Remove the recently added sysctl variable net.pfil.forward.
Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set. Suggested by: andre
This commit is contained in:
parent
99cf02c7fd
commit
4354018055
5
UPDATING
5
UPDATING
@ -24,10 +24,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10.x IS SLOW:
|
||||
disable the most expensive debugging functionality run
|
||||
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
|
||||
|
||||
20121025:
|
||||
20121102:
|
||||
The IPFIREWALL_FORWARD kernel option has been removed. Its
|
||||
functionality now can be turned on using the net.pfil.forward
|
||||
sysctl variable.
|
||||
functionality now turned on by default.
|
||||
|
||||
20121023:
|
||||
The ZERO_COPY_SOCKET kernel option has been removed and
|
||||
|
@ -774,14 +774,6 @@ This makes the
|
||||
.Xr netstat 1
|
||||
entry look rather weird but is intended for
|
||||
use with transparent proxy servers.
|
||||
.Pp
|
||||
To enable
|
||||
.Cm fwd
|
||||
the
|
||||
.Xr sysctl 8
|
||||
variable
|
||||
.Va net.pfil.forward
|
||||
should be set to 1.
|
||||
.It Cm nat Ar nat_nr | tablearg
|
||||
Pass packet to a
|
||||
nat instance
|
||||
|
@ -37,7 +37,6 @@
|
||||
#include <sys/rmlock.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/socketvar.h>
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/condvar.h>
|
||||
#include <sys/lock.h>
|
||||
@ -65,11 +64,6 @@ VNET_DEFINE(struct pfilheadhead, pfil_head_list);
|
||||
VNET_DEFINE(struct rmlock, pfil_lock);
|
||||
#define V_pfil_lock VNET(pfil_lock)
|
||||
|
||||
VNET_DEFINE(int, pfilforward) = 0;
|
||||
SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface");
|
||||
SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW,
|
||||
&VNET_NAME(pfilforward), 0,
|
||||
"Enable forwarding performed by packet filters");
|
||||
/*
|
||||
* pfil_run_hooks() runs the specified packet filter hooks.
|
||||
*/
|
||||
|
@ -38,14 +38,11 @@
|
||||
#include <sys/_mutex.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/rmlock.h>
|
||||
#include <net/vnet.h>
|
||||
|
||||
struct mbuf;
|
||||
struct ifnet;
|
||||
struct inpcb;
|
||||
|
||||
VNET_DECLARE(int, pfilforward);
|
||||
#define V_pfilforward VNET(pfilforward)
|
||||
/*
|
||||
* The packet filter hooks are designed for anything to call them to
|
||||
* possibly intercept the packet.
|
||||
|
@ -446,7 +446,7 @@ ip_fastforward(struct mbuf *m)
|
||||
/*
|
||||
* Destination address changed?
|
||||
*/
|
||||
if (V_pfilforward != 0)
|
||||
if (m->m_flags & M_IP_NEXTHOP)
|
||||
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
|
||||
if (odest.s_addr != dest.s_addr || fwd_tag != NULL) {
|
||||
/*
|
||||
@ -469,6 +469,7 @@ ip_fastforward(struct mbuf *m)
|
||||
dest.s_addr = ((struct sockaddr_in *)
|
||||
(fwd_tag + 1))->sin_addr.s_addr;
|
||||
m_tag_delete(m, fwd_tag);
|
||||
m->m_flags &= ~M_IP_NEXTHOP;
|
||||
}
|
||||
RTFREE(ro.ro_rt);
|
||||
if ((dst = ip_findroute(&ro, dest, m)) == NULL)
|
||||
|
@ -509,23 +509,22 @@ ip_input(struct mbuf *m)
|
||||
dchg = (odst.s_addr != ip->ip_dst.s_addr);
|
||||
ifp = m->m_pkthdr.rcvif;
|
||||
|
||||
if (V_pfilforward == 0)
|
||||
goto passin;
|
||||
|
||||
if (m->m_flags & M_FASTFWD_OURS) {
|
||||
m->m_flags &= ~M_FASTFWD_OURS;
|
||||
goto ours;
|
||||
}
|
||||
if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) {
|
||||
/*
|
||||
* Directly ship the packet on. This allows forwarding
|
||||
* packets originally destined to us to some other directly
|
||||
* connected host.
|
||||
*/
|
||||
ip_forward(m, dchg);
|
||||
return;
|
||||
if (m->m_flags & M_IP_NEXTHOP) {
|
||||
dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
|
||||
if (dchg != 0) {
|
||||
/*
|
||||
* Directly ship the packet on. This allows
|
||||
* forwarding packets originally destined to us
|
||||
* to some other directly connected host.
|
||||
*/
|
||||
ip_forward(m, 1);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
passin:
|
||||
|
||||
/*
|
||||
|
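Review bot: In the new `if (m->m_flags & M_IP_NEXTHOP)` block, `dchg` computed just above from `odst`/`ip->ip_dst` is overwritten with the tag-lookup result, so a packet whose flag is set but whose tag is absent falls through to `passin` with `dchg` forced to 0 even though the destination did change. The ip6_input hunk in this commit keeps the two conditions separate and leaves `srcrt` untouched; the same shape here avoids the clobber: `if ((m->m_flags & M_IP_NEXTHOP) && m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { ip_forward(m, 1); return; }`. Whether a stale flag without a tag can actually reach this point depends on code outside the hunk; if it cannot, a one-line comment stating that the flag implies the tag is present would make that invariant explicit. ip_input continues outside the hunk.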
@ -537,9 +537,6 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
|
||||
}
|
||||
}
|
||||
|
||||
if (V_pfilforward == 0)
|
||||
goto passout;
|
||||
|
||||
/* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */
|
||||
if (m->m_flags & M_FASTFWD_OURS) {
|
||||
if (m->m_pkthdr.rcvif == NULL)
|
||||
@ -560,11 +557,12 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
|
||||
goto done;
|
||||
}
|
||||
/* Or forward to some other address? */
|
||||
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
|
||||
if (fwd_tag) {
|
||||
if ((m->m_flags & M_IP_NEXTHOP) &&
|
||||
(fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
|
||||
dst = (struct sockaddr_in *)&ro->ro_dst;
|
||||
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
|
||||
m->m_flags |= M_SKIP_FIREWALL;
|
||||
m->m_flags &= ~M_IP_NEXTHOP;
|
||||
m_tag_delete(m, fwd_tag);
|
||||
if (ia != NULL)
|
||||
ifa_free(&ia->ia_ifa);
|
||||
|
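Review bot: The order of clearing the flag and deleting the tag is inconsistent across the commit: here `m->m_flags &= ~M_IP_NEXTHOP;` precedes `m_tag_delete(m, fwd_tag);`, while the ip_fastfwd, tcp_input and udp_input hunks delete the tag first and then clear the flag. Both orders are equivalent since nothing runs between the two statements, but one convention makes the flag/tag pairing easier to audit wherever the tag is consumed. The same applies to the ip6_forward and ip6_output hunks, which clear `M_IP6_NEXTHOP` before the delete. ip_output continues outside the hunk.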
@ -163,6 +163,7 @@ void kmod_ipstat_dec(int statnum);
|
||||
* mbuf flag used by ip_fastfwd
|
||||
*/
|
||||
#define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */
|
||||
#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */
|
||||
|
||||
#ifdef __NO_STRICT_ALIGNMENT
|
||||
#define IP_HDR_ALIGNED_P(ip) 1
|
||||
|
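Review bot: The new `M_IP_NEXTHOP` definition carries only `/* explicit ip nexthop */`, which does not state what the flag guarantees; the rest of the commit treats it as "a PACKET_TAG_IPFORWARD tag is on the chain" and clears it wherever that tag is deleted. Suggest `#define M_IP_NEXTHOP M_PROTO2 /* PACKET_TAG_IPFORWARD tag present; clear when the tag is deleted */`, and the block comment above it, `mbuf flag used by ip_fastfwd`, now also covers ip_input, ip_output, tcp_input and udp_input. The companion `M_IP6_NEXTHOP` in the ip6_var.h hunk is also `M_PROTO2` and its comment says "ip nexthop" rather than ip6; since the tcp_input hunk tests the IPv4 name for both families, a comment on each definition pointing at the other would stop a later renumbering of one of them from silently changing IPv6 behaviour.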
@ -75,7 +75,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <vm/uma.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/pfil.h>
|
||||
#include <net/route.h>
|
||||
#include <net/vnet.h>
|
||||
|
||||
@ -781,7 +780,7 @@ tcp_input(struct mbuf *m, int off0)
|
||||
/*
|
||||
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
|
||||
*/
|
||||
if (V_pfilforward != 0)
|
||||
if (m->m_flags & M_IP_NEXTHOP)
|
||||
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
|
||||
|
||||
#ifdef INET6
|
||||
@ -810,6 +809,7 @@ tcp_input(struct mbuf *m, int off0)
|
||||
}
|
||||
/* Remove the tag from the packet. We don't need it anymore. */
|
||||
m_tag_delete(m, fwd_tag);
|
||||
m->m_flags &= ~M_IP_NEXTHOP;
|
||||
} else if (isipv6) {
|
||||
inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src,
|
||||
th->th_sport, &ip6->ip6_dst, th->th_dport,
|
||||
@ -846,6 +846,7 @@ tcp_input(struct mbuf *m, int off0)
|
||||
}
|
||||
/* Remove the tag from the packet. We don't need it anymore. */
|
||||
m_tag_delete(m, fwd_tag);
|
||||
m->m_flags &= ~M_IP_NEXTHOP;
|
||||
} else
|
||||
inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src,
|
||||
th->th_sport, ip->ip_dst, th->th_dport,
|
||||
|
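Review bot: The lookup gate `if (m->m_flags & M_IP_NEXTHOP)` and the clear at the end of the IPv6 branch (`m->m_flags &= ~M_IP_NEXTHOP;` just before `} else if (isipv6)`) use the IPv4 name for both address families, while the ip_fw_pfil hunk sets `M_IP6_NEXTHOP` on IPv6 packets. This works only because both macros expand to `M_PROTO2` in the ip_var.h and ip6_var.h hunks, an equality nothing in the diff checks; if either definition is later moved to a different M_PROTOn bit, IPv6 next-hop tags would stop being looked up here with no compile-time signal. Either test the family-specific name (`isipv6 ? M_IP6_NEXTHOP : M_IP_NEXTHOP`, under the existing INET6 conditionals, assuming `isipv6` is already set at that point) or add `CTASSERT(M_IP_NEXTHOP == M_IP6_NEXTHOP);` under `#ifdef INET6` near the includes. tcp_input's body continues outside the hunks.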
@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <vm/uma.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/pfil.h>
|
||||
#include <net/route.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
@ -549,7 +548,7 @@ udp_input(struct mbuf *m, int off)
|
||||
/*
|
||||
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
|
||||
*/
|
||||
if (V_pfilforward != 0 &&
|
||||
if ((m->m_flags & M_IP_NEXTHOP) &&
|
||||
(fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
|
||||
struct sockaddr_in *next_hop;
|
||||
|
||||
@ -575,6 +574,7 @@ udp_input(struct mbuf *m, int off)
|
||||
}
|
||||
/* Remove the tag from the packet. We don't need it anymore. */
|
||||
m_tag_delete(m, fwd_tag);
|
||||
m->m_flags &= ~M_IP_NEXTHOP;
|
||||
} else
|
||||
inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport,
|
||||
ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD |
|
||||
|
@ -592,8 +592,6 @@ ip6_forward(struct mbuf *m, int srcrt)
|
||||
goto again; /* Redo the routing table lookup. */
|
||||
}
|
||||
|
||||
if (V_pfilforward == 0)
|
||||
goto pass;
|
||||
/* See if local, if yes, send it to netisr. */
|
||||
if (m->m_flags & M_FASTFWD_OURS) {
|
||||
if (m->m_pkthdr.rcvif == NULL)
|
||||
@ -611,11 +609,12 @@ ip6_forward(struct mbuf *m, int srcrt)
|
||||
goto out;
|
||||
}
|
||||
/* Or forward to some other address? */
|
||||
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
|
||||
if (fwd_tag) {
|
||||
if ((m->m_flags & M_IP6_NEXTHOP) &&
|
||||
(fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
|
||||
dst = (struct sockaddr_in6 *)&rin6.ro_dst;
|
||||
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
|
||||
m->m_flags |= M_SKIP_FIREWALL;
|
||||
m->m_flags &= ~M_IP6_NEXTHOP;
|
||||
m_tag_delete(m, fwd_tag);
|
||||
goto again2;
|
||||
}
|
||||
|
@ -628,15 +628,14 @@ ip6_input(struct mbuf *m)
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
|
||||
|
||||
if (V_pfilforward == 0)
|
||||
goto passin;
|
||||
if (m->m_flags & M_FASTFWD_OURS) {
|
||||
m->m_flags &= ~M_FASTFWD_OURS;
|
||||
ours = 1;
|
||||
deliverifp = m->m_pkthdr.rcvif;
|
||||
goto hbhcheck;
|
||||
}
|
||||
if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
|
||||
if ((m->m_flags & M_IP6_NEXTHOP) &&
|
||||
m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
|
||||
/*
|
||||
* Directly ship the packet on. This allows forwarding
|
||||
* packets originally destined to us to some other directly
|
||||
|
@ -913,8 +913,6 @@ skip_ipsec2:;
|
||||
goto again; /* Redo the routing table lookup. */
|
||||
}
|
||||
|
||||
if (V_pfilforward == 0)
|
||||
goto passout;
|
||||
/* See if local, if yes, send it to netisr. */
|
||||
if (m->m_flags & M_FASTFWD_OURS) {
|
||||
if (m->m_pkthdr.rcvif == NULL)
|
||||
@ -932,11 +930,12 @@ skip_ipsec2:;
|
||||
goto done;
|
||||
}
|
||||
/* Or forward to some other address? */
|
||||
fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
|
||||
if (fwd_tag) {
|
||||
if ((m->m_flags & M_IP6_NEXTHOP) &&
|
||||
(fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
|
||||
dst = (struct sockaddr_in6 *)&ro->ro_dst;
|
||||
bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6));
|
||||
m->m_flags |= M_SKIP_FIREWALL;
|
||||
m->m_flags &= ~M_IP6_NEXTHOP;
|
||||
m_tag_delete(m, fwd_tag);
|
||||
goto again;
|
||||
}
|
||||
|
@ -285,6 +285,8 @@ struct ip6aux {
|
||||
#define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */
|
||||
#define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */
|
||||
|
||||
#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */
|
||||
|
||||
#ifdef __NO_STRICT_ALIGNMENT
|
||||
#define IP6_HDR_ALIGNED_P(ip) 1
|
||||
#else
|
||||
|
@ -92,7 +92,6 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/if_types.h>
|
||||
#include <net/pfil.h>
|
||||
#include <net/route.h>
|
||||
|
||||
#include <netinet/in.h>
|
||||
@ -396,7 +395,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
|
||||
/*
|
||||
* Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain.
|
||||
*/
|
||||
if (V_pfilforward != 0 &&
|
||||
if ((m->m_flags & M_IP6_NEXTHOP) &&
|
||||
(fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) {
|
||||
struct sockaddr_in6 *next_hop6;
|
||||
|
||||
@ -423,6 +422,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
|
||||
}
|
||||
/* Remove the tag from the packet. We don't need it anymore. */
|
||||
m_tag_delete(m, fwd_tag);
|
||||
m->m_flags &= ~M_IP6_NEXTHOP;
|
||||
} else
|
||||
inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src,
|
||||
uh->uh_sport, &ip6->ip6_dst, uh->uh_dport,
|
||||
|
@ -2535,7 +2535,6 @@ ipfw_init(void)
|
||||
"(+ipv6) "
|
||||
#endif
|
||||
"initialized, divert %s, nat %s, "
|
||||
"rule-based forwarding turned %s, "
|
||||
"default to %s, logging ",
|
||||
#ifdef IPDIVERT
|
||||
"enabled",
|
||||
@ -2547,7 +2546,6 @@ ipfw_init(void)
|
||||
#else
|
||||
"loadable",
|
||||
#endif
|
||||
V_pfilforward ? "on": "off",
|
||||
default_to_accept ? "accept" : "deny");
|
||||
|
||||
/*
|
||||
|
@ -159,8 +159,6 @@ ipfw_check_packet(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
|
||||
/* next_hop may be set by ipfw_chk */
|
||||
if (args.next_hop == NULL && args.next_hop6 == NULL)
|
||||
break; /* pass */
|
||||
if (V_pfilforward == 0)
|
||||
break;
|
||||
#if (!defined(INET6) && !defined(INET))
|
||||
ret = EACCES;
|
||||
#else
|
||||
@ -201,6 +199,7 @@ ipfw_check_packet(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
|
||||
bcopy(args.next_hop6, (fwd_tag+1), len);
|
||||
if (in6_localip(&args.next_hop6->sin6_addr))
|
||||
(*m0)->m_flags |= M_FASTFWD_OURS;
|
||||
(*m0)->m_flags |= M_IP6_NEXTHOP;
|
||||
}
|
||||
#endif
|
||||
#ifdef INET
|
||||
@ -208,6 +207,7 @@ ipfw_check_packet(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir,
|
||||
bcopy(args.next_hop, (fwd_tag+1), len);
|
||||
if (in_localip(args.next_hop->sin_addr))
|
||||
(*m0)->m_flags |= M_FASTFWD_OURS;
|
||||
(*m0)->m_flags |= M_IP_NEXTHOP;
|
||||
}
|
||||
#endif
|
||||
m_tag_prepend(*m0, fwd_tag);
|
||||
|