From owner-svn-src-projects@FreeBSD.ORG Thu Apr 12 19:56:31 2012 Return-Path: Delivered-To: svn-src-projects@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2ECE8106564A; Thu, 12 Apr 2012 19:56:31 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id CCFD28FC0A; Thu, 12 Apr 2012 19:56:30 +0000 (UTC) Received: by iahk25 with SMTP id k25so4183685iah.13 for ; Thu, 12 Apr 2012 12:56:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=y+TiRcNFq4NheyfTcK+LRR4q/4o3s5Hkuq5OtcPLINA=; b=R9XcwTqc8sfxIMLoVJd4lYZPDg97dnDbwEh3Te5DYEydG4fvJiEvZoqmzMlh34cQTU j8bRadk5tpGDwcnpUSWmccEQAPMXU0bqFOjskQjm5KEpp7+xMSwVuW+C6Ib5bXzKg7uL Av+8qV06fGr/Z71C6GG4+7iiv27NSWDlGJoGKJW5U77GhsvsFZnEJWghqp0uDM+wTflB s75DRp0Zaw5pXxk7jMM1Umi2xnKiKzKw6+fRexAsjpCB4Ytd6T9uilNEh7bSa8FZvMT7 X4htw7OcO9ZLLQMV9KW6ZzJR9yCAgx/D9ln8L7j037Rg8Q0RyWY8VzCtb68QzxUySv5M vc9w== MIME-Version: 1.0 Received: by 10.50.237.65 with SMTP id va1mr7400480igc.17.1334260590298; Thu, 12 Apr 2012 12:56:30 -0700 (PDT) Sender: ermal.luci@gmail.com Received: by 10.231.204.15 with HTTP; Thu, 12 Apr 2012 12:56:30 -0700 (PDT) In-Reply-To: <201204121556.q3CFu4nH035176@svn.freebsd.org> References: <201204121556.q3CFu4nH035176@svn.freebsd.org> Date: Thu, 12 Apr 2012 21:56:30 +0200 X-Google-Sender-Auth: OU8E0UX0zpw1ddXsHHhdEQ7dppU Message-ID: 
From: =?ISO-8859-1?Q?Ermal_Lu=E7i?= To: Gleb Smirnoff Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: svn-src-projects@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r234187 - projects/pf/head/sys/contrib/pf/net X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Apr 2012 19:56:31 -0000 You do understand that some of these function are part of core functionality of pf(4) as synproxy etc?! On Thu, Apr 12, 2012 at 5:56 PM, Gleb Smirnoff wrote: > Author: glebius > Date: Thu Apr 12 15:56:04 2012 > New Revision: 234187 > URL: http://svn.freebsd.org/changeset/base/234187 > > Log: > =A0To avoid unsafe lock dropping and decouple stack in pf_send_tcp() > =A0and pf_send_icmp() create a queue for pf-generated packets and > =A0an swi, that would service them. > > Modified: > =A0projects/pf/head/sys/contrib/pf/net/pf.c > =A0projects/pf/head/sys/contrib/pf/net/pf_ioctl.c > =A0projects/pf/head/sys/contrib/pf/net/pfvar.h > > Modified: projects/pf/head/sys/contrib/pf/net/pf.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- projects/pf/head/sys/contrib/pf/net/pf.c =A0 =A0Thu Apr 12 14:49:25 2= 012 =A0 =A0 =A0 =A0(r234186) > +++ projects/pf/head/sys/contrib/pf/net/pf.c =A0 =A0Thu Apr 12 15:56:04 2= 012 =A0 =A0 =A0 =A0(r234187) > @@ -53,7 +53,9 @@ __FBSDID("$FreeBSD$"); > > =A0#include > =A0#include > +#include > =A0#include > +#include > =A0#include > =A0#include > =A0#include 
> @@ -114,8 +116,6 @@ __FBSDID("$FreeBSD$");
> =A0#include
> =A0#include
>
> -extern int ip_optcopy(struct ip *, struct ip *);
> -
> =A0#define =A0 =A0 =A0 =A0DPFPRINTF(n, x) if (V_pf_status.debug >=3D (n))= printf x
>
> =A0/*
> @@ -152,6 +152,41 @@ struct pf_anchor_stackframe { > =A0VNET_DEFINE(struct pf_anchor_stackframe, pf_anchor_stack[64]); > =A0#define =A0 =A0 =A0 =A0V_pf_anchor_stack =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0VNET(pf_anchor_stack) > > +/* > + * Queue for pf_intr() sends. > + */ > +MALLOC_DEFINE(M_PFTEMP, "pf temp", "pf(4) temporary allocations"); > +struct pf_send_entry { > + =A0 =A0 =A0 STAILQ_ENTRY(pf_send_entry) =A0 =A0 pfse_next; > + =A0 =A0 =A0 struct mbuf =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 *pfse_m= ; > + =A0 =A0 =A0 enum { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 PFSE_IP, > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 PFSE_IP6, > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 PFSE_ICMP, > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 PFSE_ICMP6, > + =A0 =A0 =A0 } =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 pfse_type; > + =A0 =A0 =A0 union { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 struct route =A0 =A0 =A0 =A0 =A0 =A0ro; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 struct { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 int =A0 =A0 =A0 =A0 =A0 =A0= type; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 int =A0 =A0 =A0 =A0 =A0 =A0= code; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 int =A0 =A0 =A0 =A0 =A0 =A0= mtu; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 } icmpopts; > + =A0 =A0 =A0 } u; > +#define =A0 =A0 =A0 =A0pfse_ro =A0 =A0 =A0 =A0 u.ro > +#define =A0 =A0 =A0 =A0pfse_icmp_type =A0u.icmpopts.type > +#define =A0 =A0 =A0 =A0pfse_icmp_code =A0u.icmpopts.code > +#define =A0 =A0 =A0 =A0pfse_icmp_mtu =A0 u.icmpopts.mtu > +}; > + > +STAILQ_HEAD(pf_send_head, pf_send_entry); > +static VNET_DEFINE(struct pf_send_head, pf_sendqueue); > +#define =A0 =A0 =A0 =A0V_pf_sendqueue =A0VNET(pf_sendqueue) > + > +static struct mtx pf_sendqueue_mtx; > +#define =A0 =A0 =A0 =A0PF_QUEUE_LOCK() =A0 =A0 =A0 =A0 mtx_lock(&pf_send= queue_mtx); > +#define =A0 =A0 =A0 =A0PF_QUEUE_UNLOCK() =A0 =A0 =A0 mtx_unlock(&pf_send= queue_mtx); > + > =A0VNET_DEFINE(uma_zone_t, =A0 =A0 =A0 =A0 pf_src_tree_z); > =A0VNET_DEFINE(uma_zone_t, =A0 =A0 =A0 =A0 pf_rule_z); > 
=A0VNET_DEFINE(uma_zone_t, =A0 =A0 =A0 =A0 pf_pooladdr_z);
> @@ -321,6 +356,8 @@ VNET_DEFINE(struct pf_keyhash *, pf_keyh
> =A0VNET_DEFINE(struct pf_idhash *, pf_idhash);
> =A0VNET_DEFINE(u_long, pf_hashmask);
>
> +VNET_DEFINE(void *, pf_swi_cookie);
> +
> =A0RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare);
>
> =A0static __inline int
> @@ -684,6 +721,10 @@ pf_initialize()
> =A0 =A0 =A0 =A0V_pf_altqs_active =3D &V_pf_altqs[0];
> =A0 =A0 =A0 =A0V_pf_altqs_inactive =3D &V_pf_altqs[1];
>
> + =A0 =A0 =A0 /* Send queue. */
> + =A0 =A0 =A0 STAILQ_INIT(&V_pf_sendqueue);
> + =A0 =A0 =A0 mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF)= ;
> +
> =A0 =A0 =A0 =A0/* XXXGL: sort this out */
> =A0 =A0 =A0 =A0V_pf_rule_z =3D uma_zcreate("pf rules", sizeof(struct pf_r= ule),
> =A0 =A0 =A0 =A0 =A0 =A0NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
> @@ -707,6 +748,7 @@ pf_cleanup()
> =A0{
> =A0 =A0 =A0 =A0struct pf_keyhash =A0 =A0 =A0 *kh;
> =A0 =A0 =A0 =A0struct pf_idhash =A0 =A0 =A0 =A0*ih;
> + =A0 =A0 =A0 struct pf_send_entry =A0 =A0*pfse, *next;
> =A0 =A0 =A0 =A0u_int i;
>
> =A0 =A0 =A0 =A0for (i =3D 0, kh =3D V_pf_keyhash, ih =3D V_pf_idhash; i <= =3D V_pf_hashmask;
> @@ -721,6 +763,12 @@ pf_cleanup()
> =A0 =A0 =A0 =A0free(V_pf_keyhash, M_PFHASH);
> =A0 =A0 =A0 =A0free(V_pf_idhash, M_PFHASH);
>
> + =A0 =A0 =A0 STAILQ_FOREACH_SAFE(pfse, &V_pf_sendqueue, pfse_next, next)= {
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 m_freem(pfse->pfse_m);
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 free(pfse, M_PFTEMP);
> + =A0 =A0 =A0 }
> + =A0 =A0 =A0 mtx_destroy(&pf_sendqueue_mtx);
> +
> =A0 =A0 =A0 =A0uma_zdestroy(V_pf_src_tree_z);
> =A0 =A0 =A0 =A0uma_zdestroy(V_pf_rule_z);
> =A0 =A0 =A0 =A0uma_zdestroy(V_pf_state_z);
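Review bot: `PF_QUEUE_LOCK()` and `PF_QUEUE_UNLOCK()` are defined with a trailing semicolon, so every call site expands to a double semicolon and neither macro can be the sole statement of an unbraced `if`/`else`; drop the semicolon from both definitions, e.g. `#define PF_QUEUE_LOCK() mtx_lock(&pf_sendqueue_mtx)`. The queue head is a VNET variable, while `pf_sendqueue_mtx` is a single file-scope mutex that the `pf_initialize()` hunk passes to `mtx_init()` and the `pf_cleanup()` hunk passes to `mtx_destroy()`. If those functions run once per vnet (not visible here), the one mutex would be initialised and destroyed more than once, so it should either become per-vnet as well or be set up once at module load.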
> @@ -1185,6 +1233,55 @@ second_run: > > =A0/* END state table stuff */ > > +static void > +pf_send(struct pf_send_entry *pfse) > +{ > + > + =A0 =A0 =A0 PF_QUEUE_LOCK(); > + =A0 =A0 =A0 STAILQ_INSERT_TAIL(&V_pf_sendqueue, pfse, pfse_next); > + =A0 =A0 =A0 PF_QUEUE_UNLOCK(); > + =A0 =A0 =A0 swi_sched(V_pf_swi_cookie, 0); > +} > + > +void > +pf_intr(void *v) > +{ > + =A0 =A0 =A0 struct pf_send_head queue; > + =A0 =A0 =A0 struct pf_send_entry *pfse, *next; > + =A0 =A0 =A0 struct pf_sen > + > + =A0 =A0 =A0 CURVNET_SET((struct vnet *)v); > + > + =A0 =A0 =A0 PF_QUEUE_LOCK(); > + =A0 =A0 =A0 queue =3D V_pf_sendqueue; > + =A0 =A0 =A0 STAILQ_INIT(&V_pf_sendqueue); > + =A0 =A0 =A0 PF_QUEUE_UNLOCK(); > + > + =A0 =A0 =A0 STAILQ_FOREACH_SAFE(pfse, &queue, pfse_next, next) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 switch (pfse->pfse_type) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 case PFSE_IP: > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ip_output(pfse->pfse_m, NUL= L, NULL, 0, NULL, NULL); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 break; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 case PFSE_IP6: > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 ip6_output(pfse->pfse_m, NU= LL, NULL, 0, NULL, NULL, > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 NULL); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 break; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 case PFSE_ICMP: > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 icmp_error(pfse->pfse_m, pf= se->pfse_icmp_type, > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 pfse->pfse_icmp_cod= e, 0, pfse->pfse_icmp_mtu); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 break; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 case PFSE_ICMP6: > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 icmp6_error(pfse->pfse_m, p= fse->pfse_icmp_type, > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 pfse->pfse_icmp_cod= e, pfse->pfse_icmp_mtu); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 break; > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 default: > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 
panic("%s: unknown type", _= _func__); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 } > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 free(pfse, M_PFTEMP); > + =A0 =A0 =A0 } > + > + =A0 =A0 =A0 CURVNET_RESTORE(); > +} > > =A0void > =A0pf_purge_thread(void *v) > @@ -1951,6 +2048,7 @@ pf_send_tcp(struct mbuf *replyto, const > =A0 =A0 u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int t= ag, > =A0 =A0 u_int16_t rtag, struct ifnet *ifp) > =A0{ > + =A0 =A0 =A0 struct pf_send_entry *pfse; > =A0 =A0 =A0 =A0struct mbuf =A0 =A0 *m; > =A0 =A0 =A0 =A0int =A0 =A0 =A0 =A0 =A0 =A0 =A0len, tlen; > =A0#ifdef INET > @@ -1963,27 +2061,8 @@ pf_send_tcp(struct mbuf *replyto, const > =A0 =A0 =A0 =A0char =A0 =A0 =A0 =A0 =A0 =A0*opt; > =A0 =A0 =A0 =A0struct pf_mtag =A0*pf_mtag; > > - =A0 =A0 =A0 KASSERT( > -#ifdef INET > - =A0 =A0 =A0 =A0 =A0 af =3D=3D AF_INET > -#else > - =A0 =A0 =A0 =A0 =A0 0 > -#endif > - =A0 =A0 =A0 =A0 =A0 || > -#ifdef INET6 > - =A0 =A0 =A0 =A0 =A0 af =3D=3D AF_INET6 > -#else > - =A0 =A0 =A0 =A0 =A0 0 > -#endif > - =A0 =A0 =A0 =A0 =A0 , ("Unsupported AF %d", af)); > =A0 =A0 =A0 =A0len =3D 0; > =A0 =A0 =A0 =A0th =3D NULL; > -#ifdef INET > - =A0 =A0 =A0 h =3D NULL; > -#endif > -#ifdef INET6 > - =A0 =A0 =A0 h6 =3D NULL; > -#endif > > =A0 =A0 =A0 =A0/* maximum segment size tcp option */ > =A0 =A0 =A0 =A0tlen =3D sizeof(struct tcphdr); 
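Review bot: `pf_send()` appends to `V_pf_sendqueue` with no upper bound, so the number of queued entries and mbufs is limited only by `M_NOWAIT` allocation failure; because these packets are generated in response to traffic (the callers converted below are `pf_send_tcp()` and `pf_send_icmp()`), a burst that outpaces the swi can pin a large amount of kernel memory. Consider keeping a queue-length counter under `PF_QUEUE_LOCK()` and, once a cap is reached, freeing the mbuf and the entry instead of queueing them. Separately, `pf_intr()` contains a truncated declaration, `struct pf_sen`, which will not compile and should be removed. The `default:` arm also panics on a type value that `pf_send_icmp()` can leave unset for an address family its `switch (af)` does not handle.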
> @@ -2001,16 +2080,24 @@ pf_send_tcp(struct mbuf *replyto, const > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0len =3D sizeof(struct ip6_hdr) + tlen; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > =A0#endif /* INET6 */ > + =A0 =A0 =A0 default: > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 panic("%s: unsupported af %d", __func__, af= ); > =A0 =A0 =A0 =A0} > > - =A0 =A0 =A0 /* create outgoing mbuf */ > + =A0 =A0 =A0 /* Allocate outgoing queue entry, mbuf and mbuf tag. */ > + =A0 =A0 =A0 pfse =3D malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT); > + =A0 =A0 =A0 if (pfse =3D=3D NULL) > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 return; > =A0 =A0 =A0 =A0m =3D m_gethdr(M_NOWAIT, MT_HEADER); > - =A0 =A0 =A0 if (m =3D=3D NULL) > + =A0 =A0 =A0 if (m =3D=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 free(pfse, M_PFTEMP); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return; > + =A0 =A0 =A0 } > =A0#ifdef MAC > =A0 =A0 =A0 =A0mac_netinet_firewall_send(m); > =A0#endif > =A0 =A0 =A0 =A0if ((pf_mtag =3D pf_get_mtag(m)) =3D=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 free(pfse, M_PFTEMP); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0m_freem(m); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return; > =A0 =A0 =A0 =A0} > @@ -2096,9 +2183,8 @@ pf_send_tcp(struct mbuf *replyto, const > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h->ip_len =3D len; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h->ip_ttl =3D ttl ? ttl : V_ip_defttl; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h->ip_sum =3D 0; > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_UNLOCK(); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 ip_output(m, NULL, NULL, 0, NULL, NULL); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_LOCK(); > + > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 pfse->pfse_type =3D PFSE_IP; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > =A0#endif /* INET */ > =A0#ifdef INET6 
> @@ -2110,29 +2196,36 @@ pf_send_tcp(struct mbuf *replyto, const > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h6->ip6_vfc |=3D IPV6_VERSION; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0h6->ip6_hlim =3D IPV6_DEFHLIM; > > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_UNLOCK(); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 ip6_output(m, NULL, NULL, 0, NULL, NULL, NU= LL); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_LOCK(); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 pfse->pfse_type =3D PFSE_IP6; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > =A0#endif /* INET6 */ > =A0 =A0 =A0 =A0} > + =A0 =A0 =A0 pfse->pfse_m =3D m; > + =A0 =A0 =A0 pf_send(pfse); > =A0} > > =A0static void > =A0pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t= af, > =A0 =A0 struct pf_rule *r) > =A0{ > - =A0 =A0 =A0 struct mbuf =A0 =A0 *m0; > -#ifdef INET > - =A0 =A0 =A0 struct ip *ip; > -#endif > + =A0 =A0 =A0 struct pf_send_entry *pfse; > + =A0 =A0 =A0 struct mbuf *m0; > =A0 =A0 =A0 =A0struct pf_mtag *pf_mtag; > > - =A0 =A0 =A0 if ((m0 =3D m_copypacket(m, M_NOWAIT)) =3D=3D NULL) > + =A0 =A0 =A0 /* Allocate outgoing queue entry, mbuf and mbuf tag. */ > + =A0 =A0 =A0 pfse =3D malloc(sizeof(*pfse), M_PFTEMP, M_NOWAIT); > + =A0 =A0 =A0 if (pfse =3D=3D NULL) > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 return; > + > + =A0 =A0 =A0 if ((m0 =3D m_copypacket(m, M_NOWAIT)) =3D=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 free(pfse, M_PFTEMP); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return; > + =A0 =A0 =A0 } > > - =A0 =A0 =A0 if ((pf_mtag =3D pf_get_mtag(m0)) =3D=3D NULL) > + =A0 =A0 =A0 if ((pf_mtag =3D pf_get_mtag(m0)) =3D=3D NULL) { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 free(pfse, M_PFTEMP); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0return; > + =A0 =A0 =A0 } > =A0 =A0 =A0 =A0/* XXX: revisit */ > =A0 =A0 =A0 =A0m0->m_flags |=3D M_SKIP_FIREWALL; 
> > @@ -2153,23 +2246,28 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty > =A0 =A0 =A0 =A0switch (af) { > =A0#ifdef INET > =A0 =A0 =A0 =A0case AF_INET: > + =A0 =A0 =A0 =A0 =A0 { > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 struct ip *ip; > + > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* icmp_error() expects host byte ordering= */ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0ip =3D mtod(m0, struct ip *); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_len); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0NTOHS(ip->ip_off); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_UNLOCK(); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 icmp_error(m0, type, code, 0, 0); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_LOCK(); > + > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 pfse->pfse_type =3D PFSE_ICMP; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > + =A0 =A0 =A0 =A0 =A0 } > =A0#endif /* INET */ > =A0#ifdef INET6 > =A0 =A0 =A0 =A0case AF_INET6: > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_UNLOCK(); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 icmp6_error(m0, type, code, 0); > - =A0 =A0 =A0 =A0 =A0 =A0 =A0 PF_LOCK(); > + =A0 =A0 =A0 =A0 =A0 =A0 =A0 pfse->pfse_type =3D PFSE_ICMP6; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0break; > =A0#endif /* INET6 */ > =A0 =A0 =A0 =A0} > + =A0 =A0 =A0 pfse->pfse_m =3D m0; > + =A0 =A0 =A0 pfse->pfse_icmp_type =3D type; > + =A0 =A0 =A0 pfse->pfse_icmp_code =3D code; > + =A0 =A0 =A0 pf_send(pfse); > =A0} > > =A0/* > > Modified: projects/pf/head/sys/contrib/pf/net/pf_ioctl.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- projects/pf/head/sys/contrib/pf/net/pf_ioctl.c =A0 =A0 =A0Thu Apr 12 = 14:49:25 2012 =A0 =A0 =A0 =A0(r234186) > +++ projects/pf/head/sys/contrib/pf/net/pf_ioctl.c =A0 =A0 =A0Thu Apr 12 = 15:56:04 2012 =A0 =A0 =A0 =A0(r234187) 
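Review bot: In `pf_send_icmp()` the `pf_get_mtag(m0) == NULL` path now frees `pfse` but still returns without releasing the packet copy made by `m_copypacket()`, so `m0` leaks every time tag allocation fails. The matching path in `pf_send_tcp()` calls `m_freem(m)`; add `m_freem(m0);` before the `return` here as well. The function body continues past the `@@ -2110,29 +2196,36 @@` hunk.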
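Review bot: `pfse->pfse_icmp_mtu` is never assigned in `pf_send_icmp()`, and `pfse` comes from `malloc()` without `M_ZERO`, so `pf_intr()` hands uninitialised heap contents to `icmp_error()` and `icmp6_error()` where the removed calls passed a literal `0`. Set it explicitly with `pfse->pfse_icmp_mtu = 0;` next to the type and code assignments at the end of the `@@ -2153,23 +2246,28 @@` hunk. The `switch (af)` there also has no `default:`, so an address family that is not compiled in leaves `pfse_type` unset and the entry is still queued. Add a `default:` arm that frees `m0` and `pfse` and returns, so that `pf_intr()` never dispatches on an indeterminate type.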
> @@ -52,10 +52,12 @@ __FBSDID("$FreeBSD$");
>
> =A0#include
> =A0#include
> +#include
> =A0#include
> =A0#include
> =A0#include
> =A0#include
> +#include
> =A0#include
> =A0#include
> =A0#include
> @@ -248,6 +250,7 @@ static int
> =A0pfattach(void)
> =A0{
> =A0 =A0 =A0 =A0u_int32_t *my_timeout =3D V_pf_default_rule.timeout;
> + =A0 =A0 =A0 int error;
>
> =A0 =A0 =A0 =A0pf_initialize();
> =A0 =A0 =A0 =A0pfr_initialize();
> @@ -300,9 +303,14 @@ pfattach(void)
> =A0 =A0 =A0 =A0/* XXX do our best to avoid a conflict */
> =A0 =A0 =A0 =A0V_pf_status.hostid =3D arc4random();
>
> - =A0 =A0 =A0 if (kproc_create(pf_purge_thread, curvnet, NULL, 0, 0, "pfp= urge"))
> + =A0 =A0 =A0 if ((error =3D kproc_create(pf_purge_thread, curvnet, NULL,= 0, 0,
> + =A0 =A0 =A0 =A0 =A0 "pf purge")) !=3D 0)
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* XXXGL: leaked all above. */
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 return (error);
> + =A0 =A0 =A0 if ((error =3D swi_add(NULL, "pf send", pf_intr, curvnet, S= WI_NET,
> + =A0 =A0 =A0 =A0 =A0 INTR_MPSAFE, &V_pf_swi_cookie)) !=3D 0)
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* XXXGL: leaked all above. */
> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 return (ENXIO);
> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 return (error);
>
> =A0 =A0 =A0 =A0m_addr_chg_pf_p =3D pf_pkt_addr_changed;
> > @@ -3779,6 +3787,7 @@ pf_unload(void) > =A0 =A0 =A0 =A0V_pf_status.running =3D 0; > =A0 =A0 =A0 =A0PF_UNLOCK(); > =A0 =A0 =A0 =A0m_addr_chg_pf_p =3D NULL; > + =A0 =A0 =A0 swi_remove(V_pf_swi_cookie); > =A0 =A0 =A0 =A0error =3D dehook_pf(); > =A0 =A0 =A0 =A0if (error) { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0/* > > Modified: projects/pf/head/sys/contrib/pf/net/pfvar.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- projects/pf/head/sys/contrib/pf/net/pfvar.h Thu Apr 12 14:49:25 2012 = =A0 =A0 =A0 =A0(r234186) > +++ projects/pf/head/sys/contrib/pf/net/pfvar.h Thu Apr 12 15:56:04 2012 = =A0 =A0 =A0 =A0(r234187) > @@ -1715,6 +1715,9 @@ VNET_DECLARE(u_long, pf_hashmask); > > =A0#define PF_IDHASH(s) =A0 (be64toh((s)->id) % (V_pf_hashmask + 1)) > > +VNET_DECLARE(void *, pf_swi_cookie); > +#define V_pf_swi_cookie =A0 =A0 =A0 =A0VNET(pf_swi_cookie) > + > =A0TAILQ_HEAD(pf_poolqueue, pf_pool); > =A0VNET_DECLARE(struct pf_poolqueue, =A0 =A0 =A0 pf_pools[2]); > =A0#define =A0 =A0 =A0 =A0V_pf_pools =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 VNET(pf_pools) > @@ -1774,6 +1777,7 @@ VNET_DECLARE(uma_zone_t, =A0 pfi_addr_z); > =A0#define =A0 =A0 =A0 =A0V_pfi_addr_z =A0 =A0 =A0 =A0 =A0 =A0 VNET(pfi_a= ddr_z) > > =A0extern void =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 pf_purge_thread(vo= id *); > +extern void =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 pf_intr(void *); > =A0extern void =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 pf_purge_expired_s= rc_nodes(void); > > =A0extern void =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 pf_unlink_state(st= ruct pf_state *, u_int); --=20 Ermal
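Review bot: In the `pf_unload()` hunk, `swi_remove(V_pf_swi_cookie)` runs before `dehook_pf()`, so the pf hooks are still installed when the handler is torn down. Unless the `V_pf_status.running = 0` above is enough to stop every path into `pf_send()` (not visible in this hunk), a packet handled in that window would call `swi_sched()` on a removed cookie. Moving the `swi_remove()` call to after `dehook_pf()` has succeeded, and clearing the cookie afterwards, closes the window. The `pf_cleanup()` hunk in pf.c walks the queue without `PF_QUEUE_LOCK()`; a short comment there stating that it must only run once the swi is gone would document that ordering requirement. `pf_unload()` continues outside the hunk.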