When enabling or disabling SIFTR with a VIMAGE kernel, ensure we add or remove

the SIFTR pfil(9) hook functions to or from all network stacks. This patch allows packets inbound or outbound from a vnet to be "seen" by SIFTR. Additional work is required to allow SIFTR to actually generate log messages for all vnet related packets because the siftr_findinpcb() function does not yet search for inpcbs across all vnets. This issue will be fixed separately. Reported and tested by: David Hayes <dahayes at swin edu au> MFC after: 3 days
2010-11-20 07:36:43 +00:00 · 2010-11-20 07:36:43 +00:00 · 052aec123c
commit 052aec123c
parent 4fadeef03f
1 changed files with 24 additions and 12 deletions
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@ -1109,26 +1109,38 @@ siftr_chkpkt6(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
 static int
 siftr_pfil(int action)
 {
-	struct pfil_head *pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+	struct pfil_head *pfh_inet;
 #ifdef SIFTR_IPV6
-	struct pfil_head *pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+	struct pfil_head *pfh_inet6;
+#endif
+	VNET_ITERATOR_DECL(vnet_iter);
+
+	VNET_LIST_RLOCK();
+	VNET_FOREACH(vnet_iter) {
+		CURVNET_SET(vnet_iter);
+		pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+#ifdef SIFTR_IPV6
+		pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
 #endif

-	if (action == HOOK) {
-		pfil_add_hook(siftr_chkpkt, NULL,
-		    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
+		if (action == HOOK) {
+			pfil_add_hook(siftr_chkpkt, NULL,
+			    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
 #ifdef SIFTR_IPV6
-		pfil_add_hook(siftr_chkpkt6, NULL,
-		    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+			pfil_add_hook(siftr_chkpkt6, NULL,
+			    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
 #endif
-	} else if (action == UNHOOK) {
-		pfil_remove_hook(siftr_chkpkt, NULL,
-		    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
+		} else if (action == UNHOOK) {
+			pfil_remove_hook(siftr_chkpkt, NULL,
+			    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
 #ifdef SIFTR_IPV6
-		pfil_remove_hook(siftr_chkpkt6, NULL,
-		    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+			pfil_remove_hook(siftr_chkpkt6, NULL,
+			    PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
 #endif
+		}
+		CURVNET_RESTORE();
 	}
+	VNET_LIST_RUNLOCK();

 	return (0);
 }