From owner-svn-src-user@FreeBSD.ORG Thu Jan 7 10:06:10 2010 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F9D81065692; Thu, 7 Jan 2010 10:06:10 +0000 (UTC) (envelope-from luigi@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 1DFB18FC17; Thu, 7 Jan 2010 10:06:10 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o07A6ALZ016228; Thu, 7 Jan 2010 10:06:10 GMT (envelope-from luigi@svn.freebsd.org) Received: (from luigi@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o07A69hj016222; Thu, 7 Jan 2010 10:06:09 GMT (envelope-from luigi@svn.freebsd.org) Message-Id: <201001071006.o07A69hj016222@svn.freebsd.org> From: Luigi Rizzo Date: Thu, 7 Jan 2010 10:06:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r201731 - in user/luigi/ipfw3-head/sys/netinet: . ipfw X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jan 2010 10:06:10 -0000 Author: luigi Date: Thu Jan 7 10:06:09 2010 New Revision: 201731 URL: http://svn.freebsd.org/changeset/base/201731 Log: snapshot to decouple ip_divert from ipfw Modified: user/luigi/ipfw3-head/sys/netinet/ip_divert.c user/luigi/ipfw3-head/sys/netinet/ip_var.h user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h user/luigi/ipfw3-head/sys/netinet/raw_ip.c Modified: user/luigi/ipfw3-head/sys/netinet/ip_divert.c ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ip_divert.c Thu Jan 7 09:56:07 2010 (r201730) +++ user/luigi/ipfw3-head/sys/netinet/ip_divert.c Thu Jan 7 10:06:09 2010 (r201731) @@ -32,14 +32,10 @@ __FBSDID("$FreeBSD$"); #if !defined(KLD_MODULE) #include "opt_inet.h" -#include "opt_ipfw.h" #include "opt_sctp.h" #ifndef INET #error "IPDIVERT requires INET." #endif -#ifndef IPFIREWALL -#error "IPDIVERT requires IPFIREWALL" -#endif #endif #include @@ -55,10 +51,10 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include -#include #include #include @@ -66,8 +62,6 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include -#include #ifdef SCTP #include #endif @@ -85,27 +79,29 @@ __FBSDID("$FreeBSD$"); #define DIVRCVQ (65536 + 100) /* - * Divert sockets work in conjunction with ipfw, see the divert(4) - * manpage for features. - * Internally, packets selected by ipfw in ip_input() or ip_output(), - * and never diverted before, are passed to the input queue of the - * divert socket with a given 'divert_port' number (as specified in - * the matching ipfw rule), and they are tagged with a 16 bit cookie - * (representing the rule number of the matching ipfw rule), which - * is passed to process reading from the socket. + * Divert sockets work in conjunction with ipfw or other packet filters, + * see the divert(4) manpage for features. + * Packets are selected by the packet filter and tagged with an + * MTAG_IPFW_RULE tag carrying the 'divert port' number (as set by + * the packet filter) and information on the matching filter rule for + * subsequent reinjection. The divert_port is used to put the packet + * on the corresponding divert socket, while the rule number is passed + * up (at least partially) as the sin_port in the struct sockaddr. * - * Packets written to the divert socket are again tagged with a cookie - * (usually the same as above) and a destination address. - * If the destination address is INADDR_ANY then the packet is - * treated as outgoing and sent to ip_output(), otherwise it is - * treated as incoming and sent to ip_input(). - * In both cases, the packet is tagged with the cookie. + * Packets written to the divert socket carry in sin_addr a + * destination address, and in sin_port the number of the filter rule + * after which to continue processing. + * If the destination address is INADDR_ANY, the packet is treated as + * as outgoing and sent to ip_output(); otherwise it is treated as + * incoming and sent to ip_input(). + * Further, sin_zero carries some information on the interface, + * which can be used in the reinject -- see comments in the code. * * On reinjection, processing in ip_input() and ip_output() * will be exactly the same as for the original packet, except that - * ipfw processing will start at the rule number after the one - * written in the cookie (so, tagging a packet with a cookie of 0 - * will cause it to be effectively considered as a standard packet). + * packet filter processing will start at the rule number after the one + * written in the sin_port (ipfw does not allow a rule #0, so sin_port=0 + * will apply the entire ruleset to the packet). */ /* Internal variables. */ Modified: user/luigi/ipfw3-head/sys/netinet/ip_var.h ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ip_var.h Thu Jan 7 09:56:07 2010 (r201730) +++ user/luigi/ipfw3-head/sys/netinet/ip_var.h Thu Jan 7 10:06:09 2010 (r201731) @@ -249,7 +249,43 @@ VNET_DECLARE(struct pfil_head, inet_pfil void in_delayed_cksum(struct mbuf *m); -/* ipfw and dummynet hooks. Most are declared in raw_ip.c */ +/* Hooks for ipfw, dummynet, divert etc. Most are declared in raw_ip.c */ +/* + * Reference to an ipfw or packet filter rule that can be carried + * outside critical sections. + * A rule is identified by rulenum:rule_id which is ordered. + * In version chain_id the rule can be found in slot 'slot', so + * we don't need a lookup if chain_id == chain->id. + * + * On exit from the firewall this structure refers to the rule after + * the matching one (slot points to the new rule; rulenum:rule_id-1 + * is the matching rule), and additional info (e.g. info often contains + * the insn argument or tablearg in the low 16 bits, in host format). + * On entry, the structure is valid if slot>0, and refers to the starting + * rules. 'info' contains the reason for reinject, e.g. divert port, + * divert direction, and so on. + */ +struct ipfw_rule_ref { + uint32_t slot; /* slot for matching rule */ + uint32_t rulenum; /* matching rule number */ + uint32_t rule_id; /* matching rule id */ + uint32_t chain_id; /* ruleset id */ + uint32_t info; /* see below */ +}; + +enum { + IPFW_INFO_MASK = 0x0000ffff, + IPFW_INFO_OUT = 0x00000000, /* outgoing, just for convenience */ + IPFW_INFO_IN = 0x80000000, /* incoming, overloads dir */ + IPFW_ONEPASS = 0x40000000, /* One-pass, do not reinject */ + IPFW_IS_MASK = 0x30000000, /* which source ? */ + IPFW_IS_DIVERT = 0x20000000, + IPFW_IS_DUMMYNET =0x10000000, + IPFW_IS_PIPE = 0x08000000, /* pip1=1, queue = 0 */ +}; +#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ +#define MTAG_IPFW_RULE 1262273568 /* rule reference */ + struct ip_fw_args; typedef int (*ip_fw_chk_ptr_t)(struct ip_fw_args *args); typedef int (*ip_fw_ctl_ptr_t)(struct sockopt *); @@ -258,9 +294,14 @@ VNET_DECLARE(ip_fw_ctl_ptr_t, ip_fw_ctl_ #define V_ip_fw_chk_ptr VNET(ip_fw_chk_ptr) #define V_ip_fw_ctl_ptr VNET(ip_fw_ctl_ptr) +/* Divert hooks. */ +extern void (*ip_divert_ptr)(struct mbuf *m, int incoming); +/* ng_ipfw hooks -- XXX make it the same as divert and dummynet */ +extern int (*ng_ipfw_input_p)(struct mbuf **, int, + struct ip_fw_args *, int); + extern int (*ip_dn_ctl_ptr)(struct sockopt *); -extern int (*ip_dn_io_ptr)(struct mbuf **m, int dir, struct ip_fw_args *fwa); -extern void (*ip_dn_ruledel_ptr)(void *); /* in ip_fw2.c */ +extern int (*ip_dn_io_ptr)(struct mbuf **, int, struct ip_fw_args *); VNET_DECLARE(int, ip_do_randomid); #define V_ip_do_randomid VNET(ip_do_randomid) Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c Thu Jan 7 09:56:07 2010 (r201730) +++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_pfil.c Thu Jan 7 10:06:09 2010 (r201731) @@ -73,12 +73,6 @@ static VNET_DEFINE(int, fw6_enable) = 1; int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); -/* Divert hooks. */ -void (*ip_divert_ptr)(struct mbuf *m, int incoming); - -/* ng_ipfw hooks. */ -ng_ipfw_input_t *ng_ipfw_input_p = NULL; - /* Forward declarations. */ static int ipfw_divert(struct mbuf **, int, struct ipfw_rule_ref *, int); @@ -219,7 +213,7 @@ again: case IP_FW_NGTEE: case IP_FW_NETGRAPH: - if (!NG_IPFW_LOADED) { + if (ng_ipfw_input_p == NULL) { ret = EACCES; break; /* i.e. drop */ } Modified: user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h Thu Jan 7 09:56:07 2010 (r201730) +++ user/luigi/ipfw3-head/sys/netinet/ipfw/ip_fw_private.h Thu Jan 7 10:06:09 2010 (r201731) @@ -35,8 +35,6 @@ #ifdef _KERNEL -#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ -#define MTAG_IPFW_RULE 1262273568 /* rule reference */ /* Return values from ipfw_chk() */ enum { @@ -66,38 +64,6 @@ struct _ip6dn_args { struct route_in6 ro_pmtu_or; }; -/* - * Reference to an ipfw rule that can be carried outside critical sections. - * A rule is identified by rulenum:rule_id which is ordered. - * In version chain_id the rule can be found in slot 'slot', so - * we don't need a lookup if chain_id == chain->id. - * - * On exit from the firewall this structure refers to the rule after - * the matching one (slot points to the new rule; rulenum:rule_id-1 - * is the matching rule), and additional info (e.g. info often contains - * the insn argument or tablearg in the low 16 bits, in host format). - * On entry, the structure is valid if slot>0, and refers to the starting - * rules. 'info' contains the reason for reinject, e.g. divert port, - * divert direction, and so on. - */ -struct ipfw_rule_ref { - uint32_t slot; /* slot for matching rule */ - uint32_t rulenum; /* matching rule number */ - uint32_t rule_id; /* matching rule id */ - uint32_t chain_id; /* ruleset id */ - uint32_t info; /* see below */ -}; - -enum { - IPFW_INFO_MASK = 0x0000ffff, - IPFW_INFO_OUT = 0x00000000, /* outgoing, just for convenience */ - IPFW_INFO_IN = 0x80000000, /* incoming, overloads dir */ - IPFW_ONEPASS = 0x40000000, /* One-pass, do not reinject */ - IPFW_IS_MASK = 0x30000000, /* which source ? */ - IPFW_IS_DIVERT = 0x20000000, - IPFW_IS_DUMMYNET =0x10000000, - IPFW_IS_PIPE = 0x08000000, /* pip1=1, queue = 0 */ -}; /* * Arguments for calling ipfw_chk() and dummynet_io(). We put them @@ -289,10 +255,7 @@ int ipfw_del_table_entry(struct ip_fw_ch int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt); int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl); -/* hooks for divert */ -extern void (*ip_divert_ptr)(struct mbuf *m, int incoming); - -/* In ip_fw_nat.c */ +/* In ip_fw_nat.c -- XXX to be moved to ip_var.h */ extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); @@ -307,14 +270,5 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr; extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; -/* netgraph prototypes */ - -typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int); -extern ng_ipfw_input_t *ng_ipfw_input_p; -#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL) - -#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag)) - - #endif /* _KERNEL */ #endif /* _IPFW2_PRIVATE_H */ Modified: user/luigi/ipfw3-head/sys/netinet/raw_ip.c ============================================================================== --- user/luigi/ipfw3-head/sys/netinet/raw_ip.c Thu Jan 7 09:56:07 2010 (r201730) +++ user/luigi/ipfw3-head/sys/netinet/raw_ip.c Thu Jan 7 10:06:09 2010 (r201731) @@ -80,14 +80,18 @@ VNET_DEFINE(struct inpcbinfo, ripcbinfo) #define V_ripcbinfo VNET(ripcbinfo) /* - * Control and data hooks for ipfw and dummynet. + * Control and data hooks for ipfw, dummynet, divert and so on. * The data hooks are not used here but it is convenient * to keep them all in one place. */ VNET_DEFINE(ip_fw_chk_ptr_t, ip_fw_chk_ptr) = NULL; VNET_DEFINE(ip_fw_ctl_ptr_t, ip_fw_ctl_ptr) = NULL; -int (*ip_dn_ctl_ptr)(struct sockopt *) = NULL; -int (*ip_dn_io_ptr)(struct mbuf **m, int dir, struct ip_fw_args *fwa) = NULL; + +int (*ip_dn_ctl_ptr)(struct sockopt *); +int (*ip_dn_io_ptr)(struct mbuf **, int, struct ip_fw_args *); +void (*ip_divert_ptr)(struct mbuf *, int); +int (*ng_ipfw_input_p)(struct mbuf **, int, + struct ip_fw_args *, int); /* * Hooks for multicast routing. They all default to NULL, so leave them not