Implement the final missing sysctls by moving ipf_auth_softc_t from

ip_auth.c to ip_auth.h. ip_frag_soft_t moves from ip_frag.c to ip_frag.h. mlfk_ipl.c creates sysctl MIBs that reference control blocks that are dynamically created when IP Filter is loaded. This necessitated creating them on-the-fly rather than statically at compile time. Approved by: glebius (mentor)
2014-04-07 19:32:56 +00:00 · 2014-04-07 19:32:56 +00:00 · 3e6034e2df
commit 3e6034e2df
parent f56cfe8d61
5 changed files with 117 additions and 87 deletions
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@ -131,33 +131,6 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #endif


-
-typedef	struct ipf_auth_softc_s {
-#if SOLARIS && defined(_KERNEL)
-	kcondvar_t	ipf_auth_wait;
-#endif /* SOLARIS */
-#if defined(linux) && defined(_KERNEL)
-	wait_queue_head_t ipf_auth_next_linux;
-#endif
-	ipfrwlock_t	ipf_authlk;
-	ipfmutex_t	ipf_auth_mx;
-	int		ipf_auth_size;
-	int		ipf_auth_used;
-	int		ipf_auth_replies;
-	int		ipf_auth_defaultage;
-	int		ipf_auth_lock;
-	ipf_authstat_t	ipf_auth_stats;
-	frauth_t	*ipf_auth;
-	mb_t		**ipf_auth_pkts;
-	int		ipf_auth_start;
-	int		ipf_auth_end;
-	int		ipf_auth_next;
-	frauthent_t	*ipf_auth_entries;
-	frentry_t	*ipf_auth_ip;
-	frentry_t	*ipf_auth_rules;
-} ipf_auth_softc_t;
-
-
 static void ipf_auth_deref __P((frauthent_t **));
 static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **));
 static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *,
--- a/sys/contrib/ipfilter/netinet/ip_auth.h
+++ b/sys/contrib/ipfilter/netinet/ip_auth.h
@ -49,6 +49,24 @@ typedef struct  ipf_authstat {
 	frauthent_t	*fas_faelist;
 } ipf_authstat_t;

+typedef	struct ipf_auth_softc_s {
+	ipfrwlock_t	ipf_authlk;
+	ipfmutex_t	ipf_auth_mx;
+	int		ipf_auth_size;
+	int		ipf_auth_used;
+	int		ipf_auth_replies;
+	int		ipf_auth_defaultage;
+	int		ipf_auth_lock;
+	ipf_authstat_t	ipf_auth_stats;
+	frauth_t	*ipf_auth;
+	mb_t		**ipf_auth_pkts;
+	int		ipf_auth_start;
+	int		ipf_auth_end;
+	int		ipf_auth_next;
+	frauthent_t	*ipf_auth_entries;
+	frentry_t	*ipf_auth_ip;
+	frentry_t	*ipf_auth_rules;
+} ipf_auth_softc_t;

 extern	frentry_t *ipf_auth_check __P((fr_info_t *, u_32_t *));
 extern	void	ipf_auth_expire __P((ipf_main_softc_t *));
--- a/sys/contrib/ipfilter/netinet/ip_frag.c
+++ b/sys/contrib/ipfilter/netinet/ip_frag.c
@ -91,27 +91,6 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #endif


-typedef struct ipf_frag_softc_s  {
-	ipfrwlock_t	ipfr_ipidfrag;
-	ipfrwlock_t	ipfr_frag;
-	ipfrwlock_t	ipfr_natfrag;
-	int		ipfr_size;
-	int		ipfr_ttl;
-	int		ipfr_lock;
-	int		ipfr_inited;
-	ipfr_t		*ipfr_list;
-	ipfr_t		**ipfr_tail;
-	ipfr_t		*ipfr_natlist;
-	ipfr_t		**ipfr_nattail;
-	ipfr_t		*ipfr_ipidlist;
-	ipfr_t		**ipfr_ipidtail;
-	ipfr_t		**ipfr_heads;
-	ipfr_t		**ipfr_nattab;
-	ipfr_t		**ipfr_ipidtab;
-	ipfrstat_t	ipfr_stats;
-} ipf_frag_softc_t;
-
-
 #ifdef USE_MUTEXES
 static ipfr_t *ipfr_frag_new __P((ipf_main_softc_t *, ipf_frag_softc_t *,
 				  fr_info_t *, u_32_t, ipfr_t **,
--- a/sys/contrib/ipfilter/netinet/ip_frag.h
+++ b/sys/contrib/ipfilter/netinet/ip_frag.h
@ -70,6 +70,26 @@ typedef	struct	ipfrstat {
 	struct	ipfr	**ifs_nattab;
 } ipfrstat_t;

+typedef struct ipf_frag_softc_s  {
+	ipfrwlock_t	ipfr_ipidfrag;
+	ipfrwlock_t	ipfr_frag;
+	ipfrwlock_t	ipfr_natfrag;
+	int		ipfr_size;
+	int		ipfr_ttl;
+	int		ipfr_lock;
+	int		ipfr_inited;
+	ipfr_t		*ipfr_list;
+	ipfr_t		**ipfr_tail;
+	ipfr_t		*ipfr_natlist;
+	ipfr_t		**ipfr_nattail;
+	ipfr_t		*ipfr_ipidlist;
+	ipfr_t		**ipfr_ipidtail;
+	ipfr_t		**ipfr_heads;
+	ipfr_t		**ipfr_nattab;
+	ipfr_t		**ipfr_ipidtab;
+	ipfrstat_t	ipfr_stats;
+} ipf_frag_softc_t;
+
 #define	IPFR_CMPSZ	(offsetof(ipfr_t, ipfr_pass) - \
 			 offsetof(ipfr_t, ipfr_ifp))

--- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c
+++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c
@ -44,6 +44,8 @@ static dev_t ipf_devs[IPL_LOGSIZE];
 static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
 static int ipf_modload(void);
 static int ipf_modunload(void);
+static int ipf_fbsd_sysctl_create(ipf_main_softc_t*);
+static int ipf_fbsd_sysctl_destroy(ipf_main_softc_t*);

 #if (__FreeBSD_version >= 500024)
 # if (__FreeBSD_version >= 502116)
@ -70,59 +72,36 @@ SYSCTL_DECL(_net_inet);
 #define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
 	SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
 		   ptr, val, sysctl_ipf_int, "I", descr);
+#define SYSCTL_DYN_IPF(parent, nbr, name, access,ptr, val, descr) \
+	SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \
+	CTLFLAG_DYN|CTLTYPE_INT|access, ptr, val, sysctl_ipf_int, "I", descr)
+static struct sysctl_ctx_list ipf_clist;
 #define	CTLFLAG_OFF	0x00800000	/* IPFilter must be disabled */
 #define	CTLFLAG_RWO	(CTLFLAG_RW|CTLFLAG_OFF)
 SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipfmain.ipf_flags, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipfmain.ipf_pass, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipfmain.ipf_active, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipfmain.ipf_flags, 0, "IPF flags");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipfmain.ipf_pass, 0, "default pass/block");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipfmain.ipf_active, 0, "IPF is active");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
-	   &ipfmain.ipf_tcpidletimeout, 0, "");
+	   &ipfmain.ipf_tcpidletimeout, 0, "TCP idle timeout in seconds");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
-	   &ipfmain.ipf_tcphalfclosed, 0, "");
+	   &ipfmain.ipf_tcphalfclosed, 0, "timeout for half closed TCP sessions");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
-	   &ipfmain.ipf_tcpclosewait, 0, "");
+	   &ipfmain.ipf_tcpclosewait, 0, "timeout for TCP sessions in closewait status");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
-	   &ipfmain.ipf_tcplastack, 0, "");
+	   &ipfmain.ipf_tcplastack, 0, "timeout for TCP sessions in last ack status");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
 	   &ipfmain.ipf_tcptimeout, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
 	   &ipfmain.ipf_tcpclosed, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
-	   &ipfmain.ipf_udptimeout, 0, "");
+	   &ipfmain.ipf_udptimeout, 0, "UDP timeout");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
 	   &ipfmain.ipf_udpacktimeout, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
-	   &ipfmain.ipf_icmptimeout, 0, "");
-#if 0
-/* this needs to be resolved at compile time */
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
-	   &((ipf_nat_softc_t *)ipfmain.ipf_nat_soft)->ipf_nat_defage, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
-	   &ipf_ipfrttl, 0, "");
-#endif
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_running, CTLFLAG_RD,
-	   &ipfmain.ipf_running, 0, "");
-#if 0
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
-	   &ipfmain.ipf_state_soft)->ipf_state_size, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
-	   &(ipfmain.ipf_state_soft)->ipf_state_max, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_nattable_sz, CTLFLAG_RWO,
-	   &(ipfmain.ipf_nat_soft)->ipf_nat_table_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_natrules_sz, CTLFLAG_RWO,
-	   &(ipfmain.ipf_nat_soft)->ipf_nat_maprules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_rdrrules_sz, CTLFLAG_RWO,
-	   &(ipfmain.ipf_nat_soft)->ipf_nat_rdrrules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_hostmap_sz, CTLFLAG_RWO,
-	   &(ipfmain.ipf_nat_soft)->ipf_nat_hostmap_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
-	   &ipf_auth_size, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
-	   &ipf_auth_used, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
-	   &ipf_auth_defaultage, 0, "");
-#endif
+	   &ipfmain.ipf_icmptimeout, 0, "ICMP timeout");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
+	   &ipfmain.ipf_running, 0, "IPF is running");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &ipfmain.ipf_chksrc, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &ipfmain.ipf_minttl, 0, "");

@ -177,7 +156,6 @@ static struct cdevsw ipf_cdevsw = {
 static char *ipf_devfiles[] = {	IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
 				IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };

-
 static int
 ipfilter_modevent(module_t mod, int type, void *unused)
 {
@ -212,6 +190,9 @@ ipf_modload()
 	if (ipf_create_all(&ipfmain) == NULL)
 		return EIO;

+	if (ipf_fbsd_sysctl_create(&ipfmain) != 0)
+		return EIO;
+
 	error = ipfattach(&ipfmain);
 	if (error)
 		return error;
@ -268,6 +249,9 @@ ipf_modunload()
 	if (ipfmain.ipf_refcnt)
 		return EBUSY;

+	if (ipf_fbsd_sysctl_destroy(&ipfmain) != 0)
+		return EIO;
+
 	error = ipf_pfil_unhook();
 	if (error != 0)
 		return error;
@ -277,6 +261,7 @@ ipf_modunload()
 		if (error != 0)
 			return error;

+		ipf_fbsd_sysctl_destroy(&ipfmain);
 		ipf_destroy_all(&ipfmain);
 		ipf_unload_all();
 	} else
@ -526,3 +511,58 @@ static int ipfwrite(dev, uio)
 		return ipf_sync_write(&ipfmain, uio);
 	return ENXIO;
 }
+
+static int
+ipf_fbsd_sysctl_create(main_softc)
+	ipf_main_softc_t *main_softc;
+{
+	ipf_nat_softc_t	*nat_softc;
+	ipf_state_softc_t *state_softc;
+	ipf_auth_softc_t *auth_softc;
+	ipf_frag_softc_t *frag_softc;
+
+	nat_softc = main_softc->ipf_nat_soft;
+	state_softc = main_softc->ipf_state_soft;
+	auth_softc = main_softc->ipf_auth_soft;
+	frag_softc = main_softc->ipf_frag_soft;
+
+	sysctl_ctx_init(&ipf_clist);
+
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defnatage", CTLFLAG_RWO,
+	    &nat_softc->ipf_nat_defage, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_statesize", CTLFLAG_RWO,
+	    &state_softc->ipf_state_size, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_statemax", CTLFLAG_RWO,
+	    &state_softc->ipf_state_max, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_nattable_max", CTLFLAG_RWO,
+	    &nat_softc->ipf_nat_table_max, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_nattable_sz", CTLFLAG_RWO,
+	    &nat_softc->ipf_nat_table_sz, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_natrules_sz", CTLFLAG_RWO,
+	    &nat_softc->ipf_nat_maprules_sz, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_rdrrules_sz", CTLFLAG_RWO,
+	    &nat_softc->ipf_nat_rdrrules_sz, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_hostmap_sz", CTLFLAG_RWO,
+	    &nat_softc->ipf_nat_hostmap_sz, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_authsize", CTLFLAG_RWO,
+	   &auth_softc->ipf_auth_size, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_authused", CTLFLAG_RD,
+	   &auth_softc->ipf_auth_used, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defaultauthage", CTLFLAG_RW,
+	   &auth_softc->ipf_auth_defaultage, 0, "");
+	SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_ipfrttl", CTLFLAG_RW,
+	   &frag_softc->ipfr_ttl, 0, "");
+	return 0;
+}
+
+static int
+ipf_fbsd_sysctl_destroy(main_softc)
+	ipf_main_softc_t *main_softc;
+{
+	if (sysctl_ctx_free(&ipf_clist)) {
+		printf("sysctl_ctx_free failed");
+		return(ENOTEMPTY);
+	}
+	return 0;
+}
+