Define the semantics of M_SKIP_FIREWALL more precisely, i.e. also pass associated
icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should speed up things a bit as we get rid of the tag allocations. Discussed with: juli
This commit is contained in:
parent
9a49e5ddd3
commit
9220ec9005
@ -1379,7 +1379,9 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
|
||||
u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl)
|
||||
{
|
||||
struct mbuf *m;
|
||||
#ifdef ALTQ
|
||||
struct m_tag *mtag;
|
||||
#endif
|
||||
int len = 0, tlen; /* make the compiler happy */
|
||||
#ifdef INET
|
||||
struct ip *h = NULL; /* make the compiler happy */
|
||||
@ -1412,6 +1414,12 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
|
||||
}
|
||||
|
||||
/* create outgoing mbuf */
|
||||
#ifdef __FreeBSD__
|
||||
m = m_gethdr(M_DONTWAIT, MT_HEADER);
|
||||
if (m == NULL)
|
||||
return;
|
||||
m->m_flags |= M_SKIP_FIREWALL;
|
||||
#else
|
||||
mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
|
||||
if (mtag == NULL)
|
||||
return;
|
||||
@ -1421,6 +1429,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
|
||||
return;
|
||||
}
|
||||
m_tag_prepend(m, mtag);
|
||||
#endif
|
||||
#ifdef ALTQ
|
||||
if (r != NULL && r->qid) {
|
||||
struct altq_tag *atag;
|
||||
@ -1542,25 +1551,30 @@ void
|
||||
pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
|
||||
struct pf_rule *r)
|
||||
{
|
||||
#ifdef ALTQ
|
||||
struct m_tag *mtag;
|
||||
#endif
|
||||
struct mbuf *m0;
|
||||
#ifdef __FreeBSD__
|
||||
struct ip *ip;
|
||||
#endif
|
||||
|
||||
#ifdef __FreeBSD__
|
||||
m0 = m_copypacket(m, M_DONTWAIT);
|
||||
if (m0 == NULL)
|
||||
return;
|
||||
m0->m_flags |= M_SKIP_FIREWALL;
|
||||
#else
|
||||
mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
|
||||
if (mtag == NULL)
|
||||
return;
|
||||
#ifdef __FreeBSD__
|
||||
m0 = m_copypacket(m, M_DONTWAIT);
|
||||
#else
|
||||
m0 = m_copy(m, 0, M_COPYALL);
|
||||
#endif
|
||||
if (m0 == NULL) {
|
||||
m_tag_free(mtag);
|
||||
return;
|
||||
}
|
||||
m_tag_prepend(m0, mtag);
|
||||
#endif
|
||||
|
||||
#ifdef ALTQ
|
||||
if (r->qid) {
|
||||
@ -5436,15 +5450,16 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
|
||||
|
||||
/* Cheat. */
|
||||
if (r->rt == PF_FASTROUTE) {
|
||||
mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
|
||||
if (mtag == NULL)
|
||||
goto bad;
|
||||
m_tag_prepend(m0, mtag);
|
||||
#ifdef __FreeBSD__
|
||||
m0->m_flags |= M_SKIP_FIREWALL;
|
||||
PF_UNLOCK();
|
||||
ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
|
||||
PF_LOCK();
|
||||
#else
|
||||
mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
|
||||
if (mtag == NULL)
|
||||
goto bad;
|
||||
m_tag_prepend(m0, mtag);
|
||||
ip6_output(m0, NULL, NULL, 0, NULL, NULL);
|
||||
#endif
|
||||
return;
|
||||
@ -5788,9 +5803,11 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
|
||||
PF_LOCK();
|
||||
#endif
|
||||
if (!pf_status.running ||
|
||||
(m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
|
||||
#ifdef __FreeBSD__
|
||||
(m->m_flags & M_SKIP_FIREWALL)) {
|
||||
PF_UNLOCK();
|
||||
#else
|
||||
(m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
|
||||
#endif
|
||||
return (PF_PASS);
|
||||
}
|
||||
@ -6113,9 +6130,11 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
|
||||
#endif
|
||||
|
||||
if (!pf_status.running ||
|
||||
(m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
|
||||
#ifdef __FreeBSD__
|
||||
(m->m_flags & M_SKIP_FIREWALL)) {
|
||||
PF_UNLOCK();
|
||||
#else
|
||||
(m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
|
||||
#endif
|
||||
return (PF_PASS);
|
||||
}
|
||||
|
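Review bot: In pf_test() and pf_test6(), the new early return on `(m->m_flags & M_SKIP_FIREWALL)` no longer means "generated by pf" the way PACKET_TAG_PF_GENERATED did: M_SKIP_FIREWALL is a shared mbuf bit that other firewalls set for their own packets, so pf now passes unconditionally anything ipfw (or any future pfil hook) has marked, including, if ipfw's one-pass reinjection sets the bit as I believe it does, packets coming back from dummynet or a divert socket. Conversely the fastroute packets marked in pf_route6() and the RST/ICMP replies built in pf_send_tcp()/pf_send_icmp() now bypass ipfw as well, where previously only pf ignored them. Both consequences match the commit message but neither is stated in the code; I would put a comment above the check: `/* M_SKIP_FIREWALL is shared with ipfw: anything another firewall marked, or icmp_error() generated for it, is passed here without inspection. */`. The bodies of pf_test() and pf_test6() continue outside these hunks.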
@ -144,7 +144,6 @@ icmp_error(n, type, code, dest, destifp)
|
||||
register unsigned oiplen = oip->ip_hl << 2;
|
||||
register struct icmp *icp;
|
||||
register struct mbuf *m;
|
||||
register struct m_tag *mtag;
|
||||
unsigned icmplen;
|
||||
|
||||
#ifdef ICMPPRINTFS
|
||||
@ -224,6 +223,11 @@ icmp_error(n, type, code, dest, destifp)
|
||||
*/
|
||||
if (m->m_data - sizeof(struct ip) < m->m_pktdat)
|
||||
panic("icmp len");
|
||||
/*
|
||||
* If the original mbuf was meant to bypass the firewall, the error
|
||||
* reply should bypass as well.
|
||||
*/
|
||||
m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
|
||||
m->m_data -= sizeof(struct ip);
|
||||
m->m_len += sizeof(struct ip);
|
||||
m->m_pkthdr.len = m->m_len;
|
||||
@ -235,16 +239,6 @@ icmp_error(n, type, code, dest, destifp)
|
||||
nip->ip_hl = 5;
|
||||
nip->ip_p = IPPROTO_ICMP;
|
||||
nip->ip_tos = 0;
|
||||
/*
|
||||
* XXX: Move PF_GENERATED m_tag to new packet, if it exists.
|
||||
* This should be replaced by unified flags/tags for
|
||||
* pf/ipfw/ipf and future pfil_hook applications.
|
||||
*/
|
||||
mtag = m_tag_find(n, PACKET_TAG_PF_GENERATED, NULL);
|
||||
if (mtag != NULL) {
|
||||
m_tag_unlink(n, mtag);
|
||||
m_tag_prepend(m, mtag);
|
||||
}
|
||||
icmp_reflect(m);
|
||||
|
||||
freeit:
|
||||
|
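Review bot: The propagation at `m->m_flags |= n->m_flags & M_SKIP_FIREWALL;` makes the bypass transitive for every caller of icmp_error(), not only pf: any original packet carrying M_SKIP_FIREWALL, whichever subsystem set it, now yields an ICMP error that skips all pfil firewalls on output. That is what the commit message asks for, but the comment above the line should say the bit is inherited regardless of who set it, and that this relies on no input path ever handing icmp_error() a wire packet with the flag still set (loopback-delivered packets are the case worth confirming). I would extend the comment with `* The bit is inherited from whichever firewall set it on the original packet, so the reply skips all pfil firewalls, not just that one.` Dropping the m_tag_unlink/m_tag_prepend pair is fine since n is freed at freeit; icmp_error() starts before and ends after these hunks.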
@ -626,7 +626,6 @@ struct mbuf *m_uiotombuf(struct uio *, int, int);
|
||||
#define PACKET_TAG_DIVERT 17 /* divert info */
|
||||
#define PACKET_TAG_IPFORWARD 18 /* ipforward info */
|
||||
#define PACKET_TAG_MACLABEL (19 | MTAG_PERSISTENT) /* MAC label */
|
||||
#define PACKET_TAG_PF_GENERATED (20 | MTAG_PERSISTENT) /* PF, pass always */
|
||||
#define PACKET_TAG_PF_ROUTED 21 /* PF routed, avoid loops */
|
||||
#define PACKET_TAG_PF_FRAGCACHE 22 /* PF fragment cached */
|
||||
#define PACKET_TAG_PF_QID 23 /* PF ALTQ queue id */
|
||||
|