From owner-svn-src-head@freebsd.org Wed Apr 15 13:00:48 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id A3C732B5AB2; Wed, 15 Apr 2020 13:00:48 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 492Msr3vvJz3JVk; Wed, 15 Apr 2020 13:00:48 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8151C1F51A; Wed, 15 Apr 2020 13:00:48 +0000 (UTC) (envelope-from melifaro@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 03FD0m7b014170; Wed, 15 Apr 2020 13:00:48 GMT (envelope-from melifaro@FreeBSD.org) Received: (from melifaro@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 03FD0mvX014169; Wed, 15 Apr 2020 13:00:48 GMT (envelope-from melifaro@FreeBSD.org) Message-Id: <202004151300.03FD0mvX014169@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: melifaro set sender to melifaro@FreeBSD.org using -f From: "Alexander V. Chernikov" Date: Wed, 15 Apr 2020 13:00:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r359964 - head/sys/netpfil/pf X-SVN-Group: head X-SVN-Commit-Author: melifaro X-SVN-Commit-Paths: head/sys/netpfil/pf X-SVN-Commit-Revision: 359964 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Apr 2020 13:00:48 -0000 Author: melifaro Date: Wed Apr 15 13:00:48 2020 New Revision: 359964 URL: https://svnweb.freebsd.org/changeset/base/359964 Log: Convert pf rtable checks to the new routing KPI. Switch uRPF to use specific fib(9)-provided uRPF. Switch MSS calculation to the latest fib(9) kpi. Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D24386 Modified: head/sys/netpfil/pf/pf.c Modified: head/sys/netpfil/pf/pf.c ============================================================================== --- head/sys/netpfil/pf/pf.c Wed Apr 15 12:56:05 2020 (r359963) +++ head/sys/netpfil/pf/pf.c Wed Apr 15 13:00:48 2020 (r359964) @@ -69,7 +69,7 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include +#include #include #include @@ -3176,31 +3176,32 @@ pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, static u_int16_t pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer) { -#ifdef INET - struct nhop4_basic nh4; -#endif /* INET */ + struct nhop_object *nh; #ifdef INET6 - struct nhop6_basic nh6; struct in6_addr dst6; uint32_t scopeid; #endif /* INET6 */ int hlen = 0; uint16_t mss = 0; + NET_EPOCH_ASSERT(); + switch (af) { #ifdef INET case AF_INET: hlen = sizeof(struct ip); - if (fib4_lookup_nh_basic(rtableid, addr->v4, 0, 0, &nh4) == 0) - mss = nh4.nh_mtu - hlen - sizeof(struct tcphdr); + nh = fib4_lookup(rtableid, addr->v4, 0, 0, 0); + if (nh != NULL) + mss = nh->nh_mtu - hlen - sizeof(struct tcphdr); break; #endif /* INET */ #ifdef INET6 case AF_INET6: hlen = sizeof(struct ip6_hdr); in6_splitscope(&addr->v6, &dst6, &scopeid); - if (fib6_lookup_nh_basic(rtableid, &dst6, scopeid, 0,0,&nh6)==0) - mss = nh6.nh_mtu - hlen - sizeof(struct tcphdr); + nh = fib6_lookup(rtableid, &dst6, scopeid, 0, 0); + if (nh != NULL) + mss = nh->nh_mtu - hlen - sizeof(struct tcphdr); break; #endif /* INET6 */ } @@ -5338,122 +5339,12 @@ pf_pull_hdr(struct mbuf *m, int off, void *p, int len, return (p); } -#ifdef RADIX_MPATH -static int -pf_routable_oldmpath(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif, - int rtableid) -{ - struct radix_node_head *rnh; - struct sockaddr_in *dst; - int ret = 1; - int check_mpath; -#ifdef INET6 - struct sockaddr_in6 *dst6; - struct route_in6 ro; -#else - struct route ro; -#endif - struct radix_node *rn; - struct rtentry *rt; - struct ifnet *ifp; - - check_mpath = 0; - /* XXX: stick to table 0 for now */ - rnh = rt_tables_get_rnh(0, af); - if (rnh != NULL && rn_mpath_capable(rnh)) - check_mpath = 1; - bzero(&ro, sizeof(ro)); - switch (af) { - case AF_INET: - dst = satosin(&ro.ro_dst); - dst->sin_family = AF_INET; - dst->sin_len = sizeof(*dst); - dst->sin_addr = addr->v4; - break; -#ifdef INET6 - case AF_INET6: - /* - * Skip check for addresses with embedded interface scope, - * as they would always match anyway. - */ - if (IN6_IS_SCOPE_EMBED(&addr->v6)) - goto out; - dst6 = (struct sockaddr_in6 *)&ro.ro_dst; - dst6->sin6_family = AF_INET6; - dst6->sin6_len = sizeof(*dst6); - dst6->sin6_addr = addr->v6; - break; -#endif /* INET6 */ - default: - return (0); - } - - /* Skip checks for ipsec interfaces */ - if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC) - goto out; - - switch (af) { -#ifdef INET6 - case AF_INET6: - in6_rtalloc_ign(&ro, 0, rtableid); - break; -#endif -#ifdef INET - case AF_INET: - in_rtalloc_ign((struct route *)&ro, 0, rtableid); - break; -#endif - } - - if (ro.ro_rt != NULL) { - /* No interface given, this is a no-route check */ - if (kif == NULL) - goto out; - - if (kif->pfik_ifp == NULL) { - ret = 0; - goto out; - } - - /* Perform uRPF check if passed input interface */ - ret = 0; - rn = (struct radix_node *)ro.ro_rt; - do { - rt = (struct rtentry *)rn; - ifp = rt->rt_ifp; - - if (kif->pfik_ifp == ifp) - ret = 1; - rn = rn_mpath_next(rn); - } while (check_mpath == 1 && rn != NULL && ret == 0); - } else - ret = 0; -out: - if (ro.ro_rt != NULL) - RTFREE(ro.ro_rt); - return (ret); -} -#endif - int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *kif, int rtableid) { -#ifdef INET - struct nhop4_basic nh4; -#endif -#ifdef INET6 - struct nhop6_basic nh6; -#endif struct ifnet *ifp; -#ifdef RADIX_MPATH - struct radix_node_head *rnh; - /* XXX: stick to table 0 for now */ - rnh = rt_tables_get_rnh(0, af); - if (rnh != NULL && rn_mpath_capable(rnh)) - return (pf_routable_oldmpath(addr, af, kif, rtableid)); -#endif /* * Skip check for addresses with embedded interface scope, * as they would always match anyway. @@ -5468,35 +5359,21 @@ pf_routable(struct pf_addr *addr, sa_family_t af, stru if (kif != NULL && kif->pfik_ifp->if_type == IFT_ENC) return (1); - ifp = NULL; + ifp = (kif != NULL) ? kif->pfik_ifp : NULL; switch (af) { #ifdef INET6 case AF_INET6: - if (fib6_lookup_nh_basic(rtableid, &addr->v6, 0, 0, 0, &nh6)!=0) - return (0); - ifp = nh6.nh_ifp; - break; + return (fib6_check_urpf(rtableid, &addr->v6, 0, NHR_NONE, + ifp)); #endif #ifdef INET case AF_INET: - if (fib4_lookup_nh_basic(rtableid, addr->v4, 0, 0, &nh4) != 0) - return (0); - ifp = nh4.nh_ifp; - break; + return (fib4_check_urpf(rtableid, addr->v4, 0, NHR_NONE, + ifp)); #endif } - /* No interface given, this is a no-route check */ - if (kif == NULL) - return (1); - - if (kif->pfik_ifp == NULL) - return (0); - - /* Perform uRPF check if passed input interface */ - if (kif->pfik_ifp == ifp) - return (1); return (0); }