From owner-svn-src-user@FreeBSD.ORG Mon Oct 12 16:51:48 2009 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94E73106566B; Mon, 12 Oct 2009 16:51:48 +0000 (UTC) (envelope-from eri@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 8419A8FC18; Mon, 12 Oct 2009 16:51:48 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n9CGpmrX077448; Mon, 12 Oct 2009 16:51:48 GMT (envelope-from eri@svn.freebsd.org) Received: (from eri@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n9CGpm4L077443; Mon, 12 Oct 2009 16:51:48 GMT (envelope-from eri@svn.freebsd.org) Message-Id: <200910121651.n9CGpm4L077443@svn.freebsd.org> 
From: Ermal Luçi Date: Mon, 12 Oct 2009 16:51:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r197988 - user/eri/pf45/head/sys/contrib/pf/net X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Oct 2009 16:51:48 -0000 Author: eri Date: Mon Oct 12 16:51:48 2009 New Revision: 197988 URL: http://svn.freebsd.org/changeset/base/197988 Log: * First pass at adding virtualization to pf(4). * The rule of V_ is not followed in an attempt to minimize the diff with upstream(hopefully it works). * Fix some whitespaces around. NOTE: The tree might not build now. Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c user/eri/pf45/head/sys/contrib/pf/net/pf_if.c user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c user/eri/pf45/head/sys/contrib/pf/net/pf_lb.c user/eri/pf45/head/sys/contrib/pf/net/pf_norm.c user/eri/pf45/head/sys/contrib/pf/net/pf_osfp.c user/eri/pf45/head/sys/contrib/pf/net/pfvar.h Modified: user/eri/pf45/head/sys/contrib/pf/net/pf.c ============================================================================== --- user/eri/pf45/head/sys/contrib/pf/net/pf.c Mon Oct 12 16:47:55 2009 (r197987) +++ user/eri/pf45/head/sys/contrib/pf/net/pf.c Mon Oct 12 16:51:48 2009 (r197988) @@ -88,20 +88,20 @@ __FBSDID("$FreeBSD$"); #include #include #include - #ifdef __FreeBSD__ - #include - #include - #include - #define betoh64 be64toh - #else +#ifdef __FreeBSD__ +#include +#include +#include +#define betoh64 be64toh +#else #include #endif #include - #ifdef __FreeBSD__ - #include - #include - #include - #else +#ifdef __FreeBSD__ +#include +#include +#include +#else #include #endif 
@@ -155,21 +155,21 @@ __FBSDID("$FreeBSD$"); #include #include #include - #ifdef __FreeBSD__ - #include - #include - #endif +#ifdef __FreeBSD__ +#include +#include +#endif #endif /* INET6 */ #ifdef __FreeBSD__ - #include - #include - #include - #include +#include +#include +#include +#include - extern int ip_optcopy(struct ip *, struct ip *); - extern int debug_pfugidhack; - #endif +extern int ip_optcopy(struct ip *, struct ip *); +extern int debug_pfugidhack; +#endif #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x @@ -178,6 +178,41 @@ __FBSDID("$FreeBSD$"); */ /* state tables */ +#ifdef __FreeBSD__ +VNET_DEFINE(struct pf_state_tree, pf_statetbl); + +VNET_DEFINE(struct pf_altqqueue, pf_altqs[2]); +VNET_DEFINE(struct pf_palist, pf_pabuf); +VNET_DEFINE(struct pf_altqqueue, *pf_altqs_active); +VNET_DEFINE(struct pf_altqqueue, *pf_altqs_inactive); +VNET_DEFINE(struct pf_status, pf_status); + +VNET_DEFINE(u_int32_t, ticket_altqs_active); +VNET_DEFINE(u_int32_t, ticket_altqs_inactive); +VNET_DEFINE(int, altqs_inactive_open); +VNET_DEFINE(u_int32_t, ticket_pabuf); + +VNET_DEFINE(MD5_CTX, pf_tcp_secret_ctx); +VNET_DEFINE(u_char, pf_tcp_secret[16]); +VNET_DEFINE(int, pf_tcp_secret_init); +VNET_DEFINE(int, pf_tcp_iss_off); + +struct pf_anchor_stackframe { + struct pf_ruleset *rs; + struct pf_rule *r; + struct pf_anchor_node *parent; + struct pf_anchor *child; +}; +VNET_DEFINE(struct pf_anchor_stackframe, pf_anchor_stack[64]); + +VNET_DEFINE(uma_zone_t, pf_src_tree_pl); +VNET_DEFINE(uma_zone_t, pf_rule_pl); +VNET_DEFINE(uma_zone_t, pf_pooladdr_pl); +VNET_DEFINE(uma_zone_t, pf_state_pl); +VNET_DEFINE(uma_zone_t, pf_state_key_pl); +VNET_DEFINE(uma_zone_t, pf_state_item_pl); +VNET_DEFINE(uma_zone_t, pf_altq_pl); +#else struct pf_state_tree pf_statetbl; struct pf_altqqueue pf_altqs[2]; 
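Review bot: None of the objects moved under VNET_DEFINE in this hunk (pf_statetbl, pf_status, the altq queues and tickets, pf_tcp_secret, the uma zone pointers) gets a `#define name VNET(name)` accessor here, unlike the pf_if.c and pf_ioctl.c changes in the same commit, so every existing bare reference in pf.c now names the raw per-vnet storage symbol rather than the current vnet's instance. If the accessors are meant to come from pfvar.h (modified in this commit but not shown), a one-line comment above the block would save the next reader the search: `/* name -> VNET(name) accessors for these live in pfvar.h */`. Making `pf_tcp_secret`, `pf_tcp_secret_ctx` and `pf_tcp_secret_init` per-vnet is the right isolation, but it only holds if the code that seeds the secret (outside this diff) runs once per vnet rather than once at module load; worth confirming and stating in a comment on `pf_tcp_secret_init`.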
@@ -203,11 +238,6 @@ struct pf_anchor_stackframe { struct pf_anchor *child; } pf_anchor_stack[64]; - #ifdef __FreeBSD__ - uma_zone_t pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl; - uma_zone_t pf_state_pl, pf_state_key_pl, pf_state_item_pl; -uma_zone_t pf_altq_pl; - #else struct pool pf_src_tree_pl, pf_rule_pl, pf_pooladdr_pl; struct pool pf_state_pl, pf_state_key_pl, pf_state_item_pl; struct pool pf_altq_pl; @@ -323,12 +353,12 @@ int pf_src_connlimit(struct pf_state int pf_check_congestion(struct ifqueue *); #ifdef __FreeBSD__ - int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len); +int in4_cksum(struct mbuf *m, u_int8_t nxt, int off, int len); - extern int pf_end_threads; +VNET_DECLARE(int, pf_end_threads); - struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; - #else +VNET_DEFINE(struct pf_pool_limit, pf_pool_limits[PF_LIMIT_MAX]); +#else extern struct pool pfr_ktable_pl; extern struct pool pfr_kentry_pl; @@ -405,10 +435,17 @@ static __inline int pf_state_compare_key static __inline int pf_state_compare_id(struct pf_state *, struct pf_state *); +#ifdef __FreeBSD__ +VNET_DEFINE(struct pf_src_tree, tree_src_tracking); + +VNET_DEFINE(struct pf_state_tree_id, tree_id); +VNET_DEFINE(struct pf_state_queue, state_list); +#else struct pf_src_tree tree_src_tracking; struct pf_state_tree_id tree_id; struct pf_state_queue state_list; +#endif RB_GENERATE(pf_src_tree, pf_src_node, entry, pf_src_compare); RB_GENERATE(pf_state_tree, pf_state_key, entry, pf_state_compare_key); @@ -1233,10 +1270,10 @@ pf_state_expires(const struct pf_state * return (state->expire + timeout); } - #ifdef __FreeBSD__ - int - pf_purge_expired_src_nodes(int waslocked) - #else +#ifdef __FreeBSD__ +int +pf_purge_expired_src_nodes(int waslocked) +#else void pf_purge_expired_src_nodes(int waslocked) #endif 
@@ -1315,7 +1352,7 @@ pf_src_tree_remove_state(struct pf_state void pf_unlink_state(struct pf_state *cur) { - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ if (cur->local_flags & PFSTATE_EXPIRING) return; cur->local_flags |= PFSTATE_EXPIRING; @@ -1378,10 +1415,10 @@ pf_free_state(struct pf_state *cur) #endif return; #endif - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ KASSERT(cur->timeout == PFTM_UNLINKED, ("pf_free_state: cur->timeout != PFTM_UNLINKED")); - #else +#else KASSERT(cur->timeout == PFTM_UNLINKED); #endif if (--cur->rule.ptr->states_cur <= 0 && @@ -1404,10 +1441,10 @@ pf_free_state(struct pf_state *cur) pf_status.states--; } - #ifdef __FreeBSD__ - int - pf_purge_expired_states(u_int32_t maxcheck, int waslocked) - #else +#ifdef __FreeBSD__ +int +pf_purge_expired_states(u_int32_t maxcheck, int waslocked) +#else void pf_purge_expired_states(u_int32_t maxcheck) #endif @@ -1947,9 +1984,9 @@ pf_modulate_sack(struct mbuf *m, int off struct tcphdr *th, struct pf_state_peer *dst) { int hlen = (th->th_off << 2) - sizeof(*th), thoptlen = hlen; - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ u_int8_t opts[TCP_MAXOLEN], *opt = opts; - #else +#else u_int8_t opts[MAX_TCPOPTLEN], *opt = opts; #endif int copyback = 0, i, olen; @@ -2004,9 +2041,9 @@ pf_modulate_sack(struct mbuf *m, int off } void - #ifdef __FreeBSD__ - pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, - #else +#ifdef __FreeBSD__ +pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, +#else pf_send_tcp(const struct pf_rule *r, sa_family_t af, #endif const struct pf_addr *saddr, const struct pf_addr *daddr, 
@@ -2245,40 +2282,40 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty struct pf_rule *r) { struct mbuf *m0; - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ struct ip *ip; struct pf_mtag *pf_mtag; - #endif +#endif - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ m0 = m_copypacket(m, M_DONTWAIT); if (m0 == NULL) return; - #else +#else if ((m0 = m_copy(m, 0, M_COPYALL)) == NULL) return; #endif - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ if ((pf_mtag = pf_get_mtag(m0)) == NULL) return; /* XXX: revisit */ m0->m_flags |= M_SKIP_FIREWALL; - #else +#else m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; #endif if (r->rtableid >= 0) - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ { M_SETFIB(m0, r->rtableid); pf_mtag->rtableid = r->rtableid; - #else +#else m0->m_pkthdr.pf.rtableid = r->rtableid; - #endif - #ifdef __FreeBSD__ +#endif +#ifdef __FreeBSD__ } - #endif +#endif #ifdef ALTQ if (r->qid) { @@ -2297,7 +2334,7 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty switch (af) { #ifdef INET case AF_INET: - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ /* icmp_error() expects host byte ordering */ ip = mtod(m0, struct ip *); NTOHS(ip->ip_len); @@ -2305,20 +2342,20 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty PF_UNLOCK(); icmp_error(m0, type, code, 0, 0); PF_LOCK(); - #else +#else icmp_error(m0, type, code, 0, 0); #endif break; #endif /* INET */ #ifdef INET6 case AF_INET6: - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ PF_UNLOCK(); - #endif +#endif icmp6_error(m0, type, code, 0); - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ PF_LOCK(); - #endif +#endif break; #endif /* INET6 */ } 
@@ -2639,17 +2676,17 @@ pf_addr_inc(struct pf_addr *addr, sa_fam #endif /* INET6 */ int - #ifdef __FreeBSD__ - pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg) - #else +#ifdef __FreeBSD__ +pf_socket_lookup(int direction, struct pf_pdesc *pd, struct inpcb *inp_arg) +#else pf_socket_lookup(int direction, struct pf_pdesc *pd) #endif { struct pf_addr *saddr, *daddr; u_int16_t sport, dport; - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ struct inpcbinfo *pi; - #else +#else struct inpcbtable *tb; #endif struct inpcb *inp; @@ -2763,11 +2800,11 @@ pf_socket_lookup(int direction, struct p default: return (-1); } - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ pd->lookup.uid = inp->inp_cred->cr_uid; pd->lookup.gid = inp->inp_cred->cr_groups[0]; INP_INFO_RUNLOCK(pi); - #else +#else pd->lookup.uid = inp->inp_socket->so_euid; pd->lookup.gid = inp->inp_socket->so_egid; pd->lookup.pid = inp->inp_socket->so_cpid; Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_if.c ============================================================================== --- user/eri/pf45/head/sys/contrib/pf/net/pf_if.c Mon Oct 12 16:47:55 2009 (r197987) +++ user/eri/pf45/head/sys/contrib/pf/net/pf_if.c Mon Oct 12 16:51:48 2009 (r197988) @@ -32,37 +32,37 @@ * POSSIBILITY OF SUCH DAMAGE. */ - #if defined(__FreeBSD__) - #include "opt_inet.h" - #include "opt_inet6.h" +#if defined(__FreeBSD__) +#include "opt_inet.h" +#include "opt_inet6.h" - #include +#include __FBSDID("$FreeBSD$"); - #endif +#endif #include #include - #ifdef __FreeBSD__ - #include - #endif +#ifdef __FreeBSD__ +#include +#endif #include #include #include #include #include - #ifndef __FreeBSD__ +#ifndef __FreeBSD__ #include #endif #include - #ifndef __FreeBSD__ +#ifndef __FreeBSD__ #include #endif #include #include - #ifdef __FreeBSD__ - #include - #endif +#ifdef __FreeBSD__ +#include +#endif #include #include 
@@ -76,25 +76,36 @@ __FBSDID("$FreeBSD$"); #include #endif /* INET6 */ +#ifdef __FreeBSD__ +VNET_DEFINE(struct pfi_kif, *pfi_all); +VNET_DEFINE(uma_zone_t, pfi_addr_pl); +VNET_DEFINE(struct pfi_ifhead, pfi_ifs); +#define pfi_ifs VNET(pfi_ifs) +VNET_DEFINE(long, pfi_update); +#define pfi_update VNET(pfi_update) +VNET_DEFINE(struct pfr_addr, *pfi_buffer); +#define pfi_buffer VNET(pfi_buffer) +VNET_DEFINE(int, pfi_buffer_cnt); +#define pfi_buffer_cnt VNET(pfi_buffer_cnt) +VNET_DEFINE(int, pfi_buffer_max); +#define pfi_buffer_max VNET(pfi_buffer_max) +#else struct pfi_kif *pfi_all = NULL; - #ifdef __FreeBSD__ - uma_zone_t pfi_addr_pl; - #else struct pool pfi_addr_pl; -#endif struct pfi_ifhead pfi_ifs; long pfi_update = 1; struct pfr_addr *pfi_buffer; int pfi_buffer_cnt; int pfi_buffer_max; - #ifdef __FreeBSD__ - eventhandler_tag pfi_attach_cookie = NULL; - eventhandler_tag pfi_detach_cookie = NULL; - eventhandler_tag pfi_attach_group_cookie = NULL; - eventhandler_tag pfi_change_group_cookie = NULL; - eventhandler_tag pfi_detach_group_cookie = NULL; - eventhandler_tag pfi_ifaddr_event_cookie = NULL; - #endif +#endif +#ifdef __FreeBSD__ +VNET_DEFINE(eventhandler_tag, pfi_attach_cookie); +VNET_DEFINE(eventhandler_tag, pfi_detach_cookie); +VNET_DEFINE(eventhandler_tag, pfi_attach_group_cookie); +VNET_DEFINE(eventhandler_tag, pfi_change_group_cookie); +VNET_DEFINE(eventhandler_tag, pfi_detach_group_cookie); +VNET_DEFINE(eventhandler_tag, pfi_ifaddr_event_cookie); +#endif void pfi_kif_update(struct pfi_kif *); void pfi_dynaddr_update(struct pfi_dynaddr *dyn); 
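Review bot: `VNET_DEFINE(long, pfi_update);` drops the `= 1` initializer that the replaced `long pfi_update = 1;` carried; VNET_DEFINE accepts an initializer, so `VNET_DEFINE(long, pfi_update) = 1;` keeps the old starting value unless a vnet-init hook elsewhere sets it. In the same block `pfi_all` and `pfi_addr_pl` are the only two objects without a `#define name VNET(name)` accessor while the five that follow each get one; if those two are mapped in pfvar.h that is fine, otherwise bare uses of `pfi_all` in this file will not refer to the per-vnet instance. The eventhandler cookies becoming per-vnet also implies the EVENTHANDLER_REGISTER/DEREGISTER calls (outside this hunk) must run per vnet, which a short comment on the cookie block should say.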
@@ -106,15 +117,15 @@ void pfi_address_add(struct sockaddr * int pfi_if_compare(struct pfi_kif *, struct pfi_kif *); int pfi_skip_if(const char *, struct pfi_kif *); int pfi_unmask(void *); - #ifdef __FreeBSD__ - void pfi_attach_ifnet_event(void * __unused, struct ifnet *); - void pfi_detach_ifnet_event(void * __unused, struct ifnet *); - void pfi_attach_group_event(void * __unused, struct ifg_group *); - void pfi_change_group_event(void * __unused, char *); - void pfi_detach_group_event(void * __unused, struct ifg_group *); - void pfi_ifaddr_event(void * __unused, struct ifnet *); +#ifdef __FreeBSD__ +void pfi_attach_ifnet_event(void * __unused, struct ifnet *); +void pfi_detach_ifnet_event(void * __unused, struct ifnet *); +void pfi_attach_group_event(void * __unused, struct ifg_group *); +void pfi_change_group_event(void * __unused, char *); +void pfi_detach_group_event(void * __unused, struct ifg_group *); +void pfi_ifaddr_event(void * __unused, struct ifnet *); - #endif +#endif RB_PROTOTYPE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); RB_GENERATE(pfi_ifhead, pfi_kif, pfik_tree, pfi_if_compare); Modified: user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c ============================================================================== --- user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Mon Oct 12 16:47:55 2009 (r197987) +++ user/eri/pf45/head/sys/contrib/pf/net/pf_ioctl.c Mon Oct 12 16:51:48 2009 (r197988) 
@@ -176,24 +176,41 @@ int pf_addr_setup(struct pf_ruleset * struct pf_addr_wrap *, sa_family_t); void pf_addr_copyout(struct pf_addr_wrap *); -struct pf_rule pf_default_rule; +#define TAGID_MAX 50000 #ifdef __FreeBSD__ -struct sx pf_consistency_lock; -SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock, "pf_statetbl_lock"); -#else -struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk"); +VNET_DEFINE(struct pf_rule, pf_default_rule); +#define pf_default_rule VNET(pf_default_rule); +VNET_DEFINE(struct sx, pf_consistency_lock); +#define pf_consistency_lock VNET(pf_consistency_lock); +SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock, + "pf_statetbl_lock"); +#ifdef ALTQ +static VNET_DEFINE(int, pf_altq_running); +#define pf_altq_running VNET(pf_altq_running) #endif + +TAILQ_HEAD(pf_tags, pf_tagname); + +VNET_DEFINE(struct pf_tags, pf_tags); +#define pf_tags VNET(pf_tags) +VNET_DEFINE(struct pf_tags, pf_qids); +#define pf_qids VNET(pf_qids); + +#else /* !__FreeBSD__ */ +struct pf_rule pf_default_rule; +struct rwlock pf_consistency_lock = RWLOCK_INITIALIZER("pfcnslk"); #ifdef ALTQ -static int pf_altq_running; +static int pf_altq_running; #endif -#define TAGID_MAX 50000 TAILQ_HEAD(pf_tags, pf_tagname) pf_tags = TAILQ_HEAD_INITIALIZER(pf_tags), pf_qids = TAILQ_HEAD_INITIALIZER(pf_qids); +#endif /* __FreeBSD__ */ #if (PF_QNAME_SIZE != PF_TAG_NAME_SIZE) #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE #endif + u_int16_t tagname2tag(struct pf_tags *, char *); void tag2tagname(struct pf_tags *, u_int16_t, char *); void tag_unref(struct pf_tags *, u_int16_t); 
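Review bot: Three of the new accessor macros carry a trailing semicolon — `#define pf_default_rule VNET(pf_default_rule);`, `#define pf_consistency_lock VNET(pf_consistency_lock);` and `#define pf_qids VNET(pf_qids);` — so a use such as `pf_default_rule.timeout` expands to `VNET(pf_default_rule);.timeout` and will not compile; drop the semicolons as the other accessors in this block do. Independently, `SX_SYSINIT(pf_consistency_lock, &pf_consistency_lock, ...)` now sits after that macro, so its address argument expands to `&VNET(pf_consistency_lock)`, a curvnet-relative expression rather than the constant a static sysinit initializer needs, and even if it compiled it would initialize only one vnet's copy of the lock; a per-vnet sx is normally set up from a VNET_SYSINIT-style hook instead. `TAILQ_HEAD(pf_tags, pf_tagname);` followed by VNET_DEFINE of pf_tags and pf_qids likewise loses the TAILQ_HEAD_INITIALIZER the !__FreeBSD__ branch keeps, so TAILQ_INIT has to run for each vnet before first use.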
@@ -204,120 +221,116 @@ void pf_rtlabel_copyout(struct pf_add #define DPFPRINTF(n, x) if (pf_status.debug >= (n)) printf x #ifdef __FreeBSD__ - static struct cdev *pf_dev; - - /* - * XXX - These are new and need to be checked when moveing to a new version - */ - static void pf_clear_states(void); - static int pf_clear_tables(void); - static void pf_clear_srcnodes(void); - /* - * XXX - These are new and need to be checked when moveing to a new version - */ - - /* - * Wrapper functions for pfil(9) hooks - */ - static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); - static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); - #ifdef INET6 - static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); - static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, - int dir, struct inpcb *inp); - #endif - - static int hook_pf(void); - static int dehook_pf(void); - static int shutdown_pf(void); - static int pf_load(void); - static int pf_unload(void); - -static struct cdevsw pf_cdevsw = { - .d_ioctl = pfioctl, - .d_name = PF_NAME, - .d_version = D_VERSION, - }; - - static volatile int pf_pfil_hooked = 0; - int pf_end_threads = 0; - struct mtx pf_task_mtx; - #ifdef __FreeBSD__ - /* pfsync */ - pfsync_state_import_t *pfsync_state_import_ptr = NULL; - pfsync_insert_state_t *pfsync_insert_state_ptr = NULL; - pfsync_update_state_t *pfsync_update_state_ptr = NULL; - pfsync_delete_state_t *pfsync_delete_state_ptr = NULL; - pfsync_clear_states_t *pfsync_clear_states_ptr = NULL; - pfsync_state_in_use_t *pfsync_state_in_use_ptr = NULL; - pfsync_defer_t *pfsync_defer_ptr = NULL; - pfsync_up_t *pfsync_up_ptr = NULL; - /* pflow */ - export_pflow_t *export_pflow_ptr = NULL; - #if NPFLOG >0 - pflog_packet_t *pflog_packet_ptr = NULL; - #endif - #else - pflog_packet_t *pflog_packet_ptr = NULL; - #endif - - int debug_pfugidhack = 0; - 
SYSCTL_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0, - "Enable/disable pf user/group rules mpsafe hack"); - - void - init_pf_mutex(void) - { - mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF); - } +static VNET_DEFINE(struct cdev, *pf_dev); - void - destroy_pf_mutex(void) - { - mtx_destroy(&pf_task_mtx); - } - void - init_zone_var(void) - { - pf_src_tree_pl = pf_rule_pl = NULL; - pf_state_pl = pf_state_key_pl = pf_state_item_pl = NULL; +/* + * XXX - These are new and need to be checked when moveing to a new version + */ +static void pf_clear_states(void); +static int pf_clear_tables(void); +static void pf_clear_srcnodes(void); +/* + * XXX - These are new and need to be checked when moveing to a new version + */ + +/* + * Wrapper functions for pfil(9) hooks + */ +static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, + int dir, struct inpcb *inp); +static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, + int dir, struct inpcb *inp); +#ifdef INET6 +static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, + int dir, struct inpcb *inp); +static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, + int dir, struct inpcb *inp); +#endif + +static int hook_pf(void); +static int dehook_pf(void); +static int shutdown_pf(void); +static int pf_load(void); +static int pf_unload(void); + +static VNET_DEFINE(struct cdevsw, pf_cdevsw); +#define pf_cdevsw VNET(pf_cdevsw) + +static volatile VNET_DEFINE(int, pf_pfil_hooked); +#define pf_pfil_hooked VNET(pf_pfil_hooked) +VNET_DEFINE(int, pf_end_threads); +#define pf_end_threads VNET(pf_end_threads) +struct mtx pf_task_mtx; + +/* pfsync */ +VNET_DEFINE(pfsync_state_import_t, *pfsync_state_import_ptr); +VNET_DEFINE(pfsync_insert_state_t, *pfsync_insert_state_ptr); +VNET_DEFINE(pfsync_update_state_t, *pfsync_update_state_ptr); +VNET_DEFINE(pfsync_delete_state_t, *pfsync_delete_state_ptr); +VNET_DEFINE(pfsync_clear_states_t, *pfsync_clear_states_ptr); 
+VNET_DEFINE(pfsync_state_in_use_t, *pfsync_state_in_use_ptr); +VNET_DEFINE(pfsync_defer_t, *pfsync_defer_ptr); +VNET_DEFINE(pfsync_up_t, *pfsync_up_ptr); +/* pflow */ +VNET_DEFINE(export_pflow_t, *export_pflow_ptr); +/* pflog */ +VNET_DEFINE(pflog_packet_t, *pflog_packet_ptr); + +VNET_DEFINE(int, debug_pfugidhack); +SYSCTL_VNET_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, + &debug_pfugidhack, 0, + "Enable/disable pf user/group rules mpsafe hack"); + +void +init_pf_mutex(void) +{ + mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF); +} + +void +destroy_pf_mutex(void) +{ + mtx_destroy(&pf_task_mtx); +} +void +init_zone_var(void) +{ + pf_src_tree_pl = pf_rule_pl = NULL; + pf_state_pl = pf_state_key_pl = pf_state_item_pl = NULL; pf_altq_pl = pf_pooladdr_pl = NULL; - pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL; - pf_state_scrub_pl = NULL; - pfr_ktable_pl = pfr_kentry_pl = NULL; - } - - void - cleanup_pf_zone(void) - { - UMA_DESTROY(pf_src_tree_pl); - UMA_DESTROY(pf_rule_pl); - UMA_DESTROY(pf_state_pl); - UMA_DESTROY(pf_state_key_pl); - UMA_DESTROY(pf_state_item_pl); - UMA_DESTROY(pf_altq_pl); - UMA_DESTROY(pf_pooladdr_pl); - UMA_DESTROY(pf_frent_pl); - UMA_DESTROY(pf_frag_pl); - UMA_DESTROY(pf_cache_pl); - UMA_DESTROY(pf_cent_pl); - UMA_DESTROY(pfr_ktable_pl); - UMA_DESTROY(pfr_kentry_pl); - UMA_DESTROY(pf_state_scrub_pl); - UMA_DESTROY(pfi_addr_pl); - } + pf_frent_pl = pf_frag_pl = pf_cache_pl = pf_cent_pl = NULL; + pf_state_scrub_pl = NULL; + pfr_ktable_pl = pfr_kentry_pl = NULL; +} + +void +cleanup_pf_zone(void) +{ + UMA_DESTROY(pf_src_tree_pl); + UMA_DESTROY(pf_rule_pl); + UMA_DESTROY(pf_state_pl); + UMA_DESTROY(pf_state_key_pl); + UMA_DESTROY(pf_state_item_pl); + UMA_DESTROY(pf_altq_pl); + UMA_DESTROY(pf_pooladdr_pl); + UMA_DESTROY(pf_frent_pl); + UMA_DESTROY(pf_frag_pl); + UMA_DESTROY(pf_cache_pl); + UMA_DESTROY(pf_cent_pl); + UMA_DESTROY(pfr_ktable_pl); + UMA_DESTROY(pfr_kentry_pl); + UMA_DESTROY(pf_state_scrub_pl); + UMA_DESTROY(pfi_addr_pl); 
+} int - pfattach(void) - { - u_int32_t *my_timeout = pf_default_rule.timeout; - int error = 1; - +pfattach(void) +{ + u_int32_t *my_timeout = pf_default_rule.timeout; + int error = 1; + do { - UMA_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl"); + UMA_CREATE(pf_src_tree_pl,struct pf_src_node, "pfsrctrpl"); UMA_CREATE(pf_rule_pl, struct pf_rule, "pfrulepl"); UMA_CREATE(pf_state_pl, struct pf_state, "pfstatepl"); UMA_CREATE(pf_state_key_pl, struct pf_state, "pfstatekeypl"); @@ -410,9 +423,9 @@ int if (kproc_create(pf_purge_thread, NULL, NULL, 0, 0, "pfpurge")) return (ENXIO); - return (error); - } - #else /* !__FreeBSD__ */ + return (error); +} +#else /* !__FreeBSD__ */ void pfattach(int num) @@ -3463,7 +3476,7 @@ fail: return (error); } - #ifdef __FreeBSD__ +#ifdef __FreeBSD__ void pfsync_state_export(struct pfsync_state *sp, struct pf_state *st) { @@ -3525,34 +3538,34 @@ pfsync_state_export(struct pfsync_state } - /* - * XXX - Check for version missmatch!!! - */ - static void - pf_clear_states(void) - { +/* + * XXX - Check for version missmatch!!! + */ +static void +pf_clear_states(void) +{ struct pf_state *state; RB_FOREACH(state, pf_state_tree_id, &tree_id) { state->timeout = PFTM_PURGE; - #if NPFSYNC +#if NPFSYNC /* don't send out individual delete messages */ state->sync_state = PFSTATE_NOSYNC; - #endif +#endif pf_unlink_state(state); } #if 0 /* NPFSYNC */ - /* - * XXX This is called on module unload, we do not want to sync that over? */ - */ - pfsync_clear_states(pf_status.hostid, psk->psk_ifname); - #endif - } +/* + * XXX This is called on module unload, we do not want to sync that over? */ + */ + pfsync_clear_states(pf_status.hostid, psk->psk_ifname); +#endif +} - static int - pf_clear_tables(void) - { +static int +pf_clear_tables(void) +{ struct pfioc_table io; int error; 
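Review bot: `SYSCTL_VNET_INT(_debug, OID_AUTO, pfugidhack, CTLFLAG_RW, &debug_pfugidhack, 0, ...)` passes the plain name; the VNET sysctl variants take the raw per-vnet storage address, `&VNET_NAME(debug_pfugidhack)`, and the handler offsets it into the calling vnet, so if pfvar.h maps `debug_pfugidhack` to `VNET(debug_pfugidhack)` this becomes a non-constant initializer, and if it does not, the sysctl reads the template copy rather than any vnet's value. `static VNET_DEFINE(struct cdevsw, pf_cdevsw);` also drops the `.d_ioctl = pfioctl, .d_name = PF_NAME, .d_version = D_VERSION` designated initializer the removed definition had; a cdevsw is a module-wide descriptor rather than per-vnet state and should stay a plain initialized `static struct cdevsw pf_cdevsw = { ... };`, otherwise make_dev() sees a zeroed descriptor. `pf_dev` is VNET_DEFINEd without an accessor while `pf_task_mtx` stays a plain global and `pf_pfil_hooked`/`pf_end_threads` get both, so a comment stating which objects are intentionally global, e.g. `/* module-global, not per-vnet: pf_task_mtx */`, would make the split deliberate rather than accidental.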
@@ -3562,11 +3575,11 @@ pfsync_state_export(struct pfsync_state io.pfrio_flags); return (error); - } +} - static void - pf_clear_srcnodes(void) - { +static void +pf_clear_srcnodes(void) +{ struct pf_src_node *n; struct pf_state *state; @@ -3578,17 +3591,17 @@ pfsync_state_export(struct pfsync_state n->expire = 1; n->states = 0; } - } - /* - * XXX - Check for version missmatch!!! - */ - - /* - * Duplicate pfctl -Fa operation to get rid of as much as we can. - */ - static int - shutdown_pf(void) - { +} +/* + * XXX - Check for version missmatch!!! + */ + +/* + * Duplicate pfctl -Fa operation to get rid of as much as we can. + */ +static int +shutdown_pf(void) +{ int error = 0; u_int32_t t[5]; char nn = '\0'; @@ -3631,13 +3644,13 @@ pfsync_state_export(struct pfsync_state if ((error = pf_clear_tables()) != 0) break; - #ifdef ALTQ +#ifdef ALTQ if ((error = pf_begin_altq(&t[0])) != 0) { DPFPRINTF(PF_DEBUG_MISC, ("shutdown_pf: ALTQ\n")); break; } pf_commit_altq(t[0]); - #endif +#endif pf_clear_states(); @@ -3648,12 +3661,13 @@ pfsync_state_export(struct pfsync_state } while(0); return (error); - } +} - static int - pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) - { +#ifdef INET +static int +pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) +{ /* * XXX Wed Jul 9 22:03:16 2003 UTC * OpenBSD has changed its byte ordering convention on ip_len/ip_off @@ -3683,12 +3697,12 @@ pfsync_state_export(struct pfsync_state NTOHS(h->ip_off); } return chk; - } +} - static int - pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) - { +static int +pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) +{ /* * XXX Wed Jul 9 22:03:16 2003 UTC * OpenBSD has changed its byte ordering convention on ip_len/ip_off 
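Review bot: The new `#ifdef INET` guard around pf_check_in and pf_check_out (closed by the `#endif` added in the next hunk) is not mirrored on their `static int pf_check_in(...)` and `static int pf_check_out(...)` prototypes in the declaration block earlier in this file, so a kernel built without INET gets static declarations with no definition. Wrap those two prototypes in the same `#ifdef INET` / `#endif` the INET6 pair already has with `#ifdef INET6`; hook_pf appears to receive the guard in the truncated hunk that follows, so the prototypes look like the only remaining spot.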
@@ -3724,12 +3738,13 @@ pfsync_state_export(struct pfsync_state } return chk; } +#endif - #ifdef INET6 - static int - pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) - { +#ifdef INET6 +static int +pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) +{ /* * IPv6 is not affected by ip_len/ip_off byte order changes. @@ -3748,12 +3763,12 @@ pfsync_state_export(struct pfsync_state *m = NULL; } return chk; - } +} - static int - pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, - struct inpcb *inp) - { +static int +pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, + struct inpcb *inp) +{ /* * IPv6 does not affected ip_len/ip_off byte order changes. */ @@ -3770,28 +3785,32 @@ pfsync_state_export(struct pfsync_state *m = NULL; } return chk; - } - #endif /* INET6 */ +} +#endif /* INET6 */ - static int - hook_pf(void) - { +static int +hook_pf(void) +{ +#ifdef INET struct pfil_head *pfh_inet; - #ifdef INET6 +#endif +#ifdef INET6 struct pfil_head *pfh_inet6; - #endif +#endif PF_ASSERT(MA_NOTOWNED); if (pf_pfil_hooked) return (0); +#ifdef INET pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***