2093 lines
57 KiB
C
Raw Normal View History

/*
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
* Copyright (c) 1998-2002 Luigi Rizzo, Universita` di Pisa
* Portions Copyright (c) 2000 Akamba Corp.
* All rights reserved
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
1999-08-28 01:08:13 +00:00
* $FreeBSD$
*/
#define DUMMYNET_DEBUG
/*
* This module implements IP dummynet, a bandwidth limiter/delay emulator
* used in conjunction with the ipfw package.
* Description of the data structures used is in ip_dummynet.h
* Here you mainly find the following blocks of code:
* + variable declarations;
* + heap management functions;
* + scheduler and dummynet functions;
* + configuration and initialization.
*
* NOTA BENE: critical sections are protected by the "dummynet lock".
*
* Most important Changes:
*
* 011004: KLDable
* 010124: Fixed WF2Q behaviour
* 010122: Fixed spl protection.
* 000601: WF2Q support
* 000106: large rewrite, use heaps to handle very many pipes.
* 980513: initial release
*
* include files marked with XXX are probably not needed
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/proc.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/time.h>
#include <sys/sysctl.h>
#include <net/if.h>
#include <net/route.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/ip_fw.h>
#include <netinet/ip_dummynet.h>
#include <netinet/ip_var.h>
#include <netinet/if_ether.h> /* for struct arpcom */
#include <net/bridge.h>
/*
2000-06-08 09:45:23 +00:00
* We keep a private variable for the simulation time, but we could
* probably use an existing one ("softticks" in sys/kern/kern_timeout.c)
*/
static dn_key curr_time = 0 ; /* current simulation time */
static int dn_hash_size = 64 ; /* default hash size */
/* statistics on number of queue searches and search steps */
static int searches, search_steps ;
static int pipe_expire = 1 ; /* expire queue if empty */
2000-06-08 09:45:23 +00:00
static int dn_max_ratio = 16 ; /* max queues/buckets ratio */
2000-06-08 09:45:23 +00:00
static int red_lookup_depth = 256; /* RED - default lookup table depth */
static int red_avg_pkt_size = 512; /* RED - default medium packet size */
static int red_max_pkt_size = 1500; /* RED - default max packet size */
/*
* Three heaps contain queues and pipes that the scheduler handles:
*
* ready_heap contains all dn_flow_queue related to fixed-rate pipes.
*
* wfq_ready_heap contains the pipes associated with WF2Q flows
*
* extract_heap contains pipes associated with delay lines.
*
2000-06-08 09:45:23 +00:00
*/
MALLOC_DEFINE(M_DUMMYNET, "dummynet", "dummynet heap");
2000-06-08 09:45:23 +00:00
static struct dn_heap ready_heap, extract_heap, wfq_ready_heap ;
static int heap_init(struct dn_heap *h, int size) ;
static int heap_insert (struct dn_heap *h, dn_key key1, void *p);
2000-06-08 09:45:23 +00:00
static void heap_extract(struct dn_heap *h, void *obj);
static void transmit_event(struct dn_pipe *pipe);
static void ready_event(struct dn_flow_queue *q);
static struct dn_pipe *all_pipes = NULL ; /* list of all pipes */
2000-06-08 09:45:23 +00:00
static struct dn_flow_set *all_flow_sets = NULL ;/* list of all flow_sets */
static struct callout dn_timeout;
#ifdef SYSCTL_NODE
SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet,
CTLFLAG_RW, 0, "Dummynet");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, hash_size,
CTLFLAG_RW, &dn_hash_size, 0, "Default hash table size");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, curr_time,
CTLFLAG_RD, &curr_time, 0, "Current tick");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, ready_heap,
CTLFLAG_RD, &ready_heap.size, 0, "Size of ready heap");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, extract_heap,
CTLFLAG_RD, &extract_heap.size, 0, "Size of extract heap");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, searches,
CTLFLAG_RD, &searches, 0, "Number of queue searches");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, search_steps,
CTLFLAG_RD, &search_steps, 0, "Number of queue search steps");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, expire,
CTLFLAG_RW, &pipe_expire, 0, "Expire queue if empty");
2000-06-08 09:45:23 +00:00
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, max_chain_len,
CTLFLAG_RW, &dn_max_ratio, 0,
2000-06-08 09:45:23 +00:00
"Max ratio between dynamic queues and buckets");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_lookup_depth,
CTLFLAG_RD, &red_lookup_depth, 0, "Depth of RED lookup table");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_avg_pkt_size,
CTLFLAG_RD, &red_avg_pkt_size, 0, "RED Medium packet size");
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, red_max_pkt_size,
CTLFLAG_RD, &red_max_pkt_size, 0, "RED Max packet size");
#endif
#ifdef DUMMYNET_DEBUG
int dummynet_debug = 0;
#ifdef SYSCTL_NODE
SYSCTL_INT(_net_inet_ip_dummynet, OID_AUTO, debug, CTLFLAG_RW, &dummynet_debug,
0, "control debugging printfs");
#endif
#define DPRINTF(X) if (dummynet_debug) printf X
#else
#define DPRINTF(X)
#endif
static struct mtx dummynet_mtx;
/*
* NB: Recursion is needed to deal with re-entry via ICMP. That is,
* a packet may be dispatched via ip_input from dummynet_io and
* re-enter through ip_output. Yech.
*/
#define DUMMYNET_LOCK_INIT() \
mtx_init(&dummynet_mtx, "dummynet", NULL, MTX_DEF | MTX_RECURSE)
#define DUMMYNET_LOCK_DESTROY() mtx_destroy(&dummynet_mtx)
#define DUMMYNET_LOCK() mtx_lock(&dummynet_mtx)
#define DUMMYNET_UNLOCK() mtx_unlock(&dummynet_mtx)
#define DUMMYNET_LOCK_ASSERT() do { \
mtx_assert(&dummynet_mtx, MA_OWNED); \
NET_ASSERT_GIANT(); \
} while (0)
2000-06-08 09:45:23 +00:00
static int config_pipe(struct dn_pipe *p);
static int ip_dn_ctl(struct sockopt *sopt);
static void dummynet(void *);
static void dummynet_flush(void);
2000-06-08 09:45:23 +00:00
void dummynet_drain(void);
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
static ip_dn_io_t dummynet_io;
static void dn_rule_delete(void *);
int if_tx_rdy(struct ifnet *ifp);
/*
* Heap management functions.
*
* In the heap, first node is element 0. Children of i are 2i+1 and 2i+2.
* Some macros help finding parent/children so we can optimize them.
*
* heap_init() is called to expand the heap when needed.
2000-06-08 09:45:23 +00:00
* Increment size in blocks of 16 entries.
* XXX failure to allocate a new element is a pretty bad failure
* as we basically stall a whole queue forever!!
* Returns 1 on error, 0 on success
*/
#define HEAP_FATHER(x) ( ( (x) - 1 ) / 2 )
#define HEAP_LEFT(x) ( 2*(x) + 1 )
#define HEAP_IS_LEFT(x) ( (x) & 1 )
2000-06-08 09:45:23 +00:00
#define HEAP_RIGHT(x) ( 2*(x) + 2 )
#define HEAP_SWAP(a, b, buffer) { buffer = a ; a = b ; b = buffer ; }
2000-06-08 09:45:23 +00:00
#define HEAP_INCREMENT 15
static int
heap_init(struct dn_heap *h, int new_size)
{
struct dn_heap_entry *p;
if (h->size >= new_size ) {
printf("dummynet: %s, Bogus call, have %d want %d\n", __func__,
h->size, new_size);
return 0 ;
}
new_size = (new_size + HEAP_INCREMENT ) & ~HEAP_INCREMENT ;
p = malloc(new_size * sizeof(*p), M_DUMMYNET, M_NOWAIT);
if (p == NULL) {
printf("dummynet: %s, resize %d failed\n", __func__, new_size );
return 1 ; /* error */
}
if (h->size > 0) {
bcopy(h->p, p, h->size * sizeof(*p) );
free(h->p, M_DUMMYNET);
}
h->p = p ;
h->size = new_size ;
return 0 ;
}
/*
* Insert element in heap. Normally, p != NULL, we insert p in
* a new position and bubble up. If p == NULL, then the element is
* already in place, and key is the position where to start the
* bubble-up.
* Returns 1 on failure (cannot allocate new heap entry)
2000-06-08 09:45:23 +00:00
*
* If offset > 0 the position (index, int) of the element in the heap is
* also stored in the element itself at the given offset in bytes.
*/
2000-06-08 09:45:23 +00:00
#define SET_OFFSET(heap, node) \
if (heap->offset > 0) \
*((int *)((char *)(heap->p[node].object) + heap->offset)) = node ;
/*
* RESET_OFFSET is used for sanity checks. It sets offset to an invalid value.
*/
#define RESET_OFFSET(heap, node) \
if (heap->offset > 0) \
*((int *)((char *)(heap->p[node].object) + heap->offset)) = -1 ;
static int
heap_insert(struct dn_heap *h, dn_key key1, void *p)
{
int son = h->elements ;
if (p == NULL) /* data already there, set starting point */
son = key1 ;
else { /* insert new element at the end, possibly resize */
son = h->elements ;
if (son == h->size) /* need resize... */
if (heap_init(h, h->elements+1) )
return 1 ; /* failure... */
h->p[son].object = p ;
h->p[son].key = key1 ;
h->elements++ ;
}
while (son > 0) { /* bubble up */
int father = HEAP_FATHER(son) ;
struct dn_heap_entry tmp ;
if (DN_KEY_LT( h->p[father].key, h->p[son].key ) )
break ; /* found right position */
2000-06-08 09:45:23 +00:00
/* son smaller than father, swap and repeat */
HEAP_SWAP(h->p[son], h->p[father], tmp) ;
2000-06-08 09:45:23 +00:00
SET_OFFSET(h, son);
son = father ;
}
2000-06-08 09:45:23 +00:00
SET_OFFSET(h, son);
return 0 ;
}
/*
2000-06-08 09:45:23 +00:00
* remove top element from heap, or obj if obj != NULL
*/
static void
2000-06-08 09:45:23 +00:00
heap_extract(struct dn_heap *h, void *obj)
{
int child, father, max = h->elements - 1 ;
2000-06-08 09:45:23 +00:00
if (max < 0) {
printf("dummynet: warning, extract from empty heap 0x%p\n", h);
return ;
}
2000-06-08 09:45:23 +00:00
father = 0 ; /* default: move up smallest child */
if (obj != NULL) { /* extract specific element, index is at offset */
if (h->offset <= 0)
panic("dummynet: heap_extract from middle not supported on this heap!!!\n");
2000-06-08 09:45:23 +00:00
father = *((int *)((char *)obj + h->offset)) ;
if (father < 0 || father >= h->elements) {
printf("dummynet: heap_extract, father %d out of bound 0..%d\n",
father, h->elements);
panic("dummynet: heap_extract");
}
2000-06-08 09:45:23 +00:00
}
RESET_OFFSET(h, father);
child = HEAP_LEFT(father) ; /* left child */
while (child <= max) { /* valid entry */
if (child != max && DN_KEY_LT(h->p[child+1].key, h->p[child].key) )
child = child+1 ; /* take right child, otherwise left */
h->p[father] = h->p[child] ;
2000-06-08 09:45:23 +00:00
SET_OFFSET(h, father);
father = child ;
child = HEAP_LEFT(child) ; /* left child for next loop */
}
h->elements-- ;
if (father != max) {
/*
* Fill hole with last entry and bubble up, reusing the insert code
*/
h->p[father] = h->p[max] ;
heap_insert(h, father, NULL); /* this one cannot fail */
}
}
#if 0
2000-06-08 09:45:23 +00:00
/*
* change object position and update references
* XXX this one is never used!
2000-06-08 09:45:23 +00:00
*/
static void
heap_move(struct dn_heap *h, dn_key new_key, void *object)
{
int temp;
int i ;
int max = h->elements-1 ;
struct dn_heap_entry buf ;
if (h->offset <= 0)
panic("cannot move items on this heap");
i = *((int *)((char *)object + h->offset));
if (DN_KEY_LT(new_key, h->p[i].key) ) { /* must move up */
h->p[i].key = new_key ;
for (; i>0 && DN_KEY_LT(new_key, h->p[(temp = HEAP_FATHER(i))].key) ;
i = temp ) { /* bubble up */
HEAP_SWAP(h->p[i], h->p[temp], buf) ;
SET_OFFSET(h, i);
}
} else { /* must move down */
h->p[i].key = new_key ;
while ( (temp = HEAP_LEFT(i)) <= max ) { /* found left child */
if ((temp != max) && DN_KEY_GT(h->p[temp].key, h->p[temp+1].key))
temp++ ; /* select child with min key */
if (DN_KEY_GT(new_key, h->p[temp].key)) { /* go down */
HEAP_SWAP(h->p[i], h->p[temp], buf) ;
SET_OFFSET(h, i);
} else
break ;
i = temp ;
}
}
SET_OFFSET(h, i);
}
#endif /* heap_move, unused */
2000-06-08 09:45:23 +00:00
/*
* heapify() will reorganize data inside an array to maintain the
* heap property. It is needed when we delete a bunch of entries.
*/
static void
heapify(struct dn_heap *h)
{
2000-06-08 09:45:23 +00:00
int i ;
2000-06-08 09:45:23 +00:00
for (i = 0 ; i < h->elements ; i++ )
heap_insert(h, i , NULL) ;
}
2000-06-08 09:45:23 +00:00
/*
* cleanup the heap and free data structure
*/
static void
heap_free(struct dn_heap *h)
{
if (h->size >0 )
free(h->p, M_DUMMYNET);
bzero(h, sizeof(*h) );
}
2000-06-08 09:45:23 +00:00
/*
* --- end of heap management functions ---
*/
/*
* Return the mbuf tag holding the dummynet state. As an optimization
* this is assumed to be the first tag on the list. If this turns out
* wrong we'll need to search the list.
*/
static struct dn_pkt_tag *
dn_tag_get(struct mbuf *m)
{
struct m_tag *mtag = m_tag_first(m);
KASSERT(mtag != NULL &&
mtag->m_tag_cookie == MTAG_ABI_COMPAT &&
mtag->m_tag_id == PACKET_TAG_DUMMYNET,
("packet on dummynet queue w/o dummynet tag!"));
return (struct dn_pkt_tag *)(mtag+1);
}
/*
2000-06-08 09:45:23 +00:00
* Scheduler functions:
*
* transmit_event() is called when the delay-line needs to enter
* the scheduler, either because of existing pkts getting ready,
* or new packets entering the queue. The event handled is the delivery
* time of the packet.
*
2000-06-08 09:45:23 +00:00
* ready_event() does something similar with fixed-rate queues, and the
* event handled is the finish time of the head pkt.
*
* wfq_ready_event() does something similar with WF2Q queues, and the
2000-06-08 09:45:23 +00:00
* event handled is the start time of the head pkt.
*
* In all cases, we make sure that the data structures are consistent
* before passing pkts out, because this might trigger recursive
* invocations of the procedures.
*/
static void
transmit_event(struct dn_pipe *pipe)
{
struct mbuf *m ;
struct dn_pkt_tag *pkt ;
Convert ipfw to use PFIL_HOOKS. This is change is transparent to userland and preserves the ipfw ABI. The ipfw core packet inspection and filtering functions have not been changed, only how ipfw is invoked is different. However there are many changes how ipfw is and its add-on's are handled: In general ipfw is now called through the PFIL_HOOKS and most associated magic, that was in ip_input() or ip_output() previously, is now done in ipfw_check_[in|out]() in the ipfw PFIL handler. IPDIVERT is entirely handled within the ipfw PFIL handlers. A packet to be diverted is checked if it is fragmented, if yes, ip_reass() gets in for reassembly. If not, or all fragments arrived and the packet is complete, divert_packet is called directly. For 'tee' no reassembly attempt is made and a copy of the packet is sent to the divert socket unmodified. The original packet continues its way through ip_input/output(). ipfw 'forward' is done via m_tag's. The ipfw PFIL handlers tag the packet with the new destination sockaddr_in. A check if the new destination is a local IP address is made and the m_flags are set appropriately. ip_input() and ip_output() have some more work to do here. For ip_input() the m_flags are checked and a packet for us is directly sent to the 'ours' section for further processing. Destination changes on the input path are only tagged and the 'srcrt' flag to ip_forward() is set to disable destination checks and ICMP replies at this stage. The tag is going to be handled on output. ip_output() again checks for m_flags and the 'ours' tag. If found, the packet will be dropped back to the IP netisr where it is going to be picked up by ip_input() again and the directly sent to the 'ours' section. When only the destination changes, the route's 'dst' is overwritten with the new destination from the forward m_tag. Then it jumps back at the route lookup again and skips the firewall check because it has been marked with M_SKIP_FIREWALL. ipfw 'forward' has to be compiled into the kernel with 'option IPFIREWALL_FORWARD' to enable it. DUMMYNET is entirely handled within the ipfw PFIL handlers. A packet for a dummynet pipe or queue is directly sent to dummynet_io(). Dummynet will then inject it back into ip_input/ip_output() after it has served its time. Dummynet packets are tagged and will continue from the next rule when they hit the ipfw PFIL handlers again after re-injection. BRIDGING and IPFW_ETHER are not changed yet and use ipfw_chk() directly as they did before. Later this will be changed to dedicated ETHER PFIL_HOOKS. More detailed changes to the code: conf/files Add netinet/ip_fw_pfil.c. conf/options Add IPFIREWALL_FORWARD option. modules/ipfw/Makefile Add ip_fw_pfil.c. net/bridge.c Disable PFIL_HOOKS if ipfw for bridging is active. Bridging ipfw is still directly invoked to handle layer2 headers and packets would get a double ipfw when run through PFIL_HOOKS as well. netinet/ip_divert.c Removed divert_clone() function. It is no longer used. netinet/ip_dummynet.[ch] Neither the route 'ro' nor the destination 'dst' need to be stored while in dummynet transit. Structure members and associated macros are removed. netinet/ip_fastfwd.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_fw.h Removed 'ro' and 'dst' from struct ip_fw_args. netinet/ip_fw2.c (Re)moved some global variables and the module handling. netinet/ip_fw_pfil.c New file containing the ipfw PFIL handlers and module initialization. netinet/ip_input.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. ip_forward() does not longer require the 'next_hop' struct sockaddr_in argument. Disable early checks if 'srcrt' is set. netinet/ip_output.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_var.h Add ip_reass() as general function. (Used from ipfw PFIL handlers for IPDIVERT.) netinet/raw_ip.c Directly check if ipfw and dummynet control pointers are active. netinet/tcp_input.c Rework the 'ipfw forward' to local code to work with the new way of forward tags. netinet/tcp_sack.c Remove include 'opt_ipfw.h' which is not needed here. sys/mbuf.h Remove m_claim_next() macro which was exclusively for ipfw 'forward' and is no longer needed. Approved by: re (scottl)
2004-08-17 22:05:54 +00:00
struct ip *ip;
DUMMYNET_LOCK_ASSERT();
while ( (m = pipe->head) ) {
pkt = dn_tag_get(m);
if ( !DN_KEY_LEQ(pkt->output_time, curr_time) )
break;
/*
* first unlink, then call procedures, since ip_input() can invoke
* ip_output() and viceversa, thus causing nested calls
*/
pipe->head = m->m_nextpkt ;
m->m_nextpkt = NULL;
/* XXX: drop the lock for now to avoid LOR's */
DUMMYNET_UNLOCK();
switch (pkt->dn_dir) {
case DN_TO_IP_OUT:
(void)ip_output(m, NULL, NULL, pkt->flags, NULL, NULL);
break ;
case DN_TO_IP_IN :
Convert ipfw to use PFIL_HOOKS. This is change is transparent to userland and preserves the ipfw ABI. The ipfw core packet inspection and filtering functions have not been changed, only how ipfw is invoked is different. However there are many changes how ipfw is and its add-on's are handled: In general ipfw is now called through the PFIL_HOOKS and most associated magic, that was in ip_input() or ip_output() previously, is now done in ipfw_check_[in|out]() in the ipfw PFIL handler. IPDIVERT is entirely handled within the ipfw PFIL handlers. A packet to be diverted is checked if it is fragmented, if yes, ip_reass() gets in for reassembly. If not, or all fragments arrived and the packet is complete, divert_packet is called directly. For 'tee' no reassembly attempt is made and a copy of the packet is sent to the divert socket unmodified. The original packet continues its way through ip_input/output(). ipfw 'forward' is done via m_tag's. The ipfw PFIL handlers tag the packet with the new destination sockaddr_in. A check if the new destination is a local IP address is made and the m_flags are set appropriately. ip_input() and ip_output() have some more work to do here. For ip_input() the m_flags are checked and a packet for us is directly sent to the 'ours' section for further processing. Destination changes on the input path are only tagged and the 'srcrt' flag to ip_forward() is set to disable destination checks and ICMP replies at this stage. The tag is going to be handled on output. ip_output() again checks for m_flags and the 'ours' tag. If found, the packet will be dropped back to the IP netisr where it is going to be picked up by ip_input() again and the directly sent to the 'ours' section. When only the destination changes, the route's 'dst' is overwritten with the new destination from the forward m_tag. Then it jumps back at the route lookup again and skips the firewall check because it has been marked with M_SKIP_FIREWALL. ipfw 'forward' has to be compiled into the kernel with 'option IPFIREWALL_FORWARD' to enable it. DUMMYNET is entirely handled within the ipfw PFIL handlers. A packet for a dummynet pipe or queue is directly sent to dummynet_io(). Dummynet will then inject it back into ip_input/ip_output() after it has served its time. Dummynet packets are tagged and will continue from the next rule when they hit the ipfw PFIL handlers again after re-injection. BRIDGING and IPFW_ETHER are not changed yet and use ipfw_chk() directly as they did before. Later this will be changed to dedicated ETHER PFIL_HOOKS. More detailed changes to the code: conf/files Add netinet/ip_fw_pfil.c. conf/options Add IPFIREWALL_FORWARD option. modules/ipfw/Makefile Add ip_fw_pfil.c. net/bridge.c Disable PFIL_HOOKS if ipfw for bridging is active. Bridging ipfw is still directly invoked to handle layer2 headers and packets would get a double ipfw when run through PFIL_HOOKS as well. netinet/ip_divert.c Removed divert_clone() function. It is no longer used. netinet/ip_dummynet.[ch] Neither the route 'ro' nor the destination 'dst' need to be stored while in dummynet transit. Structure members and associated macros are removed. netinet/ip_fastfwd.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_fw.h Removed 'ro' and 'dst' from struct ip_fw_args. netinet/ip_fw2.c (Re)moved some global variables and the module handling. netinet/ip_fw_pfil.c New file containing the ipfw PFIL handlers and module initialization. netinet/ip_input.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. ip_forward() does not longer require the 'next_hop' struct sockaddr_in argument. Disable early checks if 'srcrt' is set. netinet/ip_output.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_var.h Add ip_reass() as general function. (Used from ipfw PFIL handlers for IPDIVERT.) netinet/raw_ip.c Directly check if ipfw and dummynet control pointers are active. netinet/tcp_input.c Rework the 'ipfw forward' to local code to work with the new way of forward tags. netinet/tcp_sack.c Remove include 'opt_ipfw.h' which is not needed here. sys/mbuf.h Remove m_claim_next() macro which was exclusively for ipfw 'forward' and is no longer needed. Approved by: re (scottl)
2004-08-17 22:05:54 +00:00
ip = mtod(m, struct ip *);
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
ip_input(m) ;
break ;
case DN_TO_BDG_FWD :
/*
* The bridge requires/assumes the Ethernet header is
* contiguous in the first mbuf header. Insure this is true.
*/
if (BDG_LOADED) {
if (m->m_len < ETHER_HDR_LEN &&
(m = m_pullup(m, ETHER_HDR_LEN)) == NULL) {
printf("dummynet/bridge: pullup fail, dropping pkt\n");
break;
}
m = bdg_forward_ptr(m, pkt->ifp);
} else {
/* somebody unloaded the bridge module. Drop pkt */
/* XXX rate limit */
printf("dummynet: dropping bridged packet trapped in pipe\n");
}
if (m)
m_freem(m);
break;
case DN_TO_ETH_DEMUX:
/*
* The Ethernet code assumes the Ethernet header is
* contiguous in the first mbuf header. Insure this is true.
*/
if (m->m_len < ETHER_HDR_LEN &&
(m = m_pullup(m, ETHER_HDR_LEN)) == NULL) {
printf("dummynet/ether: pullup fail, dropping pkt\n");
break;
}
ether_demux(m->m_pkthdr.rcvif, m); /* which consumes the mbuf */
break ;
case DN_TO_ETH_OUT:
ether_output_frame(pkt->ifp, m);
break;
default:
printf("dummynet: bad switch %d!\n", pkt->dn_dir);
m_freem(m);
break ;
}
DUMMYNET_LOCK();
}
/* if there are leftover packets, put into the heap for next event */
if ( (m = pipe->head) ) {
pkt = dn_tag_get(m) ;
/* XXX should check errors on heap_insert, by draining the
* whole pipe p and hoping in the future we are more successful
*/
heap_insert(&extract_heap, pkt->output_time, pipe ) ;
}
}
2000-06-08 09:45:23 +00:00
/*
* the following macro computes how many ticks we have to wait
* before being able to transmit a packet. The credit is taken from
* either a pipe (WF2Q) or a flow_queue (per-flow queueing)
*/
#define SET_TICKS(_m, q, p) \
((_m)->m_pkthdr.len*8*hz - (q)->numbytes + p->bandwidth - 1 ) / \
2000-06-08 09:45:23 +00:00
p->bandwidth ;
/*
* extract pkt from queue, compute output time (could be now)
* and put into delay line (p_queue)
*/
static void
move_pkt(struct mbuf *pkt, struct dn_flow_queue *q,
2000-06-08 09:45:23 +00:00
struct dn_pipe *p, int len)
{
struct dn_pkt_tag *dt = dn_tag_get(pkt);
q->head = pkt->m_nextpkt ;
2000-06-08 09:45:23 +00:00
q->len-- ;
q->len_bytes -= len ;
dt->output_time = curr_time + p->delay ;
2000-06-08 09:45:23 +00:00
if (p->head == NULL)
p->head = pkt;
else
p->tail->m_nextpkt = pkt;
2000-06-08 09:45:23 +00:00
p->tail = pkt;
p->tail->m_nextpkt = NULL;
2000-06-08 09:45:23 +00:00
}
/*
* ready_event() is invoked every time the queue must enter the
* scheduler, either because the first packet arrives, or because
* a previously scheduled event fired.
* On invokation, drain as many pkts as possible (could be 0) and then
* if there are leftover packets reinsert the pkt in the scheduler.
*/
static void
ready_event(struct dn_flow_queue *q)
{
struct mbuf *pkt;
2000-06-08 09:45:23 +00:00
struct dn_pipe *p = q->fs->pipe ;
int p_was_empty ;
DUMMYNET_LOCK_ASSERT();
2000-06-08 09:45:23 +00:00
if (p == NULL) {
printf("dummynet: ready_event- pipe is gone\n");
2000-06-08 09:45:23 +00:00
return ;
}
p_was_empty = (p->head == NULL) ;
/*
2000-06-08 09:45:23 +00:00
* schedule fixed-rate queues linked to this pipe:
* Account for the bw accumulated since last scheduling, then
* drain as many pkts as allowed by q->numbytes and move to
* the delay line (in p) computing output time.
* bandwidth==0 (no limit) means we can drain the whole queue,
* setting len_scaled = 0 does the job.
*/
2000-06-08 09:45:23 +00:00
q->numbytes += ( curr_time - q->sched_time ) * p->bandwidth;
while ( (pkt = q->head) != NULL ) {
int len = pkt->m_pkthdr.len;
2000-06-08 09:45:23 +00:00
int len_scaled = p->bandwidth ? len*8*hz : 0 ;
if (len_scaled > q->numbytes )
break ;
q->numbytes -= len_scaled ;
2000-06-08 09:45:23 +00:00
move_pkt(pkt, q, p, len);
}
/*
* If we have more packets queued, schedule next ready event
* (can only occur when bandwidth != 0, otherwise we would have
* flushed the whole queue in the previous loop).
2000-06-08 09:45:23 +00:00
* To this purpose we record the current time and compute how many
* ticks to go for the finish time of the packet.
*/
2000-06-08 09:45:23 +00:00
if ( (pkt = q->head) != NULL ) { /* this implies bandwidth != 0 */
dn_key t = SET_TICKS(pkt, q, p); /* ticks i have to wait */
q->sched_time = curr_time ;
heap_insert(&ready_heap, curr_time + t, (void *)q );
/* XXX should check errors on heap_insert, and drain the whole
* queue on error hoping next time we are luckier.
*/
} else { /* RED needs to know when the queue becomes empty */
2000-06-08 09:45:23 +00:00
q->q_time = curr_time;
q->numbytes = 0;
}
2000-06-08 09:45:23 +00:00
/*
* If the delay line was empty call transmit_event(p) now.
* Otherwise, the scheduler will take care of it.
*/
if (p_was_empty)
transmit_event(p);
}
/*
* Called when we can transmit packets on WF2Q queues. Take pkts out of
* the queues at their start time, and enqueue into the delay line.
* Packets are drained until p->numbytes < 0. As long as
* len_scaled >= p->numbytes, the packet goes into the delay line
* with a deadline p->delay. For the last packet, if p->numbytes<0,
* there is an additional delay.
*/
static void
ready_event_wfq(struct dn_pipe *p)
{
int p_was_empty = (p->head == NULL) ;
struct dn_heap *sch = &(p->scheduler_heap);
struct dn_heap *neh = &(p->not_eligible_heap) ;
2000-06-08 09:45:23 +00:00
DUMMYNET_LOCK_ASSERT();
2000-06-08 09:45:23 +00:00
if (p->if_name[0] == 0) /* tx clock is simulated */
p->numbytes += ( curr_time - p->sched_time ) * p->bandwidth;
else { /* tx clock is for real, the ifq must be empty or this is a NOP */
if (p->ifp && p->ifp->if_snd.ifq_head != NULL)
return ;
else {
DPRINTF(("dummynet: pipe %d ready from %s --\n",
p->pipe_nr, p->if_name));
2000-06-08 09:45:23 +00:00
}
}
/*
* While we have backlogged traffic AND credit, we need to do
* something on the queue.
*/
while ( p->numbytes >=0 && (sch->elements>0 || neh->elements >0) ) {
if (sch->elements > 0) { /* have some eligible pkts to send out */
struct dn_flow_queue *q = sch->p[0].object ;
struct mbuf *pkt = q->head;
struct dn_flow_set *fs = q->fs;
u_int64_t len = pkt->m_pkthdr.len;
int len_scaled = p->bandwidth ? len*8*hz : 0 ;
heap_extract(sch, NULL); /* remove queue from heap */
p->numbytes -= len_scaled ;
move_pkt(pkt, q, p, len);
p->V += (len<<MY_M) / p->sum ; /* update V */
q->S = q->F ; /* update start time */
if (q->len == 0) { /* Flow not backlogged any more */
fs->backlogged-- ;
heap_insert(&(p->idle_heap), q->F, q);
} else { /* still backlogged */
/*
* update F and position in backlogged queue, then
* put flow in not_eligible_heap (we will fix this later).
*/
len = (q->head)->m_pkthdr.len;
q->F += (len<<MY_M)/(u_int64_t) fs->weight ;
if (DN_KEY_LEQ(q->S, p->V))
heap_insert(neh, q->S, q);
else
heap_insert(sch, q->F, q);
}
2000-06-08 09:45:23 +00:00
}
/*
* now compute V = max(V, min(S_i)). Remember that all elements in sch
* have by definition S_i <= V so if sch is not empty, V is surely
* the max and we must not update it. Conversely, if sch is empty
* we only need to look at neh.
*/
if (sch->elements == 0 && neh->elements > 0)
p->V = MAX64 ( p->V, neh->p[0].key );
/* move from neh to sch any packets that have become eligible */
2000-06-08 09:45:23 +00:00
while (neh->elements > 0 && DN_KEY_LEQ(neh->p[0].key, p->V) ) {
struct dn_flow_queue *q = neh->p[0].object ;
2000-06-08 09:45:23 +00:00
heap_extract(neh, NULL);
heap_insert(sch, q->F, q);
2000-06-08 09:45:23 +00:00
}
if (p->if_name[0] != '\0') {/* tx clock is from a real thing */
p->numbytes = -1 ; /* mark not ready for I/O */
break ;
}
}
if (sch->elements == 0 && neh->elements == 0 && p->numbytes >= 0
&& p->idle_heap.elements > 0) {
/*
* no traffic and no events scheduled. We can get rid of idle-heap.
*/
int i ;
for (i = 0 ; i < p->idle_heap.elements ; i++) {
struct dn_flow_queue *q = p->idle_heap.p[i].object ;
q->F = 0 ;
q->S = q->F + 1 ;
}
p->sum = 0 ;
p->V = 0 ;
p->idle_heap.elements = 0 ;
}
2000-06-08 09:45:23 +00:00
/*
* If we are getting clocks from dummynet (not a real interface) and
* If we are under credit, schedule the next ready event.
* Also fix the delivery time of the last packet.
*/
if (p->if_name[0]==0 && p->numbytes < 0) { /* this implies bandwidth >0 */
dn_key t=0 ; /* number of ticks i have to wait */
if (p->bandwidth > 0)
t = ( p->bandwidth -1 - p->numbytes) / p->bandwidth ;
dn_tag_get(p->tail)->output_time += t ;
2000-06-08 09:45:23 +00:00
p->sched_time = curr_time ;
heap_insert(&wfq_ready_heap, curr_time + t, (void *)p);
/* XXX should check errors on heap_insert, and drain the whole
* queue on error hoping next time we are luckier.
*/
}
/*
* If the delay line was empty call transmit_event(p) now.
* Otherwise, the scheduler will take care of it.
*/
if (p_was_empty)
transmit_event(p);
}
/*
2000-06-08 09:45:23 +00:00
* This is called once per tick, or HZ times per second. It is used to
* increment the current tick counter and schedule expired events.
*/
static void
dummynet(void * __unused unused)
{
void *p ; /* generic parameter to handler */
struct dn_heap *h ;
2000-06-08 09:45:23 +00:00
struct dn_heap *heaps[3];
int i;
struct dn_pipe *pe ;
2000-06-08 09:45:23 +00:00
heaps[0] = &ready_heap ; /* fixed-rate queues */
heaps[1] = &wfq_ready_heap ; /* wfq queues */
heaps[2] = &extract_heap ; /* delay line */
DUMMYNET_LOCK();
curr_time++ ;
2000-06-08 09:45:23 +00:00
for (i=0; i < 3 ; i++) {
h = heaps[i];
while (h->elements > 0 && DN_KEY_LEQ(h->p[0].key, curr_time) ) {
if (h->p[0].key > curr_time)
printf("dummynet: warning, heap %d is %d ticks late\n",
i, (int)(curr_time - h->p[0].key));
2000-06-08 09:45:23 +00:00
p = h->p[0].object ; /* store a copy before heap_extract */
heap_extract(h, NULL); /* need to extract before processing */
if (i == 0)
ready_event(p) ;
2000-06-08 09:45:23 +00:00
else if (i == 1) {
struct dn_pipe *pipe = p;
if (pipe->if_name[0] != '\0')
printf("dummynet: bad ready_event_wfq for pipe %s\n",
2000-06-08 09:45:23 +00:00
pipe->if_name);
else
ready_event_wfq(p) ;
} else
transmit_event(p);
}
2000-06-08 09:45:23 +00:00
}
/* sweep pipes trying to expire idle flow_queues */
for (pe = all_pipes; pe ; pe = pe->next )
if (pe->idle_heap.elements > 0 &&
DN_KEY_LT(pe->idle_heap.p[0].key, pe->V) ) {
struct dn_flow_queue *q = pe->idle_heap.p[0].object ;
heap_extract(&(pe->idle_heap), NULL);
q->S = q->F + 1 ; /* mark timestamp as invalid */
pe->sum -= q->fs->weight ;
}
DUMMYNET_UNLOCK();
callout_reset(&dn_timeout, 1, dummynet, NULL);
}
/*
2000-06-08 09:45:23 +00:00
* called by an interface when tx_rdy occurs.
*/
int
if_tx_rdy(struct ifnet *ifp)
{
struct dn_pipe *p;
DUMMYNET_LOCK();
2000-06-08 09:45:23 +00:00
for (p = all_pipes; p ; p = p->next )
if (p->ifp == ifp)
break ;
if (p == NULL) {
for (p = all_pipes; p ; p = p->next )
if (!strcmp(p->if_name, ifp->if_xname) ) {
2000-06-08 09:45:23 +00:00
p->ifp = ifp ;
DPRINTF(("dummynet: ++ tx rdy from %s (now found)\n",
ifp->if_xname));
2000-06-08 09:45:23 +00:00
break ;
}
}
if (p != NULL) {
DPRINTF(("dummynet: ++ tx rdy from %s - qlen %d\n", ifp->if_xname,
ifp->if_snd.ifq_len));
2000-06-08 09:45:23 +00:00
p->numbytes = 0 ; /* mark ready for I/O */
ready_event_wfq(p);
}
DUMMYNET_UNLOCK();
return 0;
2000-06-08 09:45:23 +00:00
}
/*
* Unconditionally expire empty queues in case of shortage.
* Returns the number of queues freed.
*/
static int
expire_queues(struct dn_flow_set *fs)
{
struct dn_flow_queue *q, *prev ;
int i, initial_elements = fs->rq_elements ;
if (fs->last_expired == time_second)
return 0 ;
fs->last_expired = time_second ;
for (i = 0 ; i <= fs->rq_size ; i++) /* last one is overflow */
for (prev=NULL, q = fs->rq[i] ; q != NULL ; )
if (q->head != NULL || q->S != q->F+1) {
2000-06-08 09:45:23 +00:00
prev = q ;
q = q->next ;
} else { /* entry is idle, expire it */
struct dn_flow_queue *old_q = q ;
if (prev != NULL)
prev->next = q = q->next ;
else
fs->rq[i] = q = q->next ;
fs->rq_elements-- ;
free(old_q, M_DUMMYNET);
2000-06-08 09:45:23 +00:00
}
return initial_elements - fs->rq_elements ;
}
/*
* If room, create a new queue and put at head of slot i;
* otherwise, create or use the default queue.
*/
static struct dn_flow_queue *
create_queue(struct dn_flow_set *fs, int i)
{
struct dn_flow_queue *q ;
if (fs->rq_elements > fs->rq_size * dn_max_ratio &&
expire_queues(fs) == 0) {
/*
* No way to get room, use or create overflow queue.
*/
i = fs->rq_size ;
if ( fs->rq[i] != NULL )
return fs->rq[i] ;
}
q = malloc(sizeof(*q), M_DUMMYNET, M_NOWAIT | M_ZERO);
2000-06-08 09:45:23 +00:00
if (q == NULL) {
printf("dummynet: sorry, cannot allocate queue for new flow\n");
2000-06-08 09:45:23 +00:00
return NULL ;
}
q->fs = fs ;
q->hash_slot = i ;
q->next = fs->rq[i] ;
q->S = q->F + 1; /* hack - mark timestamp as invalid */
2000-06-08 09:45:23 +00:00
fs->rq[i] = q ;
fs->rq_elements++ ;
return q ;
}
/*
* Given a flow_set and a pkt in last_pkt, find a matching queue
* after appropriate masking. The queue is moved to front
* so that further searches take less time.
*/
static struct dn_flow_queue *
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
find_queue(struct dn_flow_set *fs, struct ipfw_flow_id *id)
{
int i = 0 ; /* we need i and q for new allocations */
struct dn_flow_queue *q, *prev;
2000-06-08 09:45:23 +00:00
if ( !(fs->flags_fs & DN_HAVE_FLOW_MASK) )
q = fs->rq[0] ;
else {
/* first, do the masking */
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
id->dst_ip &= fs->flow_mask.dst_ip ;
id->src_ip &= fs->flow_mask.src_ip ;
id->dst_port &= fs->flow_mask.dst_port ;
id->src_port &= fs->flow_mask.src_port ;
id->proto &= fs->flow_mask.proto ;
id->flags = 0 ; /* we don't care about this one */
/* then, hash function */
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
i = ( (id->dst_ip) & 0xffff ) ^
( (id->dst_ip >> 15) & 0xffff ) ^
( (id->src_ip << 1) & 0xffff ) ^
( (id->src_ip >> 16 ) & 0xffff ) ^
(id->dst_port << 1) ^ (id->src_port) ^
(id->proto );
2000-06-08 09:45:23 +00:00
i = i % fs->rq_size ;
/* finally, scan the current list for a match */
searches++ ;
2000-06-08 09:45:23 +00:00
for (prev=NULL, q = fs->rq[i] ; q ; ) {
search_steps++;
if (id->dst_ip == q->id.dst_ip &&
id->src_ip == q->id.src_ip &&
id->dst_port == q->id.dst_port &&
id->src_port == q->id.src_port &&
id->proto == q->id.proto &&
id->flags == q->id.flags)
break ; /* found */
else if (pipe_expire && q->head == NULL && q->S == q->F+1 ) {
/* entry is idle and not in any heap, expire it */
struct dn_flow_queue *old_q = q ;
if (prev != NULL)
prev->next = q = q->next ;
else
2000-06-08 09:45:23 +00:00
fs->rq[i] = q = q->next ;
fs->rq_elements-- ;
free(old_q, M_DUMMYNET);
continue ;
}
prev = q ;
q = q->next ;
}
if (q && prev != NULL) { /* found and not in front */
prev->next = q->next ;
2000-06-08 09:45:23 +00:00
q->next = fs->rq[i] ;
fs->rq[i] = q ;
}
}
if (q == NULL) { /* no match, need to allocate a new entry */
2000-06-08 09:45:23 +00:00
q = create_queue(fs, i);
if (q != NULL)
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
q->id = *id ;
}
return q ;
}
2000-06-08 09:45:23 +00:00
static int
red_drops(struct dn_flow_set *fs, struct dn_flow_queue *q, int len)
{
/*
* RED algorithm
*
2000-06-08 09:45:23 +00:00
* RED calculates the average queue size (avg) using a low-pass filter
* with an exponential weighted (w_q) moving average:
* avg <- (1-w_q) * avg + w_q * q_size
* where q_size is the queue length (measured in bytes or * packets).
*
2000-06-08 09:45:23 +00:00
* If q_size == 0, we compute the idle time for the link, and set
* avg = (1 - w_q)^(idle/s)
* where s is the time needed for transmitting a medium-sized packet.
*
2000-06-08 09:45:23 +00:00
* Now, if avg < min_th the packet is enqueued.
* If avg > max_th the packet is dropped. Otherwise, the packet is
* dropped with probability P function of avg.
*
2000-06-08 09:45:23 +00:00
*/
int64_t p_b = 0;
/* queue in bytes or packets ? */
u_int q_size = (fs->flags_fs & DN_QSIZE_IS_BYTES) ? q->len_bytes : q->len;
DPRINTF(("\ndummynet: %d q: %2u ", (int) curr_time, q_size));
2000-06-08 09:45:23 +00:00
/* average queue size estimation */
if (q_size != 0) {
/*
* queue is not empty, avg <- avg + (q_size - avg) * w_q
*/
int diff = SCALE(q_size) - q->avg;
int64_t v = SCALE_MUL((int64_t) diff, (int64_t) fs->w_q);
q->avg += (int) v;
} else {
/*
* queue is empty, find for how long the queue has been
* empty and use a lookup table for computing
* (1 - * w_q)^(idle_time/s) where s is the time to send a
* (small) packet.
* XXX check wraps...
*/
if (q->avg) {
u_int t = (curr_time - q->q_time) / fs->lookup_step;
q->avg = (t < fs->lookup_depth) ?
SCALE_MUL(q->avg, fs->w_q_lookup[t]) : 0;
}
}
DPRINTF(("dummynet: avg: %u ", SCALE_VAL(q->avg)));
2000-06-08 09:45:23 +00:00
/* should i drop ? */
if (q->avg < fs->min_th) {
q->count = -1;
return 0; /* accept packet ; */
}
if (q->avg >= fs->max_th) { /* average queue >= max threshold */
if (fs->flags_fs & DN_IS_GENTLE_RED) {
/*
* According to Gentle-RED, if avg is greater than max_th the
* packet is dropped with a probability
* p_b = c_3 * avg - c_4
* where c_3 = (1 - max_p) / max_th, and c_4 = 1 - 2 * max_p
*/
p_b = SCALE_MUL((int64_t) fs->c_3, (int64_t) q->avg) - fs->c_4;
} else {
q->count = -1;
DPRINTF(("dummynet: - drop"));
2000-06-08 09:45:23 +00:00
return 1 ;
}
} else if (q->avg > fs->min_th) {
/*
* we compute p_b using the linear dropping function p_b = c_1 *
* avg - c_2, where c_1 = max_p / (max_th - min_th), and c_2 =
* max_p * min_th / (max_th - min_th)
*/
p_b = SCALE_MUL((int64_t) fs->c_1, (int64_t) q->avg) - fs->c_2;
}
if (fs->flags_fs & DN_QSIZE_IS_BYTES)
p_b = (p_b * len) / fs->max_pkt_size;
if (++q->count == 0)
q->random = random() & 0xffff;
else {
/*
* q->count counts packets arrived since last drop, so a greater
* value of q->count means a greater packet drop probability.
*/
if (SCALE_MUL(p_b, SCALE((int64_t) q->count)) > q->random) {
q->count = 0;
DPRINTF(("dummynet: - red drop"));
2000-06-08 09:45:23 +00:00
/* after a drop we calculate a new random value */
q->random = random() & 0xffff;
return 1; /* drop */
}
}
/* end of RED algorithm */
return 0 ; /* accept */
}
static __inline
struct dn_flow_set *
locate_flowset(int pipe_nr, struct ip_fw *rule)
2000-06-08 09:45:23 +00:00
{
#if IPFW2
struct dn_flow_set *fs;
ipfw_insn *cmd = rule->cmd + rule->act_ofs;
if (cmd->opcode == O_LOG)
cmd += F_LEN(cmd);
#ifdef __i386__
fs = ((ipfw_insn_pipe *)cmd)->pipe_ptr;
#else
bcopy(& ((ipfw_insn_pipe *)cmd)->pipe_ptr, &fs, sizeof(fs));
#endif
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
if (fs != NULL)
return fs;
2000-06-08 09:45:23 +00:00
if (cmd->opcode == O_QUEUE)
#else /* !IPFW2 */
struct dn_flow_set *fs = NULL ;
if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE )
#endif /* !IPFW2 */
2000-06-08 09:45:23 +00:00
for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next)
;
else {
struct dn_pipe *p1;
for (p1 = all_pipes; p1 && p1->pipe_nr != pipe_nr; p1 = p1->next)
;
if (p1 != NULL)
fs = &(p1->fs) ;
}
/* record for the future */
#if IPFW2
#ifdef __i386__
((ipfw_insn_pipe *)cmd)->pipe_ptr = fs;
#else
bcopy(&fs, & ((ipfw_insn_pipe *)cmd)->pipe_ptr, sizeof(fs));
#endif
#else
if (fs != NULL)
rule->pipe_ptr = fs;
#endif
2000-06-08 09:45:23 +00:00
return fs ;
}
/*
2000-06-08 09:45:23 +00:00
* dummynet hook for packets. Below 'pipe' is a pipe or a queue
* depending on whether WF2Q or fixed bw is used.
*
* pipe_nr pipe or queue the packet is destined for.
* dir where shall we send the packet after dummynet.
* m the mbuf with the packet
* ifp the 'ifp' parameter from the caller.
* NULL in ip_input, destination interface in ip_output,
* real_dst in bdg_forward
* rule matching rule, in case of multiple passes
* flags flags from the caller, only used in ip_output
*
*/
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
static int
dummynet_io(struct mbuf *m, int pipe_nr, int dir, struct ip_fw_args *fwa)
{
struct dn_pkt_tag *pkt;
struct m_tag *mtag;
2000-06-08 09:45:23 +00:00
struct dn_flow_set *fs;
struct dn_pipe *pipe ;
u_int64_t len = m->m_pkthdr.len ;
struct dn_flow_queue *q = NULL ;
int is_pipe;
#if IPFW2
ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs;
#endif
KASSERT(m->m_nextpkt == NULL,
("dummynet_io: mbuf queue passed to dummynet"));
#if IPFW2
if (cmd->opcode == O_LOG)
cmd += F_LEN(cmd);
is_pipe = (cmd->opcode == O_PIPE);
#else
is_pipe = (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE;
#endif
pipe_nr &= 0xffff ;
DUMMYNET_LOCK();
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
/*
* This is a dummynet rule, so we expect an O_PIPE or O_QUEUE rule.
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
*/
fs = locate_flowset(pipe_nr, fwa->rule);
if (fs == NULL)
goto dropit ; /* this queue/pipe does not exist! */
2000-06-08 09:45:23 +00:00
pipe = fs->pipe ;
if (pipe == NULL) { /* must be a queue, try find a matching pipe */
for (pipe = all_pipes; pipe && pipe->pipe_nr != fs->parent_nr;
pipe = pipe->next)
;
2000-06-08 09:45:23 +00:00
if (pipe != NULL)
fs->pipe = pipe ;
else {
printf("dummynet: no pipe %d for queue %d, drop pkt\n",
2000-06-08 09:45:23 +00:00
fs->parent_nr, fs->fs_nr);
goto dropit ;
}
2000-06-08 09:45:23 +00:00
}
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
q = find_queue(fs, &(fwa->f_id));
if ( q == NULL )
goto dropit ; /* cannot allocate queue */
2000-06-08 09:45:23 +00:00
/*
* update statistics, then check reasons to drop pkt
*/
q->tot_bytes += len ;
q->tot_pkts++ ;
2000-06-08 09:45:23 +00:00
if ( fs->plr && random() < fs->plr )
goto dropit ; /* random pkt drop */
2000-06-08 09:45:23 +00:00
if ( fs->flags_fs & DN_QSIZE_IS_BYTES) {
if (q->len_bytes > fs->qsize)
goto dropit ; /* queue size overflow */
2000-06-08 09:45:23 +00:00
} else {
if (q->len >= fs->qsize)
goto dropit ; /* queue count overflow */
}
if ( fs->flags_fs & DN_IS_RED && red_drops(fs, q, len) )
goto dropit ;
/* XXX expensive to zero, see if we can remove it*/
mtag = m_tag_get(PACKET_TAG_DUMMYNET,
sizeof(struct dn_pkt_tag), M_NOWAIT|M_ZERO);
if ( mtag == NULL )
goto dropit ; /* cannot allocate packet header */
m_tag_prepend(m, mtag); /* attach to mbuf chain */
pkt = (struct dn_pkt_tag *)(mtag+1);
/* ok, i can handle the pkt now... */
/* build and enqueue packet + parameters */
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
pkt->rule = fwa->rule ;
pkt->dn_dir = dir ;
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
pkt->ifp = fwa->oif;
Convert ipfw to use PFIL_HOOKS. This is change is transparent to userland and preserves the ipfw ABI. The ipfw core packet inspection and filtering functions have not been changed, only how ipfw is invoked is different. However there are many changes how ipfw is and its add-on's are handled: In general ipfw is now called through the PFIL_HOOKS and most associated magic, that was in ip_input() or ip_output() previously, is now done in ipfw_check_[in|out]() in the ipfw PFIL handler. IPDIVERT is entirely handled within the ipfw PFIL handlers. A packet to be diverted is checked if it is fragmented, if yes, ip_reass() gets in for reassembly. If not, or all fragments arrived and the packet is complete, divert_packet is called directly. For 'tee' no reassembly attempt is made and a copy of the packet is sent to the divert socket unmodified. The original packet continues its way through ip_input/output(). ipfw 'forward' is done via m_tag's. The ipfw PFIL handlers tag the packet with the new destination sockaddr_in. A check if the new destination is a local IP address is made and the m_flags are set appropriately. ip_input() and ip_output() have some more work to do here. For ip_input() the m_flags are checked and a packet for us is directly sent to the 'ours' section for further processing. Destination changes on the input path are only tagged and the 'srcrt' flag to ip_forward() is set to disable destination checks and ICMP replies at this stage. The tag is going to be handled on output. ip_output() again checks for m_flags and the 'ours' tag. If found, the packet will be dropped back to the IP netisr where it is going to be picked up by ip_input() again and the directly sent to the 'ours' section. When only the destination changes, the route's 'dst' is overwritten with the new destination from the forward m_tag. Then it jumps back at the route lookup again and skips the firewall check because it has been marked with M_SKIP_FIREWALL. ipfw 'forward' has to be compiled into the kernel with 'option IPFIREWALL_FORWARD' to enable it. DUMMYNET is entirely handled within the ipfw PFIL handlers. A packet for a dummynet pipe or queue is directly sent to dummynet_io(). Dummynet will then inject it back into ip_input/ip_output() after it has served its time. Dummynet packets are tagged and will continue from the next rule when they hit the ipfw PFIL handlers again after re-injection. BRIDGING and IPFW_ETHER are not changed yet and use ipfw_chk() directly as they did before. Later this will be changed to dedicated ETHER PFIL_HOOKS. More detailed changes to the code: conf/files Add netinet/ip_fw_pfil.c. conf/options Add IPFIREWALL_FORWARD option. modules/ipfw/Makefile Add ip_fw_pfil.c. net/bridge.c Disable PFIL_HOOKS if ipfw for bridging is active. Bridging ipfw is still directly invoked to handle layer2 headers and packets would get a double ipfw when run through PFIL_HOOKS as well. netinet/ip_divert.c Removed divert_clone() function. It is no longer used. netinet/ip_dummynet.[ch] Neither the route 'ro' nor the destination 'dst' need to be stored while in dummynet transit. Structure members and associated macros are removed. netinet/ip_fastfwd.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_fw.h Removed 'ro' and 'dst' from struct ip_fw_args. netinet/ip_fw2.c (Re)moved some global variables and the module handling. netinet/ip_fw_pfil.c New file containing the ipfw PFIL handlers and module initialization. netinet/ip_input.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. ip_forward() does not longer require the 'next_hop' struct sockaddr_in argument. Disable early checks if 'srcrt' is set. netinet/ip_output.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_var.h Add ip_reass() as general function. (Used from ipfw PFIL handlers for IPDIVERT.) netinet/raw_ip.c Directly check if ipfw and dummynet control pointers are active. netinet/tcp_input.c Rework the 'ipfw forward' to local code to work with the new way of forward tags. netinet/tcp_sack.c Remove include 'opt_ipfw.h' which is not needed here. sys/mbuf.h Remove m_claim_next() macro which was exclusively for ipfw 'forward' and is no longer needed. Approved by: re (scottl)
2004-08-17 22:05:54 +00:00
if (dir == DN_TO_IP_OUT)
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
pkt->flags = fwa->flags;
2000-06-08 09:45:23 +00:00
if (q->head == NULL)
q->head = m;
else
q->tail->m_nextpkt = m;
q->tail = m;
q->len++;
q->len_bytes += len ;
if ( q->head != m ) /* flow was not idle, we are done */
goto done;
/*
* If we reach this point the flow was previously idle, so we need
* to schedule it. This involves different actions for fixed-rate or
* WF2Q queues.
*/
if (is_pipe) {
/*
* Fixed-rate queue: just insert into the ready_heap.
*/
2000-06-08 09:45:23 +00:00
dn_key t = 0 ;
if (pipe->bandwidth)
t = SET_TICKS(m, q, pipe);
2000-06-08 09:45:23 +00:00
q->sched_time = curr_time ;
if (t == 0) /* must process it now */
ready_event( q );
2000-06-08 09:45:23 +00:00
else
heap_insert(&ready_heap, curr_time + t , q );
} else {
/*
* WF2Q. First, compute start time S: if the flow was idle (S=F+1)
* set S to the virtual time V for the controlling pipe, and update
* the sum of weights for the pipe; otherwise, remove flow from
* idle_heap and set S to max(F,V).
* Second, compute finish time F = S + len/weight.
* Third, if pipe was idle, update V=max(S, V).
* Fourth, count one more backlogged flow.
2000-06-08 09:45:23 +00:00
*/
if (DN_KEY_GT(q->S, q->F)) { /* means timestamps are invalid */
q->S = pipe->V ;
pipe->sum += fs->weight ; /* add weight of new queue */
} else {
heap_extract(&(pipe->idle_heap), q);
q->S = MAX64(q->F, pipe->V ) ;
}
2000-06-08 09:45:23 +00:00
q->F = q->S + ( len<<MY_M )/(u_int64_t) fs->weight;
if (pipe->not_eligible_heap.elements == 0 &&
pipe->scheduler_heap.elements == 0)
pipe->V = MAX64 ( q->S, pipe->V );
fs->backlogged++ ;
/*
* Look at eligibility. A flow is not eligibile if S>V (when
* this happens, it means that there is some other flow already
* scheduled for the same pipe, so the scheduler_heap cannot be
* empty). If the flow is not eligible we just store it in the
* not_eligible_heap. Otherwise, we store in the scheduler_heap
* and possibly invoke ready_event_wfq() right now if there is
* leftover credit.
* Note that for all flows in scheduler_heap (SCH), S_i <= V,
* and for all flows in not_eligible_heap (NEH), S_i > V .
* So when we need to compute max( V, min(S_i) ) forall i in SCH+NEH,
* we only need to look into NEH.
*/
2000-06-08 09:45:23 +00:00
if (DN_KEY_GT(q->S, pipe->V) ) { /* not eligible */
if (pipe->scheduler_heap.elements == 0)
printf("dummynet: ++ ouch! not eligible but empty scheduler!\n");
2000-06-08 09:45:23 +00:00
heap_insert(&(pipe->not_eligible_heap), q->S, q);
} else {
heap_insert(&(pipe->scheduler_heap), q->F, q);
if (pipe->numbytes >= 0) { /* pipe is idle */
if (pipe->scheduler_heap.elements != 1)
printf("dummynet: OUCH! pipe should have been idle!\n");
DPRINTF(("dummynet: waking up pipe %d at %d\n",
pipe->pipe_nr, (int)(q->F >> MY_M)));
2000-06-08 09:45:23 +00:00
pipe->sched_time = curr_time ;
ready_event_wfq(pipe);
}
}
}
done:
DUMMYNET_UNLOCK();
return 0;
dropit:
if (q)
q->drops++ ;
DUMMYNET_UNLOCK();
m_freem(m);
return ( (fs && (fs->flags_fs & DN_NOERROR)) ? 0 : ENOBUFS);
}
/*
2000-06-08 09:45:23 +00:00
* Below, the rt_unref is only needed when (pkt->dn_dir == DN_TO_IP_OUT)
* Doing this would probably save us the initial bzero of dn_pkt
*/
#define DN_FREE_PKT(_m) do { \
m_freem(_m); \
} while (0)
2000-06-08 09:45:23 +00:00
/*
2000-06-08 09:45:23 +00:00
* Dispose all packets and flow_queues on a flow_set.
* If all=1, also remove red lookup table and other storage,
* including the descriptor itself.
* For the one in dn_pipe MUST also cleanup ready_heap...
*/
static void
2000-06-08 09:45:23 +00:00
purge_flow_set(struct dn_flow_set *fs, int all)
{
struct dn_flow_queue *q, *qn ;
int i ;
DUMMYNET_LOCK_ASSERT();
2000-06-08 09:45:23 +00:00
for (i = 0 ; i <= fs->rq_size ; i++ ) {
for (q = fs->rq[i] ; q ; q = qn ) {
struct mbuf *m, *mnext;
mnext = q->head;
while ((m = mnext) != NULL) {
mnext = m->m_nextpkt;
DN_FREE_PKT(m);
}
qn = q->next ;
free(q, M_DUMMYNET);
}
2000-06-08 09:45:23 +00:00
fs->rq[i] = NULL ;
}
fs->rq_elements = 0 ;
if (all) {
/* RED - free lookup table */
if (fs->w_q_lookup)
free(fs->w_q_lookup, M_DUMMYNET);
2000-06-08 09:45:23 +00:00
if (fs->rq)
free(fs->rq, M_DUMMYNET);
2000-06-08 09:45:23 +00:00
/* if this fs is not part of a pipe, free it */
if (fs->pipe && fs != &(fs->pipe->fs) )
free(fs, M_DUMMYNET);
2000-06-08 09:45:23 +00:00
}
}
/*
* Dispose all packets queued on a pipe (not a flow_set).
* Also free all resources associated to a pipe, which is about
* to be deleted.
*/
static void
purge_pipe(struct dn_pipe *pipe)
{
struct mbuf *m, *mnext;
2000-06-08 09:45:23 +00:00
purge_flow_set( &(pipe->fs), 1 );
mnext = pipe->head;
while ((m = mnext) != NULL) {
mnext = m->m_nextpkt;
DN_FREE_PKT(m);
}
2000-06-08 09:45:23 +00:00
heap_free( &(pipe->scheduler_heap) );
heap_free( &(pipe->not_eligible_heap) );
heap_free( &(pipe->idle_heap) );
}
/*
* Delete all pipes and heaps returning memory. Must also
* remove references from all ipfw rules to all pipes.
*/
static void
dummynet_flush()
{
struct dn_pipe *curr_p, *p ;
2000-06-08 09:45:23 +00:00
struct dn_flow_set *fs, *curr_fs;
DUMMYNET_LOCK();
/* remove all references to pipes ...*/
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
flush_pipe_ptrs(NULL);
/* prevent future matches... */
p = all_pipes ;
all_pipes = NULL ;
2000-06-08 09:45:23 +00:00
fs = all_flow_sets ;
all_flow_sets = NULL ;
/* and free heaps so we don't have unwanted events */
2000-06-08 09:45:23 +00:00
heap_free(&ready_heap);
heap_free(&wfq_ready_heap);
heap_free(&extract_heap);
/*
* Now purge all queued pkts and delete all pipes
*/
2000-06-08 09:45:23 +00:00
/* scan and purge all flow_sets. */
for ( ; fs ; ) {
curr_fs = fs ;
fs = fs->next ;
purge_flow_set(curr_fs, 1);
}
for ( ; p ; ) {
purge_pipe(p);
curr_p = p ;
p = p->next ;
free(curr_p, M_DUMMYNET);
}
DUMMYNET_UNLOCK();
}
2000-06-08 09:45:23 +00:00
extern struct ip_fw *ip_fw_default_rule ;
2000-06-08 09:45:23 +00:00
static void
dn_rule_delete_fs(struct dn_flow_set *fs, void *r)
{
int i ;
struct dn_flow_queue *q ;
struct mbuf *m ;
2000-06-08 09:45:23 +00:00
for (i = 0 ; i <= fs->rq_size ; i++) /* last one is ovflow */
for (q = fs->rq[i] ; q ; q = q->next )
for (m = q->head ; m ; m = m->m_nextpkt ) {
struct dn_pkt_tag *pkt = dn_tag_get(m) ;
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now. The variables removed by this change are: ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output(). On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide. Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations. option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code. NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed. * I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary * this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack. * despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code). MFC after: 10 days
2002-06-22 11:51:02 +00:00
if (pkt->rule == r)
pkt->rule = ip_fw_default_rule ;
}
2000-06-08 09:45:23 +00:00
}
/*
* when a firewall rule is deleted, scan all queues and remove the flow-id
* from packets matching this rule.
*/
void
dn_rule_delete(void *r)
{
struct dn_pipe *p ;
2000-06-08 09:45:23 +00:00
struct dn_flow_set *fs ;
struct dn_pkt_tag *pkt ;
struct mbuf *m ;
DUMMYNET_LOCK();
2000-06-08 09:45:23 +00:00
/*
* If the rule references a queue (dn_flow_set), then scan
* the flow set, otherwise scan pipes. Should do either, but doing
* both does not harm.
*/
for ( fs = all_flow_sets ; fs ; fs = fs->next )
dn_rule_delete_fs(fs, r);
for ( p = all_pipes ; p ; p = p->next ) {
2000-06-08 09:45:23 +00:00
fs = &(p->fs) ;
dn_rule_delete_fs(fs, r);
for (m = p->head ; m ; m = m->m_nextpkt ) {
pkt = dn_tag_get(m) ;
if (pkt->rule == r)
pkt->rule = ip_fw_default_rule ;
}
}
DUMMYNET_UNLOCK();
}
/*
2000-06-08 09:45:23 +00:00
* setup RED parameters
*/
static int
config_red(struct dn_flow_set *p, struct dn_flow_set * x)
{
2000-06-08 09:45:23 +00:00
int i;
x->w_q = p->w_q;
x->min_th = SCALE(p->min_th);
x->max_th = SCALE(p->max_th);
x->max_p = p->max_p;
x->c_1 = p->max_p / (p->max_th - p->min_th);
x->c_2 = SCALE_MUL(x->c_1, SCALE(p->min_th));
if (x->flags_fs & DN_IS_GENTLE_RED) {
x->c_3 = (SCALE(1) - p->max_p) / p->max_th;
x->c_4 = (SCALE(1) - 2 * p->max_p);
}
2000-06-08 09:45:23 +00:00
/* if the lookup table already exist, free and create it again */
if (x->w_q_lookup) {
free(x->w_q_lookup, M_DUMMYNET);
x->w_q_lookup = NULL ;
}
2000-06-08 09:45:23 +00:00
if (red_lookup_depth == 0) {
printf("\ndummynet: net.inet.ip.dummynet.red_lookup_depth must be > 0\n");
free(x, M_DUMMYNET);
2000-06-08 09:45:23 +00:00
return EINVAL;
}
x->lookup_depth = red_lookup_depth;
x->w_q_lookup = (u_int *) malloc(x->lookup_depth * sizeof(int),
M_DUMMYNET, M_NOWAIT);
2000-06-08 09:45:23 +00:00
if (x->w_q_lookup == NULL) {
printf("dummynet: sorry, cannot allocate red lookup table\n");
free(x, M_DUMMYNET);
2000-06-08 09:45:23 +00:00
return ENOSPC;
}
2000-06-08 09:45:23 +00:00
/* fill the lookup table with (1 - w_q)^x */
x->lookup_step = p->lookup_step ;
x->lookup_weight = p->lookup_weight ;
x->w_q_lookup[0] = SCALE(1) - x->w_q;
for (i = 1; i < x->lookup_depth; i++)
x->w_q_lookup[i] = SCALE_MUL(x->w_q_lookup[i - 1], x->lookup_weight);
if (red_avg_pkt_size < 1)
red_avg_pkt_size = 512 ;
x->avg_pkt_size = red_avg_pkt_size ;
if (red_max_pkt_size < 1)
red_max_pkt_size = 1500 ;
x->max_pkt_size = red_max_pkt_size ;
return 0 ;
}
2000-06-08 09:45:23 +00:00
static int
alloc_hash(struct dn_flow_set *x, struct dn_flow_set *pfs)
{
if (x->flags_fs & DN_HAVE_FLOW_MASK) { /* allocate some slots */
int l = pfs->rq_size;
if (l == 0)
l = dn_hash_size;
if (l < 4)
l = 4;
else if (l > DN_MAX_HASH_SIZE)
l = DN_MAX_HASH_SIZE;
2000-06-08 09:45:23 +00:00
x->rq_size = l;
} else /* one is enough for null mask */
x->rq_size = 1;
x->rq = malloc((1 + x->rq_size) * sizeof(struct dn_flow_queue *),
M_DUMMYNET, M_NOWAIT | M_ZERO);
2000-06-08 09:45:23 +00:00
if (x->rq == NULL) {
printf("dummynet: sorry, cannot allocate queue\n");
2000-06-08 09:45:23 +00:00
return ENOSPC;
}
x->rq_elements = 0;
return 0 ;
}
2000-06-08 09:45:23 +00:00
static void
set_fs_parms(struct dn_flow_set *x, struct dn_flow_set *src)
{
x->flags_fs = src->flags_fs;
x->qsize = src->qsize;
x->plr = src->plr;
x->flow_mask = src->flow_mask;
if (x->flags_fs & DN_QSIZE_IS_BYTES) {
if (x->qsize > 1024*1024)
x->qsize = 1024*1024 ;
} else {
if (x->qsize == 0)
x->qsize = 50 ;
if (x->qsize > 100)
x->qsize = 50 ;
}
/* configuring RED */
if ( x->flags_fs & DN_IS_RED )
config_red(src, x) ; /* XXX should check errors */
}
/*
2000-06-08 09:45:23 +00:00
* setup pipe or queue parameters.
*/
static int
2000-06-08 09:45:23 +00:00
config_pipe(struct dn_pipe *p)
{
int i, r;
2000-06-08 09:45:23 +00:00
struct dn_flow_set *pfs = &(p->fs);
struct dn_flow_queue *q;
/*
* The config program passes parameters as follows:
2000-06-08 09:45:23 +00:00
* bw = bits/second (0 means no limits),
* delay = ms, must be translated into ticks.
* qsize = slots/bytes
*/
p->delay = ( p->delay * hz ) / 1000 ;
2000-06-08 09:45:23 +00:00
/* We need either a pipe number or a flow_set number */
if (p->pipe_nr == 0 && pfs->fs_nr == 0)
return EINVAL ;
if (p->pipe_nr != 0 && pfs->fs_nr != 0)
return EINVAL ;
if (p->pipe_nr != 0) { /* this is a pipe */
struct dn_pipe *x, *a, *b;
DUMMYNET_LOCK();
2000-06-08 09:45:23 +00:00
/* locate pipe */
for (a = NULL , b = all_pipes ; b && b->pipe_nr < p->pipe_nr ;
a = b , b = b->next) ;
2000-06-08 09:45:23 +00:00
if (b == NULL || b->pipe_nr != p->pipe_nr) { /* new pipe */
x = malloc(sizeof(struct dn_pipe), M_DUMMYNET, M_NOWAIT | M_ZERO);
if (x == NULL) {
DUMMYNET_UNLOCK();
printf("dummynet: no memory for new pipe\n");
2000-06-08 09:45:23 +00:00
return ENOSPC;
}
2000-06-08 09:45:23 +00:00
x->pipe_nr = p->pipe_nr;
x->fs.pipe = x ;
/* idle_heap is the only one from which we extract from the middle.
*/
x->idle_heap.size = x->idle_heap.elements = 0 ;
x->idle_heap.offset=OFFSET_OF(struct dn_flow_queue, heap_pos);
} else {
2000-06-08 09:45:23 +00:00
x = b;
/* Flush accumulated credit for all queues */
for (i = 0; i <= x->fs.rq_size; i++)
for (q = x->fs.rq[i]; q; q = q->next)
q->numbytes = 0;
}
2000-06-08 09:45:23 +00:00
2003-03-27 15:00:10 +00:00
x->bandwidth = p->bandwidth ;
2000-06-08 09:45:23 +00:00
x->numbytes = 0; /* just in case... */
bcopy(p->if_name, x->if_name, sizeof(p->if_name) );
x->ifp = NULL ; /* reset interface ptr */
2003-03-27 15:00:10 +00:00
x->delay = p->delay ;
2000-06-08 09:45:23 +00:00
set_fs_parms(&(x->fs), pfs);
if ( x->fs.rq == NULL ) { /* a new pipe */
r = alloc_hash(&(x->fs), pfs) ;
if (r) {
DUMMYNET_UNLOCK();
free(x, M_DUMMYNET);
return r ;
}
x->next = b ;
if (a == NULL)
all_pipes = x ;
else
a->next = x ;
}
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
} else { /* config queue */
struct dn_flow_set *x, *a, *b ;
DUMMYNET_LOCK();
2000-06-08 09:45:23 +00:00
/* locate flow_set */
for (a=NULL, b=all_flow_sets ; b && b->fs_nr < pfs->fs_nr ;
a = b , b = b->next) ;
2000-06-08 09:45:23 +00:00
if (b == NULL || b->fs_nr != pfs->fs_nr) { /* new */
if (pfs->parent_nr == 0) { /* need link to a pipe */
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
return EINVAL ;
}
x = malloc(sizeof(struct dn_flow_set), M_DUMMYNET, M_NOWAIT|M_ZERO);
2000-06-08 09:45:23 +00:00
if (x == NULL) {
DUMMYNET_UNLOCK();
printf("dummynet: no memory for new flow_set\n");
2000-06-08 09:45:23 +00:00
return ENOSPC;
}
x->fs_nr = pfs->fs_nr;
x->parent_nr = pfs->parent_nr;
x->weight = pfs->weight ;
if (x->weight == 0)
x->weight = 1 ;
else if (x->weight > 100)
x->weight = 100 ;
} else {
/* Change parent pipe not allowed; must delete and recreate */
if (pfs->parent_nr != 0 && b->parent_nr != pfs->parent_nr) {
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
return EINVAL ;
}
2000-06-08 09:45:23 +00:00
x = b;
}
set_fs_parms(x, pfs);
2000-06-08 09:45:23 +00:00
if ( x->rq == NULL ) { /* a new flow_set */
r = alloc_hash(x, pfs) ;
2003-07-31 10:24:36 +00:00
if (r) {
DUMMYNET_UNLOCK();
free(x, M_DUMMYNET);
return r ;
2000-06-08 09:45:23 +00:00
}
x->next = b;
if (a == NULL)
2000-06-08 09:45:23 +00:00
all_flow_sets = x;
else
2000-06-08 09:45:23 +00:00
a->next = x;
}
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
}
return 0 ;
}
/*
2000-06-08 09:45:23 +00:00
* Helper function to remove from a heap queues which are linked to
* a flow_set about to be deleted.
*/
2000-06-08 09:45:23 +00:00
static void
fs_remove_from_heap(struct dn_heap *h, struct dn_flow_set *fs)
{
int i = 0, found = 0 ;
2000-06-08 09:45:23 +00:00
for (; i < h->elements ;)
if ( ((struct dn_flow_queue *)h->p[i].object)->fs == fs) {
h->elements-- ;
h->p[i] = h->p[h->elements] ;
found++ ;
} else
i++ ;
if (found)
heapify(h);
}
2000-06-08 09:45:23 +00:00
/*
* helper function to remove a pipe from a heap (can be there at most once)
*/
static void
pipe_remove_from_heap(struct dn_heap *h, struct dn_pipe *p)
{
if (h->elements > 0) {
int i = 0 ;
for (i=0; i < h->elements ; i++ ) {
if (h->p[i].object == p) { /* found it */
h->elements-- ;
h->p[i] = h->p[h->elements] ;
heapify(h);
2000-06-08 09:45:23 +00:00
break ;
}
}
}
}
2000-06-08 09:45:23 +00:00
/*
* drain all queues. Called in case of severe mbuf shortage.
*/
void
dummynet_drain()
{
struct dn_flow_set *fs;
struct dn_pipe *p;
struct mbuf *m, *mnext;
2000-06-08 09:45:23 +00:00
DUMMYNET_LOCK_ASSERT();
2000-06-08 09:45:23 +00:00
heap_free(&ready_heap);
heap_free(&wfq_ready_heap);
heap_free(&extract_heap);
/* remove all references to this pipe from flow_sets */
for (fs = all_flow_sets; fs; fs= fs->next )
purge_flow_set(fs, 0);
for (p = all_pipes; p; p= p->next ) {
purge_flow_set(&(p->fs), 0);
mnext = p->head;
while ((m = mnext) != NULL) {
mnext = m->m_nextpkt;
DN_FREE_PKT(m);
}
2000-06-08 09:45:23 +00:00
p->head = p->tail = NULL ;
}
}
/*
* Fully delete a pipe or a queue, cleaning up associated info.
*/
static int
2000-06-08 09:45:23 +00:00
delete_pipe(struct dn_pipe *p)
{
if (p->pipe_nr == 0 && p->fs.fs_nr == 0)
return EINVAL ;
if (p->pipe_nr != 0 && p->fs.fs_nr != 0)
return EINVAL ;
if (p->pipe_nr != 0) { /* this is an old-style pipe */
struct dn_pipe *a, *b;
struct dn_flow_set *fs;
DUMMYNET_LOCK();
2000-06-08 09:45:23 +00:00
/* locate pipe */
for (a = NULL , b = all_pipes ; b && b->pipe_nr < p->pipe_nr ;
a = b , b = b->next) ;
if (b == NULL || (b->pipe_nr != p->pipe_nr) ) {
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
return EINVAL ; /* not found */
}
2000-06-08 09:45:23 +00:00
/* unlink from list of pipes */
if (a == NULL)
all_pipes = b->next ;
else
a->next = b->next ;
/* remove references to this pipe from the ip_fw rules. */
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
flush_pipe_ptrs(&(b->fs));
2000-06-08 09:45:23 +00:00
/* remove all references to this pipe from flow_sets */
for (fs = all_flow_sets; fs; fs= fs->next )
if (fs->pipe == b) {
printf("dummynet: ++ ref to pipe %d from fs %d\n",
2000-06-08 09:45:23 +00:00
p->pipe_nr, fs->fs_nr);
fs->pipe = NULL ;
purge_flow_set(fs, 0);
}
fs_remove_from_heap(&ready_heap, &(b->fs));
purge_pipe(b); /* remove all data associated to this pipe */
/* remove reference to here from extract_heap and wfq_ready_heap */
pipe_remove_from_heap(&extract_heap, b);
pipe_remove_from_heap(&wfq_ready_heap, b);
DUMMYNET_UNLOCK();
free(b, M_DUMMYNET);
} else { /* this is a WF2Q queue (dn_flow_set) */
2000-06-08 09:45:23 +00:00
struct dn_flow_set *a, *b;
DUMMYNET_LOCK();
2000-06-08 09:45:23 +00:00
/* locate set */
for (a = NULL, b = all_flow_sets ; b && b->fs_nr < p->fs.fs_nr ;
a = b , b = b->next) ;
if (b == NULL || (b->fs_nr != p->fs.fs_nr) ) {
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
return EINVAL ; /* not found */
}
2000-06-08 09:45:23 +00:00
if (a == NULL)
all_flow_sets = b->next ;
else
a->next = b->next ;
/* remove references to this flow_set from the ip_fw rules. */
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
flush_pipe_ptrs(b);
2000-06-08 09:45:23 +00:00
if (b->pipe != NULL) {
/* Update total weight on parent pipe and cleanup parent heaps */
b->pipe->sum -= b->weight * b->backlogged ;
fs_remove_from_heap(&(b->pipe->not_eligible_heap), b);
fs_remove_from_heap(&(b->pipe->scheduler_heap), b);
#if 1 /* XXX should i remove from idle_heap as well ? */
fs_remove_from_heap(&(b->pipe->idle_heap), b);
#endif
2000-06-08 09:45:23 +00:00
}
purge_flow_set(b, 1);
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
}
return 0 ;
}
2000-06-08 09:45:23 +00:00
/*
* helper function used to copy data from kernel in DUMMYNET_GET
*/
static char *
dn_copy_set(struct dn_flow_set *set, char *bp)
{
int i, copied = 0 ;
struct dn_flow_queue *q, *qp = (struct dn_flow_queue *)bp;
DUMMYNET_LOCK_ASSERT();
2000-06-08 09:45:23 +00:00
for (i = 0 ; i <= set->rq_size ; i++)
for (q = set->rq[i] ; q ; q = q->next, qp++ ) {
if (q->hash_slot != i)
printf("dummynet: ++ at %d: wrong slot (have %d, "
2000-06-08 09:45:23 +00:00
"should be %d)\n", copied, q->hash_slot, i);
if (q->fs != set)
printf("dummynet: ++ at %d: wrong fs ptr (have %p, should be %p)\n",
2000-06-08 09:45:23 +00:00
i, q->fs, set);
copied++ ;
bcopy(q, qp, sizeof( *q ) );
/* cleanup pointers */
qp->next = NULL ;
qp->head = qp->tail = NULL ;
qp->fs = NULL ;
}
2000-06-08 09:45:23 +00:00
if (copied != set->rq_elements)
printf("dummynet: ++ wrong count, have %d should be %d\n",
2000-06-08 09:45:23 +00:00
copied, set->rq_elements);
return (char *)qp ;
}
static size_t
dn_calc_size(void)
2000-06-08 09:45:23 +00:00
{
struct dn_flow_set *set ;
struct dn_pipe *p ;
size_t size ;
2000-06-08 09:45:23 +00:00
DUMMYNET_LOCK_ASSERT();
2000-06-08 09:45:23 +00:00
/*
* compute size of data structures: list of pipes and flow_sets.
*/
for (p = all_pipes, size = 0 ; p ; p = p->next )
size += sizeof( *p ) +
p->fs.rq_elements * sizeof(struct dn_flow_queue);
for (set = all_flow_sets ; set ; set = set->next )
size += sizeof ( *set ) +
set->rq_elements * sizeof(struct dn_flow_queue);
return size ;
}
static int
dummynet_get(struct sockopt *sopt)
{
char *buf, *bp ; /* bp is the "copy-pointer" */
size_t size ;
struct dn_flow_set *set ;
struct dn_pipe *p ;
int error=0, i ;
/* XXX lock held too long */
DUMMYNET_LOCK();
/*
* XXX: Ugly, but we need to allocate memory with M_WAITOK flag and we
* cannot use this flag while holding a mutex.
*/
for (i = 0; i < 10; i++) {
size = dn_calc_size();
DUMMYNET_UNLOCK();
buf = malloc(size, M_TEMP, M_WAITOK);
DUMMYNET_LOCK();
if (size == dn_calc_size())
break;
free(buf, M_TEMP);
buf = NULL;
}
if (buf == NULL) {
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
return ENOBUFS ;
}
for (p = all_pipes, bp = buf ; p ; p = p->next ) {
struct dn_pipe *pipe_bp = (struct dn_pipe *)bp ;
/*
* copy pipe descriptor into *bp, convert delay back to ms,
* then copy the flow_set descriptor(s) one at a time.
* After each flow_set, copy the queue descriptor it owns.
*/
bcopy(p, bp, sizeof( *p ) );
pipe_bp->delay = (pipe_bp->delay * 1000) / hz ;
/*
* XXX the following is a hack based on ->next being the
* first field in dn_pipe and dn_flow_set. The correct
* solution would be to move the dn_flow_set to the beginning
* of struct dn_pipe.
*/
pipe_bp->next = (struct dn_pipe *)DN_IS_PIPE ;
/* clean pointers */
2000-06-08 09:45:23 +00:00
pipe_bp->head = pipe_bp->tail = NULL ;
pipe_bp->fs.next = NULL ;
pipe_bp->fs.pipe = NULL ;
pipe_bp->fs.rq = NULL ;
bp += sizeof( *p ) ;
bp = dn_copy_set( &(p->fs), bp );
}
for (set = all_flow_sets ; set ; set = set->next ) {
struct dn_flow_set *fs_bp = (struct dn_flow_set *)bp ;
bcopy(set, bp, sizeof( *set ) );
/* XXX same hack as above */
fs_bp->next = (struct dn_flow_set *)DN_IS_QUEUE ;
2000-06-08 09:45:23 +00:00
fs_bp->pipe = NULL ;
fs_bp->rq = NULL ;
bp += sizeof( *set ) ;
bp = dn_copy_set( set, bp );
}
DUMMYNET_UNLOCK();
2000-06-08 09:45:23 +00:00
error = sooptcopyout(sopt, buf, size);
free(buf, M_TEMP);
2000-06-08 09:45:23 +00:00
return error ;
}
/*
* Handler for the various dummynet socket options (get, flush, config, del)
*/
static int
ip_dn_ctl(struct sockopt *sopt)
{
int error = 0 ;
struct dn_pipe *p, tmp_pipe;
/* Disallow sets in really-really secure mode. */
if (sopt->sopt_dir == SOPT_SET) {
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
#if __FreeBSD_version >= 500034
error = securelevel_ge(sopt->sopt_td->td_ucred, 3);
if (error)
return (error);
The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules). The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this: 10.20.30.0/26{18,44,33,22,9} which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes). Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
2002-06-27 23:02:18 +00:00
#else
if (securelevel >= 3)
return (EPERM);
#endif
}
2000-06-08 09:45:23 +00:00
switch (sopt->sopt_name) {
default :
printf("dummynet: -- unknown option %d", sopt->sopt_name);
2000-06-08 09:45:23 +00:00
return EINVAL ;
case IP_DUMMYNET_GET :
error = dummynet_get(sopt);
break ;
case IP_DUMMYNET_FLUSH :
dummynet_flush() ;
break ;
case IP_DUMMYNET_CONFIGURE :
p = &tmp_pipe ;
error = sooptcopyin(sopt, p, sizeof *p, sizeof *p);
if (error)
break ;
error = config_pipe(p);
break ;
case IP_DUMMYNET_DEL : /* remove a pipe or queue */
p = &tmp_pipe ;
error = sooptcopyin(sopt, p, sizeof *p, sizeof *p);
if (error)
break ;
error = delete_pipe(p);
break ;
}
return error ;
}
static void
ip_dn_init(void)
{
if (bootverbose)
printf("DUMMYNET initialized (011031)\n");
DUMMYNET_LOCK_INIT();
all_pipes = NULL ;
2000-06-08 09:45:23 +00:00
all_flow_sets = NULL ;
ready_heap.size = ready_heap.elements = 0 ;
ready_heap.offset = 0 ;
2000-06-08 09:45:23 +00:00
wfq_ready_heap.size = wfq_ready_heap.elements = 0 ;
wfq_ready_heap.offset = 0 ;
2000-06-08 09:45:23 +00:00
extract_heap.size = extract_heap.elements = 0 ;
2000-06-08 09:45:23 +00:00
extract_heap.offset = 0 ;
ip_dn_ctl_ptr = ip_dn_ctl;
ip_dn_io_ptr = dummynet_io;
ip_dn_ruledel_ptr = dn_rule_delete;
callout_init(&dn_timeout, debug_mpsafenet ? CALLOUT_MPSAFE : 0);
callout_reset(&dn_timeout, 1, dummynet, NULL);
}
#ifdef KLD_MODULE
static void
ip_dn_destroy(void)
{
ip_dn_ctl_ptr = NULL;
ip_dn_io_ptr = NULL;
ip_dn_ruledel_ptr = NULL;
callout_stop(&dn_timeout);
dummynet_flush();
DUMMYNET_LOCK_DESTROY();
}
#endif /* KLD_MODULE */
static int
dummynet_modevent(module_t mod, int type, void *data)
{
switch (type) {
case MOD_LOAD:
if (DUMMYNET_LOADED) {
printf("DUMMYNET already loaded\n");
return EEXIST ;
}
ip_dn_init();
break;
case MOD_UNLOAD:
#if !defined(KLD_MODULE)
printf("dummynet statically compiled, cannot unload\n");
return EINVAL ;
#else
ip_dn_destroy();
#endif
break ;
default:
return EOPNOTSUPP;
break ;
}
return 0 ;
}
static moduledata_t dummynet_mod = {
"dummynet",
dummynet_modevent,
NULL
};
Convert ipfw to use PFIL_HOOKS. This is change is transparent to userland and preserves the ipfw ABI. The ipfw core packet inspection and filtering functions have not been changed, only how ipfw is invoked is different. However there are many changes how ipfw is and its add-on's are handled: In general ipfw is now called through the PFIL_HOOKS and most associated magic, that was in ip_input() or ip_output() previously, is now done in ipfw_check_[in|out]() in the ipfw PFIL handler. IPDIVERT is entirely handled within the ipfw PFIL handlers. A packet to be diverted is checked if it is fragmented, if yes, ip_reass() gets in for reassembly. If not, or all fragments arrived and the packet is complete, divert_packet is called directly. For 'tee' no reassembly attempt is made and a copy of the packet is sent to the divert socket unmodified. The original packet continues its way through ip_input/output(). ipfw 'forward' is done via m_tag's. The ipfw PFIL handlers tag the packet with the new destination sockaddr_in. A check if the new destination is a local IP address is made and the m_flags are set appropriately. ip_input() and ip_output() have some more work to do here. For ip_input() the m_flags are checked and a packet for us is directly sent to the 'ours' section for further processing. Destination changes on the input path are only tagged and the 'srcrt' flag to ip_forward() is set to disable destination checks and ICMP replies at this stage. The tag is going to be handled on output. ip_output() again checks for m_flags and the 'ours' tag. If found, the packet will be dropped back to the IP netisr where it is going to be picked up by ip_input() again and the directly sent to the 'ours' section. When only the destination changes, the route's 'dst' is overwritten with the new destination from the forward m_tag. Then it jumps back at the route lookup again and skips the firewall check because it has been marked with M_SKIP_FIREWALL. ipfw 'forward' has to be compiled into the kernel with 'option IPFIREWALL_FORWARD' to enable it. DUMMYNET is entirely handled within the ipfw PFIL handlers. A packet for a dummynet pipe or queue is directly sent to dummynet_io(). Dummynet will then inject it back into ip_input/ip_output() after it has served its time. Dummynet packets are tagged and will continue from the next rule when they hit the ipfw PFIL handlers again after re-injection. BRIDGING and IPFW_ETHER are not changed yet and use ipfw_chk() directly as they did before. Later this will be changed to dedicated ETHER PFIL_HOOKS. More detailed changes to the code: conf/files Add netinet/ip_fw_pfil.c. conf/options Add IPFIREWALL_FORWARD option. modules/ipfw/Makefile Add ip_fw_pfil.c. net/bridge.c Disable PFIL_HOOKS if ipfw for bridging is active. Bridging ipfw is still directly invoked to handle layer2 headers and packets would get a double ipfw when run through PFIL_HOOKS as well. netinet/ip_divert.c Removed divert_clone() function. It is no longer used. netinet/ip_dummynet.[ch] Neither the route 'ro' nor the destination 'dst' need to be stored while in dummynet transit. Structure members and associated macros are removed. netinet/ip_fastfwd.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_fw.h Removed 'ro' and 'dst' from struct ip_fw_args. netinet/ip_fw2.c (Re)moved some global variables and the module handling. netinet/ip_fw_pfil.c New file containing the ipfw PFIL handlers and module initialization. netinet/ip_input.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. ip_forward() does not longer require the 'next_hop' struct sockaddr_in argument. Disable early checks if 'srcrt' is set. netinet/ip_output.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. netinet/ip_var.h Add ip_reass() as general function. (Used from ipfw PFIL handlers for IPDIVERT.) netinet/raw_ip.c Directly check if ipfw and dummynet control pointers are active. netinet/tcp_input.c Rework the 'ipfw forward' to local code to work with the new way of forward tags. netinet/tcp_sack.c Remove include 'opt_ipfw.h' which is not needed here. sys/mbuf.h Remove m_claim_next() macro which was exclusively for ipfw 'forward' and is no longer needed. Approved by: re (scottl)
2004-08-17 22:05:54 +00:00
DECLARE_MODULE(dummynet, dummynet_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
MODULE_DEPEND(dummynet, ipfw, 2, 2, 2);
MODULE_VERSION(dummynet, 1);