Date: Wed, 14 Oct 2009 21:34:52 +0000 (UTC) From: Ermal Luçi <eri@FreeBSD.org> To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r198100 - in user/eri/pf45/head/sys: contrib/pf/net netinet netinet6 netipsec sys Message-ID: <200910142134.n9ELYqUo049280@svn.freebsd.org>
Author: eri Date: Wed Oct 14 21:34:52 2009 New Revision: 198100 URL: http://svn.freebsd.org/changeset/base/198100 Log: Pf(4) needs a mechanism to be notified that the destination address changed after pf(4) has seen the packet on input path and might see it again in the output pathi(state match optimization). Since this needs to touch many subsystems implement a wrapper that will call all callbacks for other subsystems that might see this information useful. Basically they just place the callback in this wrapper rather than go through all the sources that this function will be. Idea and basic template from mlaier@. NOTE: With this commit pf 4.5 can be considered ported to FreeBSD with all its features. Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c user/eri/pf45/head/sys/netinet/in_gif.c user/eri/pf45/head/sys/netinet/ip_icmp.c user/eri/pf45/head/sys/netinet/raw_ip.c user/eri/pf45/head/sys/netinet6/icmp6.c user/eri/pf45/head/sys/netinet6/in6_gif.c user/eri/pf45/head/sys/netipsec/ipsec_input.c user/eri/pf45/head/sys/netipsec/ipsec_output.c user/eri/pf45/head/sys/netipsec/xform_ipip.c user/eri/pf45/head/sys/sys/mbuf.h Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c ============================================================================== --- user/eri/pf45/head/sys/contrib/pf/net/pf.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/contrib/pf/net/pf.c Wed Oct 14 21:34:52 2009 (r198100) @@ -7391,7 +7391,6 @@ pf_check_congestion(struct ifqueue *ifq) #endif } -#ifdef notyet /* * must be called whenever any addressing information such as * address, port, protocol has changed 
@@ -7399,6 +7398,12 @@ pf_check_congestion(struct ifqueue *ifq) void pf_pkt_addr_changed(struct mbuf *m) { +#ifdef __FreeBSD__ + struct pf_mtag *pf_tag; + + if ((pf_tag = pf_find_mtag(m)) != NULL) + pf_tag->statekey = NULL; +#else m->m_pkthdr.pf.statekey = NULL; -} #endif +} Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c ============================================================================== --- user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Wed Oct 14 21:34:52 2009 (r198100) @@ -438,6 +438,9 @@ pfattach(void) if (kproc_create(pf_purge_thread, NULL, NULL, 0, 0, "pfpurge")) return (ENXIO); +#ifdef __FreeBSD__ + m_addr_chg_pf_p = pf_pkt_addr_changed; +#endif return (error); } #else /* !__FreeBSD__ */ Modified: user/eri/pf45/head/sys/netinet/in_gif.c ============================================================================== --- user/eri/pf45/head/sys/netinet/in_gif.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netinet/in_gif.c Wed Oct 14 21:34:52 2009 (r198100) @@ -254,6 +254,8 @@ in_gif_output(struct ifnet *ifp, int fam #endif } + m_addr_changed(m); + error = ip_output(m, NULL, &sc->gif_ro, 0, NULL, NULL); if (!(GIF2IFP(sc)->if_flags & IFF_LINK0) && Modified: user/eri/pf45/head/sys/netinet/ip_icmp.c ============================================================================== --- user/eri/pf45/head/sys/netinet/ip_icmp.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netinet/ip_icmp.c Wed Oct 14 21:34:52 2009 (r198100) 
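Review bot: In the pf_ioctl.c hunk, pfattach() installs `m_addr_chg_pf_p = pf_pkt_addr_changed;`, but no hunk in this commit clears the pointer again when pf is detached or unloaded. If pf is built as a loadable module, a pointer left set after unload would make every `m_addr_changed()` call in the gif, ICMP, IPsec and IPIP paths jump into code that is no longer mapped. The detach/unload routine is outside this diff, so this may already be handled there; if not, it should do `m_addr_chg_pf_p = NULL;` before pf's state is torn down. pfattach()'s body starts outside the hunk.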
@@ -689,6 +689,8 @@ icmp_reflect(struct mbuf *m) goto done; /* Ip_output() will check for broadcast */ } + m_addr_changed(m); + t = ip->ip_dst; ip->ip_dst = ip->ip_src; Modified: user/eri/pf45/head/sys/netinet/raw_ip.c ============================================================================== --- user/eri/pf45/head/sys/netinet/raw_ip.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netinet/raw_ip.c Wed Oct 14 21:34:52 2009 (r198100) @@ -89,6 +89,9 @@ VNET_DEFINE(ip_fw_ctl_ptr_t, ip_fw_ctl_p int (*ip_dn_ctl_ptr)(struct sockopt *) = NULL; int (*ip_dn_io_ptr)(struct mbuf **m, int dir, struct ip_fw_args *fwa) = NULL; +/* Hook for telling pf that the destination address changed */ +void (*m_addr_chg_pf_p)(struct mbuf *m); + /* * Hooks for multicast routing. They all default to NULL, so leave them not * initialized and rely on BSS being set to 0. Modified: user/eri/pf45/head/sys/netinet6/icmp6.c ============================================================================== --- user/eri/pf45/head/sys/netinet6/icmp6.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netinet6/icmp6.c Wed Oct 14 21:34:52 2009 (r198100) @@ -1105,6 +1105,8 @@ icmp6_notify_error(struct mbuf **mp, int ip6cp.ip6c_src = &icmp6src; ip6cp.ip6c_nxt = nxt; + m_addr_changed(m); + if (icmp6type == ICMP6_PACKET_TOO_BIG) { notifymtu = ntohl(icmp6->icmp6_mtu); ip6cp.ip6c_cmdarg = (void *)¬ifymtu; @@ -2227,6 +2229,8 @@ icmp6_reflect(struct mbuf *m, size_t off m->m_flags &= ~(M_BCAST|M_MCAST); + m_addr_changed(m); + ip6_output(m, NULL, NULL, 0, NULL, &outif, NULL); if (outif) icmp6_ifoutstat_inc(outif, type, code); Modified: user/eri/pf45/head/sys/netinet6/in6_gif.c ============================================================================== --- user/eri/pf45/head/sys/netinet6/in6_gif.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netinet6/in6_gif.c Wed Oct 14 21:34:52 2009 (r198100) 
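Review bot: In the raw_ip.c hunk, the comment on `m_addr_chg_pf_p` says the hook is for a changed destination address, while the comment on pf_pkt_addr_changed() in pf.c says it must be called whenever any addressing information (address, port, protocol) changes. A caller who reads only this comment could skip the call after a source or port rewrite and leave a stale state key on the mbuf, so the packet may be matched against the wrong pf state on its next pass. I would word it as `/* Hook for telling pf that a packet's addressing (address, port or protocol) changed; NULL while pf is not attached. */` and give the definition an explicit `= NULL` like the `ip_dn_*` pointers directly above it.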
@@ -253,6 +253,8 @@ in6_gif_output(struct ifnet *ifp, #endif } + m_addr_changed(m); + #ifdef IPV6_MINMTU /* * force fragmentation to minimum MTU, to avoid path MTU discovery. Modified: user/eri/pf45/head/sys/netipsec/ipsec_input.c ============================================================================== --- user/eri/pf45/head/sys/netipsec/ipsec_input.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netipsec/ipsec_input.c Wed Oct 14 21:34:52 2009 (r198100) @@ -471,6 +471,7 @@ ipsec4_common_input_cb(struct mbuf *m, s key_sa_recordxfer(sav, m); /* record data transfer */ + m_addr_changed(m); #ifdef DEV_ENC encif->if_ipackets++; encif->if_ibytes += m->m_pkthdr.len; Modified: user/eri/pf45/head/sys/netipsec/ipsec_output.c ============================================================================== --- user/eri/pf45/head/sys/netipsec/ipsec_output.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netipsec/ipsec_output.c Wed Oct 14 21:34:52 2009 (r198100) @@ -169,6 +169,8 @@ ipsec_process_done(struct mbuf *m, struc } key_sa_recordxfer(sav, m); /* record data transfer */ + m_addr_changed(m); + /* * We're done with IPsec processing, transmit the packet using the * appropriate network protocol (IP or IPv6). SPD lookup will be Modified: user/eri/pf45/head/sys/netipsec/xform_ipip.c ============================================================================== --- user/eri/pf45/head/sys/netipsec/xform_ipip.c Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/netipsec/xform_ipip.c Wed Oct 14 21:34:52 2009 (r198100) 
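Review bot: In ipsec_input.c the new `m_addr_changed(m);` is added only to ipsec4_common_input_cb(); the commit has no matching hunk for the IPv6 input callback in the same file (ipsec6_common_input_cb, not visible here). If decapsulated IPv6 packets are re-injected with their mbuf tags intact, pf could still find the state key cached for the outer packet and match the inner packet against the wrong state. Please confirm whether the IPv6 path needs the same call after `key_sa_recordxfer()`, or add a comment explaining why it does not. The function body starts and ends outside the hunk.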
@@ -392,6 +392,8 @@ _ipip_input(struct mbuf *m, int iphlen, panic("%s: bogus ip version %u", __func__, v>>4); } + m_addr_changed(m); + if (netisr_queue(isr, m)) { /* (0) on success. */ V_ipipstat.ipips_qfull++; DPRINTF(("%s: packet dropped because of full queue\n", Modified: user/eri/pf45/head/sys/sys/mbuf.h ============================================================================== --- user/eri/pf45/head/sys/sys/mbuf.h Wed Oct 14 20:30:27 2009 (r198099) +++ user/eri/pf45/head/sys/sys/mbuf.h Wed Oct 14 21:34:52 2009 (r198100) @@ -656,6 +656,14 @@ m_last(struct mbuf *m) return (m); } +extern void (*m_addr_chg_pf_p)(struct mbuf *m); + +static __inline void +m_addr_changed(struct mbuf *m) { + if (m_addr_chg_pf_p) + m_addr_chg_pf_p(m); +} + /* * mbuf, cluster, and external object allocation macros (for compatibility * purposes).
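Review bot: In the mbuf.h hunk, `m_addr_changed()` tests `m_addr_chg_pf_p` and then reads it a second time to make the call, so if the hook is cleared between the two reads (for example while pf is being unloaded) the packet path calls through NULL. Load it once into a local and test that: `void (*fn)(struct mbuf *) = m_addr_chg_pf_p;` followed by `if (fn != NULL)` and `fn(m);`. That removes the check-then-call gap, but an unload path would still have to wait for in-flight callers before freeing pf's code. The function also has no comment; a short one stating that callers must invoke it after rewriting a packet's address, port or protocol would document the contract where the other subsystems will look for it, and the opening brace belongs on its own line to match the neighbouring `m_last()`.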