-head/sys/net/if_bridge.c ============================================================================== --- user/luigi/ipfw3-head/sys/net/if_bridge.c Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/net/if_bridge.c Sat Dec 26 02:36:48 2009 (r201011) 
@@ -3085,7 +3085,7 @@ bridge_pfil(struct mbuf **mp, struct ifn * packet will return to us via bridge_dummynet(). */ args.oif = ifp; - ip_dn_io_ptr(mp, DN_TO_IFB_FWD, &args); + ip_dn_io_ptr(mp, DIR_FWD | PROTO_IFB, &args); return (error); } Modified: user/luigi/ipfw3-head/sys/net/if_ethersubr.c ============================================================================== --- user/luigi/ipfw3-head/sys/net/if_ethersubr.c Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/net/if_ethersubr.c Sat Dec 26 02:36:48 2009 (r201011) @@ -535,6 +535,7 @@ ether_ipfw_chk(struct mbuf **m0, struct return 1; if (ip_dn_io_ptr && (i == IP_FW_DUMMYNET)) { + int dir; /* * Pass the pkt to dummynet, which consumes it. * If shared, make a copy and keep the original. @@ -550,7 +551,8 @@ ether_ipfw_chk(struct mbuf **m0, struct */ *m0 = NULL ; } - ip_dn_io_ptr(&m, dst ? DN_TO_ETH_OUT: DN_TO_ETH_DEMUX, &args); + dir = PROTO_LAYER2 | (dst ? DIR_OUT : DIR_IN); + ip_dn_io_ptr(&m, dir, &args); return 0; } /* Modified: user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c ============================================================================== --- user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.c Sat Dec 26 02:36:48 2009 (r201011) @@ -234,7 +234,7 @@ ng_ipfw_rcvdata(hook_p hook, item_p item }; switch (ngit->dir) { - case NG_IPFW_OUT: + case DIR_OUT: { struct ip *ip; @@ -249,7 +249,7 @@ ng_ipfw_rcvdata(hook_p hook, item_p item return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); } - case NG_IPFW_IN: + case DIR_IN: ip_input(m); return (0); default: 
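Review bot: The new `DIR_FWD | PROTO_IFB` argument in bridge_pfil comes from netinet/ipfw/ip_fw_private.h, a header the commit log describes as ipfw-private, yet sys/net/if_bridge.c here and sys/net/if_ethersubr.c in the next hunks now depend on it without gaining an include in this diff, so either they already pull it in or the build relies on an indirect include — worth confirming. If ip_fw_private.h is meant to stay private, the DIR_*/PROTO_* values accepted by `ip_dn_io_ptr` belong in the public ip_dummynet.h next to `struct dn_pkt_tag`, whose `dn_dir` field carries them. bridge_pfil starts before this hunk.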
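Review bot: In ng_ipfw_rcvdata the switch now matches `ngit->dir` against the bare values `DIR_OUT` and `DIR_IN`, but the new encoding in ip_fw_private.h packs protocol bits above the two direction bits (`DIR_MASK`), so a tag whose `dir` carries any `PROTO_*` flag would fall into the default case. Today the visible callers in ip_fw_pfil.c pass plain `DIR_IN`/`DIR_OUT`, so this is latent rather than broken; switching on `ngit->dir & DIR_MASK` keeps the dispatch correct if that changes. The same applies to the `KASSERT(ng_tag->dir == DIR_IN, ...)` and `== DIR_OUT` checks in the ipfw_check_in and ipfw_check_out hunks of ip_fw_pfil.c, which could compare `(ng_tag->dir & DIR_MASK)` instead. ng_ipfw_rcvdata starts before this hunk and continues after it.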
@@ -298,7 +298,7 @@ ng_ipfw_input(struct mbuf **m0, int dir, ngit->rule_id = fwa->rule_id; ngit->chain_id = fwa->chain_id; ngit->dir = dir; - ngit->ifp = fwa->oif; +// ngit->ifp = fwa->oif; /* XXX do we use it ? */ m_tag_prepend(m, &ngit->mt); } else Modified: user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h ============================================================================== --- user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/netgraph/ng_ipfw.h Sat Dec 26 02:36:48 2009 (r201011) @@ -26,27 +26,7 @@ * $FreeBSD$ */ +#ifndef _NG_IPFW_H +#define _NG_IPFW_H #define NG_IPFW_NODE_TYPE "ipfw" -#define NGM_IPFW_COOKIE 1105988990 - -#ifdef _KERNEL - -typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int); -extern ng_ipfw_input_t *ng_ipfw_input_p; -#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL) - -struct ng_ipfw_tag { - struct m_tag mt; /* tag header */ - uint32_t slot; /* slot for next rule */ - uint32_t rulenum; /* matching rule number */ - uint32_t rule_id; /* matching rule id */ - uint32_t chain_id; /* ruleset id */ - struct ifnet *ifp; /* interface, for ip_output */ - int dir; -#define NG_IPFW_OUT 0 -#define NG_IPFW_IN 1 -}; - -#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag)) - -#endif /* _KERNEL */ +#endif /* _NG_IPFW_H */ Modified: user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/netinet/ip_dummynet.h Sat Dec 26 02:36:48 2009 (r201011) 
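Review bot: `// ngit->ifp = fwa->oif; /* XXX do we use it ? */` leaves commented-out code, in `//` style, in a file that otherwise uses `/* */`; the matching `// struct ifnet *ifp;` member in the `struct ng_ipfw_tag` hunk of ip_fw_private.h does the same. The only consumer of the tag visible in this diff, the `DIR_OUT` case of ng_ipfw_rcvdata, calls `ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL)` without the interface, so deleting both the assignment and the field outright looks safe; if some other reader of `ifp` exists outside the diff, keep both instead of leaving them half-removed. ng_ipfw_input starts before this hunk.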
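Review bot: `NGM_IPFW_COOKIE` was defined in ng_ipfw.h outside the `#ifdef _KERNEL` block, so it was reachable from userland; after this change it exists only in ip_fw_private.h, inside that header's `_KERNEL` section (its closing `#endif /* _KERNEL */` is visible in the ip_fw_private.h hunk). Any userland control-message code that relied on the cookie no longer compiles against this header; either keep `#define NGM_IPFW_COOKIE 1105988990` here next to `NG_IPFW_NODE_TYPE` and let ip_fw_private.h include ng_ipfw.h, or confirm there are no userland users. The new `_NG_IPFW_H` guard would also benefit from a one-line header comment such as `/* public netgraph node name; the kernel-only tag layout lives in netinet/ipfw/ip_fw_private.h */`.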
@@ -110,21 +110,19 @@ struct dn_heap { * them that carries their dummynet state. This is used within * the dummynet code as well as outside when checking for special * processing requirements. + * Note that the first part is the reinject info and is common to + * other forms of packet reinjection. */ struct dn_pkt_tag { + /* first part, reinject info */ uint32_t slot; /* slot of next rule to use */ uint32_t rulenum; /* matching rule number */ uint32_t rule_id; /* matching rule id */ uint32_t chain_id; /* ruleset id */ + + /* second part, dummynet specific */ int dn_dir; /* action when packet comes out. */ -#define DN_TO_IP_OUT 1 -#define DN_TO_IP_IN 2 -/* Obsolete: #define DN_TO_BDG_FWD 3 */ -#define DN_TO_ETH_DEMUX 4 -#define DN_TO_ETH_OUT 5 -#define DN_TO_IP6_IN 6 -#define DN_TO_IP6_OUT 7 -#define DN_TO_IFB_FWD 8 + /* see ip_fw_private.h */ dn_key output_time; /* when the pkt is due for delivery */ struct ifnet *ifp; /* interface, for ip_output */ Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_dummynet.c Sat Dec 26 02:36:48 2009 (r201011) @@ -986,10 +986,10 @@ dummynet_send(struct mbuf *m) } switch (dst) { - case DN_TO_IP_OUT: + case DIR_OUT: ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); break ; - case DN_TO_IP_IN : + case DIR_IN : ip = mtod(m, struct ip *); #ifndef HAVE_NET_IPLEN ip->ip_len = htons(ip->ip_len); 
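Review bot: The new comment says the first part of `struct dn_pkt_tag` is "common to other forms of packet reinjection", but that commonality exists only by parallel declaration: the same four fields (`slot`, `rulenum`, `rule_id`, `chain_id`) are repeated by hand in `struct ng_ipfw_tag` in the ip_fw_private.h hunk, and nothing prevents the two from drifting. A shared struct (name to be chosen, e.g. `struct ipfw_reinject_info`) embedded at the head of both tags would make the claimed layout true by construction. Separately, `dn_dir` now carries two half comments, `/* action when packet comes out. */` and `/* see ip_fw_private.h */`; one line such as `int dn_dir; /* DIR_* | PROTO_* reinject target, see ip_fw_private.h */` reads better.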
@@ -998,22 +998,22 @@ dummynet_send(struct mbuf *m) netisr_dispatch(NETISR_IP, m); break; #ifdef INET6 - case DN_TO_IP6_IN: + case DIR_IN | PROTO_IPV6: netisr_dispatch(NETISR_IPV6, m); break; - case DN_TO_IP6_OUT: + case DIR_OUT | PROTO_IPV6: ip6_output(m, NULL, NULL, IPV6_FORWARDING, NULL, NULL, NULL); break; #endif - case DN_TO_IFB_FWD: + case DIR_FWD | PROTO_IFB: /* DN_TO_IFB_FWD: */ if (bridge_dn_p != NULL) ((*bridge_dn_p)(m, pkt->ifp)); else printf("dummynet: if_bridge not loaded\n"); break; - case DN_TO_ETH_DEMUX: + case DIR_IN | PROTO_LAYER2: /* DN_TO_ETH_DEMUX: */ /* * The Ethernet code assumes the Ethernet header is * contiguous in the first mbuf header. @@ -1027,7 +1027,7 @@ dummynet_send(struct mbuf *m) } ether_demux(m->m_pkthdr.rcvif, m); break; - case DN_TO_ETH_OUT: + case DIR_OUT | PROTO_LAYER2: /* N_TO_ETH_OUT: */ ether_output_frame(pkt->ifp, m); break; @@ -1550,8 +1550,8 @@ dummynet_io(struct mbuf **m0, int dir, s } } done: - if (head == m && dir != DN_TO_IFB_FWD && dir != DN_TO_ETH_DEMUX && - dir != DN_TO_ETH_OUT) { /* Fast io. */ + if (head == m && (dir & PROTO_LAYER2) == 0 ) { + /* Fast io. */ io_pkt_fast++; if (m->m_nextpkt != NULL) printf("dummynet: fast io: pkt chain detected!\n"); Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c Sat Dec 26 02:36:48 2009 (r201011) @@ -64,8 +64,6 @@ __FBSDID("$FreeBSD$"); #include #include -#include - #include static VNET_DEFINE(int, fw_enable) = 1; @@ -86,8 +84,6 @@ ng_ipfw_input_t *ng_ipfw_input_p = NULL; /* Forward declarations. */ static int ipfw_divert(struct mbuf **, int, int); -#define DIV_DIR_IN 1 -#define DIV_DIR_OUT 0 #ifdef SYSCTL_NODE SYSCTL_DECL(_net_inet_ip_fw); 
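Review bot: The comment on the new `case DIR_OUT | PROTO_LAYER2:` reads `/* N_TO_ETH_OUT: */`, dropping the leading D of the old macro name; the sibling labels in the previous hunk spell theirs `/* DN_TO_IFB_FWD: */` and `/* DN_TO_ETH_DEMUX: */`, so this should be `/* DN_TO_ETH_OUT: */` — or, since the old macros are removed from ip_dummynet.h in this same commit, all three reminders could be dropped once the rename has settled. dummynet_send starts before this hunk and continues after it.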
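Review bot: The rewritten fast-path condition `(dir & PROTO_LAYER2) == 0` depends on `PROTO_IFB` (0x0c) including the `PROTO_LAYER2` bit (0x4) to keep the if_bridge case out of the fast path, as the old `dir != DN_TO_IFB_FWD` test did; that coupling is only visible by reading the enum in ip_fw_private.h. A comment on the test would preserve the intent, e.g. `/* layer-2 reinjection (ethernet, if_bridge) never takes the fast path */`, and the stray space in `== 0 )` should go. dummynet_io starts before this hunk.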
@@ -123,7 +119,7 @@ ipfw_check_in(void *arg, struct mbuf **m ng_tag = (struct ng_ipfw_tag *)m_tag_locate(*m0, NGM_IPFW_COOKIE, 0, NULL); if (ng_tag != NULL) { - KASSERT(ng_tag->dir == NG_IPFW_IN, + KASSERT(ng_tag->dir == DIR_IN, ("ng_ipfw tag with wrong direction")); args.slot = ng_tag->slot; args.rulenum = ng_tag->rulenum; @@ -185,9 +181,9 @@ again: if (ip_dn_io_ptr == NULL) goto drop; if (mtod(*m0, struct ip *)->ip_v == 4) - ip_dn_io_ptr(m0, DN_TO_IP_IN, &args); + ip_dn_io_ptr(m0, DIR_IN, &args); else if (mtod(*m0, struct ip *)->ip_v == 6) - ip_dn_io_ptr(m0, DN_TO_IP6_IN, &args); + ip_dn_io_ptr(m0, DIR_IN | PROTO_IPV6, &args); if (*m0 != NULL) goto again; return 0; /* packet consumed */ @@ -197,7 +193,7 @@ again: /* fall through */ case IP_FW_DIVERT: - divert = ipfw_divert(m0, DIV_DIR_IN, tee); + divert = ipfw_divert(m0, DIR_IN, tee); if (divert) { *m0 = NULL; return 0; /* packet consumed */ @@ -209,13 +205,13 @@ again: case IP_FW_NGTEE: if (!NG_IPFW_LOADED) goto drop; - (void)ng_ipfw_input_p(m0, NG_IPFW_IN, &args, 1); + (void)ng_ipfw_input_p(m0, DIR_IN, &args, 1); goto again; /* continue with packet */ case IP_FW_NETGRAPH: if (!NG_IPFW_LOADED) goto drop; - return ng_ipfw_input_p(m0, NG_IPFW_IN, &args, 0); + return ng_ipfw_input_p(m0, DIR_IN, &args, 0); case IP_FW_NAT: goto again; /* continue with packet */ @@ -257,7 +253,7 @@ ipfw_check_out(void *arg, struct mbuf ** ng_tag = (struct ng_ipfw_tag *)m_tag_locate(*m0, NGM_IPFW_COOKIE, 0, NULL); if (ng_tag != NULL) { - KASSERT(ng_tag->dir == NG_IPFW_OUT, + KASSERT(ng_tag->dir == DIR_OUT, ("ng_ipfw tag with wrong direction")); args.slot = ng_tag->slot; args.rulenum = ng_tag->rulenum; 
@@ -324,9 +320,9 @@ again: if (ip_dn_io_ptr == NULL) break; if (mtod(*m0, struct ip *)->ip_v == 4) - ip_dn_io_ptr(m0, DN_TO_IP_OUT, &args); + ip_dn_io_ptr(m0, DIR_OUT, &args); else if (mtod(*m0, struct ip *)->ip_v == 6) - ip_dn_io_ptr(m0, DN_TO_IP6_OUT, &args); + ip_dn_io_ptr(m0, DIR_OUT | PROTO_IPV6, &args); if (*m0 != NULL) goto again; return 0; /* packet consumed */ @@ -338,7 +334,7 @@ again: /* fall through */ case IP_FW_DIVERT: - divert = ipfw_divert(m0, DIV_DIR_OUT, tee); + divert = ipfw_divert(m0, DIR_OUT, tee); if (divert) { *m0 = NULL; return 0; /* packet consumed */ @@ -350,13 +346,13 @@ again: case IP_FW_NGTEE: if (!NG_IPFW_LOADED) goto drop; - (void)ng_ipfw_input_p(m0, NG_IPFW_OUT, &args, 1); + (void)ng_ipfw_input_p(m0, DIR_OUT, &args, 1); goto again; /* continue with packet */ case IP_FW_NETGRAPH: if (!NG_IPFW_LOADED) goto drop; - return ng_ipfw_input_p(m0, NG_IPFW_OUT, &args, 0); + return ng_ipfw_input_p(m0, DIR_OUT, &args, 0); case IP_FW_NAT: goto again; /* continue with packet */ @@ -584,20 +580,14 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS) return (0); if (arg1 == &VNET_NAME(fw_enable)) { - if (enable) - error = ipfw_hook(); - else - error = ipfw_unhook(); + error = (enable) ? ipfw_hook() : ipfw_unhook(); if (error) return (error); V_fw_enable = enable; } #ifdef INET6 else if (arg1 == &VNET_NAME(fw6_enable)) { - if (enable) - error = ipfw6_hook(); - else - error = ipfw6_unhook(); + error = (enable) ? ipfw6_hook() : ipfw6_unhook(); if (error) return (error); V_fw6_enable = enable; Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h Sat Dec 26 02:36:48 2009 (r201011) 
@@ -101,11 +101,32 @@ struct ip_fw_args { MALLOC_DECLARE(M_IPFW); /* + * Hooks sometime need to know the direction of the packet + * (divert, dummynet, netgraph, ...) + * We use a generic definition here, with bit0-1 indicating the + * direction, bit 2 indicating layer2 or 3, bit 3-4 indicating the + * specific protocol + * indicating the protocol (if necessary) + */ +enum { + DIR_MASK = 0x3, + DIR_OUT = 0, + DIR_IN = 1, + DIR_FWD = 2, + DIR_DROP = 3, + PROTO_LAYER2 = 0x4, /* set for layer 2 */ + /* PROTO_DEFAULT = 0, */ + PROTO_IPV4 = 0x08, + PROTO_IPV6 = 0x10, + PROTO_IFB = 0x0c, /* layer2 + ifbridge */ + /* PROTO_OLDBDG = 0x14, unused, old bridge */ +}; + +/* * Function definitions. */ /* Firewall hooks */ - int ipfw_check_in(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); int ipfw_check_out(void *, struct mbuf **, struct ifnet *, 
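Review bot: The IPv4 encoding in the new enum is ambiguous: `PROTO_IPV4 = 0x08` is defined, but every IPv4 caller in this diff (ipfw_check_in/ipfw_check_out passing `DIR_IN`/`DIR_OUT`, and the `case DIR_IN:`/`case DIR_OUT:` labels in dummynet_send) uses the implicit `PROTO_DEFAULT = 0` form, so a value built as `DIR_IN | PROTO_IPV4` would reach dummynet_send's default case. Either drop `PROTO_IPV4` or make the switch labels use it. `PROTO_IFB = 0x0c` also equals `PROTO_LAYER2 | PROTO_IPV4`, so the bit the comment reserves for "specific protocol" is doing double duty; if that overlap is intended (layer 2 never needs an IPv4 flag), the comment should say so, otherwise a distinct bit avoids the collision. The comment itself repeats a fragment (`specific protocol` / `indicating the protocol (if necessary)`); suggested wording: `bits 0-1 give the direction (DIR_MASK), bit 2 marks layer 2, bits 3-4 select the protocol when one is needed`.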
@@ -257,5 +278,27 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr; extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; +/* netgraph prototypes */ +#define NGM_IPFW_COOKIE 1105988990 + +typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int); +extern ng_ipfw_input_t *ng_ipfw_input_p; +#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL) + +struct ng_ipfw_tag { + struct m_tag mt; /* tag header */ + /* reinject info */ + uint32_t slot; /* slot for next rule */ + uint32_t rulenum; /* matching rule number */ + uint32_t rule_id; /* matching rule id */ + uint32_t chain_id; /* ruleset id */ + int dir; + +// struct ifnet *ifp; /* interface, for ip_output */ +}; + +#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag)) + + #endif /* _KERNEL */ #endif /* _IPFW2_PRIVATE_H */ Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c Sat Dec 26 00:46:05 2009 (r201010) +++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_sockopt.c Sat Dec 26 02:36:48 2009 (r201011) @@ -67,8 +67,6 @@ __FBSDID("$FreeBSD$"); #include #include -#include - #ifdef MAC #include #endif
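Review bot: `TAGSIZ` is a very generic macro name; it was tolerable in ng_ipfw.h, but ip_fw_private.h is presumably included by every ipfw source and, after this commit, by the net/ callers that need the DIR_*/PROTO_* values, so a collision is more likely — `NG_IPFW_TAGSIZ` would follow the `NG_IPFW_` prefix the rest of this section already uses. The `/* netgraph prototypes */` section also deserves a sentence tying the `slot`..`chain_id` members to the identical reinject fields at the head of `struct dn_pkt_tag` in ip_dummynet.h, since the new comment in that header relies on the two layouts matching, e.g. `/* reinject info; must mirror the first four fields of struct dn_pkt_tag */`.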