Always compile PFIL_HOOKS into the kernel and remove the associated kernel

compile option. All FreeBSD packet filters now use the PFIL_HOOKS API and thus it becomes a standard part of the network stack. If no hooks are connected the entire packet filter hooks section and related activities are jumped over. This removes any performance impact if no hooks are active. Both OpenBSD and DragonFlyBSD have integrated PFIL_HOOKS permanently as well.
2004-08-27 15:16:24 +00:00 · 2004-08-27 15:16:24 +00:00 · c21fd23260
commit c21fd23260
parent 9e4211a1b8
25 changed files with 58 additions and 123 deletions
--- a/4
+++ b/4
@ -23,6 +23,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 6.x IS SLOW:
 	developers choose to disable these features on build machines
 	to maximize performance.

+20040827:
+	PFIL_HOOKS are a fixed part of the network stack now and do not
+	need to be specified in the kernel configuration file anymore.
+
 20040819:
 	Netgraph changed its message format slightly to align the data
 	portion well on 64 bit machines.
--- a/share/man/man4/ipfirewall.4
+++ b/share/man/man4/ipfirewall.4
@ -46,8 +46,6 @@ logging
 enable
 .Xr divert 4
 sockets
-.It Dv PFIL_HOOKS
-add packet filter hooks
 .El
 .Sh SEE ALSO
 .Xr setsockopt 2 ,
--- a/share/man/man9/pfil.9
+++ b/share/man/man9/pfil.9
@ -122,12 +122,6 @@ The filter returns an error (errno) if the packet processing is to stop, or 0
 if the processing is to continue.
 If the packet processing is to stop, it is the responsibility of the
 filter to free the packet.
-.Pp
-The
-.Nm
-interface is enabled in the kernel via the
-.Dv PFIL_HOOKS
-option.
 .Sh RETURN VALUES
 If successful,
 .Fn pfil_head_get
--- a/sys/alpha/conf/GENERIC
+++ b/sys/alpha/conf/GENERIC
@ -69,7 +69,6 @@ options 	SYSVSHM			#SYSV-style shared memory
 options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
-options 	PFIL_HOOKS		# pfil(9) framework

 # Debugging for use in -current
 options 	KDB			#Enable kernel debugger support
--- a/sys/amd64/conf/GENERIC
+++ b/sys/amd64/conf/GENERIC
@ -57,7 +57,6 @@ options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
 					# output.  Adds ~128k to driver.
 options 	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
 					# output.  Adds ~215k to driver.
-options 	PFIL_HOOKS		# pfil(9) framework
 options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.

 # Debugging for use in -current
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@ -544,7 +544,6 @@ device		musycc	# LMC/SBE LMC1504 quad T1/E1
 #  The `pflog' device provides the pflog0 interface which logs packets.
 #  The `pfsync' device provides the pfsync0 interface used for
 #   synchronization of firewall state tables (over the net).
-# Requires option PFIL_HOOKS
 #
 # The PPP_BSDCOMP option enables support for compress(1) style entire
 # packet compression, the PPP_DEFLATE is for zlib/gzip style compression.
@ -599,7 +598,6 @@ device		stf			#6to4 IPv6 over IPv4 encapsulation
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
 # logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
 # limits the number of times a matching entry can be logged.
-# IPFIREWALL requires the option PFIL_HOOKS.
 #
 # WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
 # and if you do not add other rules during startup to allow access,
@ -622,10 +620,6 @@ device		stf			#6to4 IPv6 over IPv4 encapsulation
 # packets without touching the ttl).  This can be useful to hide firewalls
 # from traceroute and similar tools.
 #
-# PFIL_HOOKS enables an abstraction layer which is meant to be used in
-# network code where filtering is required.  See pfil(9).  This option is
-# required by the IPFILTER option and the PF device.
-#
 # TCPDEBUG enables code which keeps traces of the TCP state machine
 # for sockets with the SO_DEBUG option set, which can then be examined
 # using the trpt(8) utility.
@ -645,7 +639,6 @@ options 	IPFILTER		#ipfilter support
 options 	IPFILTER_LOG		#ipfilter logging
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
 options 	IPSTEALTH		#support for stealth forwarding
-options 	PFIL_HOOKS		#required by IPFILTER
 options 	TCPDEBUG

 # The MBUF_STRESS_TEST option enables options which create
--- a/sys/conf/files
+++ b/sys/conf/files
@ -1264,8 +1264,8 @@ net/net_osdep.c		standard
 net/netisr.c		standard
 net/ppp_deflate.c	optional ppp_deflate
 net/ppp_tty.c		optional ppp
-net/pfil.c		optional pfil_hooks
-net/pfil.c		optional ipfilter
+net/pfil.c		optional ether
+net/pfil.c		optional inet
 net/radix.c		standard
 net/raw_cb.c		standard
 net/raw_usrreq.c	standard
--- a/sys/conf/options
+++ b/sys/conf/options
@ -344,7 +344,6 @@ DUMMYNET		opt_ipdn.h
 IPFILTER		opt_ipfilter.h
 IPFILTER_LOG		opt_ipfilter.h
 IPFILTER_DEFAULT_BLOCK	opt_ipfilter.h
-PFIL_HOOKS		opt_pfil_hooks.h
 IPFIREWALL		opt_ipfw.h
 IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
--- a/sys/i386/conf/GENERIC
+++ b/sys/i386/conf/GENERIC
@ -58,7 +58,6 @@ options 	AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
 					# output.  Adds ~128k to driver.
 options 	AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
 					# output.  Adds ~215k to driver.
-options 	PFIL_HOOKS		# pfil(9) framework
 options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.

 # Debugging for use in -current
--- a/sys/ia64/conf/GENERIC
+++ b/sys/ia64/conf/GENERIC
@ -40,7 +40,6 @@ options 	MSDOSFS		# MSDOS Filesystem
 options 	NFSCLIENT	# Network Filesystem Client
 options 	NFSSERVER	# Network Filesystem Server
 options 	NFS_ROOT	# NFS usable as root device
-options 	PFIL_HOOKS	# pfil(9) framework
 options 	PROCFS		# Process filesystem (/proc)
 options 	PSEUDOFS	# Pseudo-filesystem framework
 options 	SCHED_ULE	# ULE scheduler
--- a/sys/ia64/conf/SKI
+++ b/sys/ia64/conf/SKI
@ -35,7 +35,6 @@ options 	INET6		# IPv6 communications protocols
 options 	KDB		# Enable kernel debugger support
 options 	KTRACE		# ktrace(1) syscall trace support
 options 	MD_ROOT		# MD usable as root device
-options 	PFIL_HOOKS	# pfil(9) framework
 options 	PROCFS		# Process filesystem (/proc)
 options 	PSEUDOFS	# Pseudo-filesystem framework
 options 	SCHED_ULE	# ULE scheduler
--- a/sys/modules/bridge/Makefile
+++ b/sys/modules/bridge/Makefile
@ -5,13 +5,4 @@ KMOD=	bridge
 SRCS=	bridge.c
 SRCS+=	opt_pfil_hooks.h

-#
-# By default don't enable pfil hooks support.  This means you
-# cannot use ipfilter together with the bridge.  To enable it
-# uncomment the line below
-#
-opt_pfil_hooks.h:
-#	echo "#define PFIL_HOOKS 1" > opt_pfil_hooks.h
-	touch opt_pfil_hooks.h
-
 .include <bsd.kmod.mk>
--- a/sys/net/bridge.c
+++ b/sys/net/bridge.c
@ -87,7 +87,6 @@
 *  - be very careful when bridging VLANs
 *  - loop detection is still not very robust.
 */
-#include "opt_pfil_hooks.h"

 #include <sys/param.h>
 #include <sys/mbuf.h>
@ -105,16 +104,13 @@
 #include <net/if_arp.h>		/* for struct arpcom */
 #include <net/if_types.h>
 #include <net/if_var.h>
+#include <net/pfil.h>

 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
-
-#ifdef PFIL_HOOKS
-#include <net/pfil.h>
 #include <netinet/ip_var.h>
-#endif

 #include <net/route.h>
 #include <netinet/ip_fw.h>
@ -965,9 +961,7 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst)
     * and pkts already gone through a pipe.
     */
    if (src != NULL && (
-#ifdef PFIL_HOOKS
 	(inet_pfil_hook.ph_busy_count >= 0 && bdg_ipf != 0) ||
-#endif
 	(IPFW_LOADED && bdg_ipfw != 0))) {

 	int i;
@ -998,7 +992,6 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst)
 	bcopy(eh, &save_eh, ETHER_HDR_LEN);	/* local copy for restore */
 	m_adj(m0, ETHER_HDR_LEN);		/* temporarily strip header */

-#ifdef PFIL_HOOKS
 	/*
 	 * NetBSD-style generic packet filter, pfil(9), hooks.
 	 * Enables ipf(8) in bridging.
@ -1031,7 +1024,6 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst)
 	    ip->ip_off = htons(ip->ip_off);
 	}
 	} /* XXX: Prevent ipfw from being run twice. */
-#endif /* PFIL_HOOKS */

 	/*
 	 * Prepare arguments and call the firewall.
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@ -77,7 +77,6 @@

 #include "opt_ipfw.h"
 #include "opt_ipstealth.h"
-#include "opt_pfil_hooks.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -353,10 +352,13 @@ ip_fastforward(struct mbuf *m)
 	ip->ip_off = ntohs(ip->ip_off);

 	odest.s_addr = dest.s_addr = ip->ip_dst.s_addr;
-#ifdef PFIL_HOOKS
+
 	/*
 	 * Run through list of ipfilter hooks for input packets
 	 */
+	if (inet_pfil_hook.ph_busy_count == -1)
+		goto passin;
+
 	if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) ||
 	    m == NULL)
 		return 1;
@ -388,8 +390,8 @@ ip_fastforward(struct mbuf *m)
 		goto forwardlocal;
 	}
 #endif /* IPFIREWALL_FORWARD */
-#endif /* PFIL_HOOKS */

+passin:
 	/*
 	 * Step 4: decrement TTL and look up route
 	 */
@ -429,10 +431,12 @@ ip_fastforward(struct mbuf *m)
 	 * Step 5: outgoing firewall packet processing
 	 */

-#ifdef PFIL_HOOKS
 	/*
 	 * Run through list of hooks for output packets.
 	 */
+	if (inet_pfil_hook.ph_busy_count == -1)
+		goto passout;
+
 	if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT) || m == NULL) {
 		goto consumed;
 	}
@ -489,8 +493,8 @@ ip_fastforward(struct mbuf *m)
 			return 1;	/* icmp unreach already sent */
 		ifp = ro.ro_rt->rt_ifp;
 	}
-#endif /* PFIL_HOOKS */

+passout:
 	/*
 	 * Step 6: send off the packet
 	 */
--- a/sys/netinet/ip_fw_pfil.c
+++ b/sys/netinet/ip_fw_pfil.c
@ -30,15 +30,11 @@
 #include "opt_ipfw.h"
 #include "opt_ipdn.h"
 #include "opt_ipdivert.h"
-#include "opt_pfil_hooks.h"
 #include "opt_inet.h"
 #ifndef INET
 #error IPFIREWALL requires INET.
 #endif /* INET */
-#if !defined(PFIL_HOOKS)
-#error IPFIREWALL requires PFIL_HOOKS.
-#endif
-#endif
+#endif /* KLD_MODULE */

 #include <sys/param.h>
 #include <sys/systm.h>
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -35,7 +35,6 @@
 #include "opt_ipstealth.h"
 #include "opt_ipsec.h"
 #include "opt_mac.h"
-#include "opt_pfil_hooks.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -156,9 +155,8 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW,
 #ifdef DIAGNOSTIC
 static int	ipprintfs = 0;
 #endif
-#ifdef PFIL_HOOKS
-struct pfil_head inet_pfil_hook;
-#endif
+
+struct pfil_head inet_pfil_hook;	/* Packet filter hooks */

 static struct	ifqueue ipintrq;
 static int	ipqmaxlen = IFQ_MAXLEN;
@ -264,13 +262,12 @@ ip_init()
 		    pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
 			ip_protox[pr->pr_protocol] = pr - inetsw;

-#ifdef PFIL_HOOKS
+	/* Initialize packet filter hooks. */
 	inet_pfil_hook.ph_type = PFIL_TYPE_AF;
 	inet_pfil_hook.ph_af = AF_INET;
 	if ((i = pfil_head_register(&inet_pfil_hook)) != 0)
 		printf("%s: WARNING: unable to register pfil hook, "
 			"error %d\n", __func__, i);
-#endif /* PFIL_HOOKS */

 	IPQ_LOCK_INIT();
 	for (i = 0; i < IPREASS_NHASH; i++)
@ -298,9 +295,7 @@ ip_input(struct mbuf *m)
 	int    checkif, hlen = 0;
 	u_short sum;
 	int dchg = 0;				/* dest changed after fw */
-#ifdef PFIL_HOOKS
 	struct in_addr odst;			/* original dst address */
-#endif
 #ifdef FAST_IPSEC
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
@ -414,17 +409,16 @@ ip_input(struct mbuf *m)
 	 * Bypass packet filtering for packets from a tunnel (gif).
 	 */
 	if (ipsec_getnhist(m))
-		goto pass;
+		goto passin;
 #endif
 #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
 	/*
 	 * Bypass packet filtering for packets from a tunnel (gif).
 	 */
 	if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
-		goto pass;
+		goto passin;
 #endif

-#ifdef PFIL_HOOKS
 	/*
 	 * Run through list of hooks for input packets.
 	 *
@ -432,6 +426,11 @@ ip_input(struct mbuf *m)
 	 *     by NAT rewriting).  When this happens, tell
 	 *     ip_forward to do the right thing.
 	 */
+
+	/* Jump over all PFIL processing if hooks are not active. */
+	if (inet_pfil_hook.ph_busy_count == -1)
+		goto passin;
+
 	odst = ip->ip_dst;
 	if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
 	    PFIL_IN) != 0)
@ -450,12 +449,7 @@ ip_input(struct mbuf *m)
 	dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
 #endif /* IPFIREWALL_FORWARD */

-#endif /* PFIL_HOOKS */
-
-#if (defined(FAST_IPSEC) || defined(IPSEC)) && !defined(IPSEC_FILTERGIF)
-pass:
-#endif
-
+passin:
 	/*
 	 * Process options and, if not destined for us,
 	 * ship it on.  ip_dooptions returns 1 when an
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@ -33,7 +33,6 @@
 #include "opt_ipfw.h"
 #include "opt_ipsec.h"
 #include "opt_mac.h"
-#include "opt_pfil_hooks.h"
 #include "opt_mbuf_stress_test.h"

 #include <sys/param.h>
@ -49,6 +48,7 @@

 #include <net/if.h>
 #include <net/netisr.h>
+#include <net/pfil.h>
 #include <net/route.h>

 #include <netinet/in.h>
@ -58,9 +58,6 @@
 #include <netinet/in_var.h>
 #include <netinet/ip_var.h>

-#ifdef PFIL_HOOKS
-#include <net/pfil.h>
-#endif

 #include <machine/in_cksum.h>

@ -132,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 	struct in_ifaddr *ia = NULL;
 	int isbroadcast, sw_csum;
 	struct route iproute;
-#ifdef PFIL_HOOKS
 	struct in_addr odst;
-#endif
 #ifdef IPFIREWALL_FORWARD
 	struct m_tag *fwd_tag = NULL;
 #endif
@ -187,9 +182,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 	}

 	dst = (struct sockaddr_in *)&ro->ro_dst;
-#ifdef PFIL_HOOKS
 again:
-#endif
 	/*
 	 * If there is a cached route,
 	 * check that it is to the same destination
@ -665,10 +658,11 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 spd_done:
 #endif /* FAST_IPSEC */

-#ifdef PFIL_HOOKS
-	/*
-	 * Run through list of hooks for output packets.
-	 */
+	/* Jump over all PFIL processing if hooks are not active. */
+	if (inet_pfil_hook.ph_busy_count == -1)
+		goto passout;
+
+	/* Run through list of hooks for output packets. */
 	odst.s_addr = ip->ip_dst.s_addr;
 	error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT);
 	if (error != 0 || m == NULL)
@ -729,11 +723,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 	}
 #endif

-#endif /* PFIL_HOOKS */
-
-#if 0
-pass:
-#endif
+passout:
 	/* 127/8 must not appear on wire - RFC1122. */
 	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
 	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@ -192,9 +192,7 @@ extern int	(*ip_rsvp_vif)(struct socket *, struct sockopt *);
 extern void	(*ip_rsvp_force_done)(struct socket *);
 extern void	(*rsvp_input_p)(struct mbuf *m, int off);

-#ifdef PFIL_HOOKS
-extern	struct pfil_head inet_pfil_hook;
-#endif
+extern	struct pfil_head inet_pfil_hook;	/* packet filter hooks */

 void	in_delayed_cksum(struct mbuf *m);

--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@ -34,7 +34,6 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
-#include "opt_pfil_hooks.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -50,9 +49,7 @@

 #include <net/if.h>
 #include <net/route.h>
-#ifdef PFIL_HOOKS
 #include <net/pfil.h>
-#endif

 #include <netinet/in.h>
 #include <netinet/in_var.h>
@ -578,18 +575,19 @@ ip6_forward(m, srcrt)
 	in6_clearscope(&ip6->ip6_src);
 	in6_clearscope(&ip6->ip6_dst);

-#ifdef PFIL_HOOKS
-	/*
-	 * Run through list of hooks for output packets.
-	 */
+	/* Jump over all PFIL processing if hooks are not active. */
+	if (inet6_pfil_hook.ph_busy_count == -1)
+		goto pass;
+
+	/* Run through list of hooks for output packets. */
 	error = pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT);
 	if (error != 0)
 		goto senderr;
 	if (m == NULL)
 		goto freecopy;
 	ip6 = mtod(m, struct ip6_hdr *);
-#endif /* PFIL_HOOKS */

+pass:
 	error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
 	if (error) {
 		in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard);
@ -605,9 +603,7 @@ ip6_forward(m, srcrt)
 		}
 	}

-#ifdef PFIL_HOOKS
 senderr:
-#endif
 	if (mcopy == NULL)
 		return;
 	switch (error) {
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@ -65,7 +65,6 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
-#include "opt_pfil_hooks.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -86,9 +85,7 @@
 #include <net/if_dl.h>
 #include <net/route.h>
 #include <net/netisr.h>
-#ifdef PFIL_HOOKS
 #include <net/pfil.h>
-#endif

 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@ -139,9 +136,7 @@ int ip6_sourcecheck_interval;		/* XXX */

 int ip6_ours_check_algorithm;

-#ifdef PFIL_HOOKS
 struct pfil_head inet6_pfil_hook;
-#endif

 /* firewall hooks */
 ip6_fw_chk_t *ip6_fw_chk_ptr;
@ -181,13 +176,14 @@ ip6_init()
 		if (pr->pr_domain->dom_family == PF_INET6 &&
 		    pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
 			ip6_protox[pr->pr_protocol] = pr - inet6sw;
-#ifdef PFIL_HOOKS
+
+	/* Initialize packet filter hooks. */
 	inet6_pfil_hook.ph_type = PFIL_TYPE_AF;
 	inet6_pfil_hook.ph_af = AF_INET6;
 	if ((i = pfil_head_register(&inet6_pfil_hook)) != 0)
 		printf("%s: WARNING: unable to register pfil hook, "
 			"error %d\n", __func__, i);
-#endif /* PFIL_HOOKS */
+
 	ip6intrq.ifq_maxlen = ip6qmaxlen;
 	mtx_init(&ip6intrq.ifq_mtx, "ip6_inq", NULL, MTX_DEF);
 	netisr_register(NETISR_IPV6, ip6_input, &ip6intrq, 0);
@ -233,9 +229,7 @@ ip6_input(m)
 	struct ifnet *deliverifp = NULL;
 	struct sockaddr_in6 sa6;
 	u_int32_t srczone, dstzone;
-#ifdef PFIL_HOOKS
 	struct in6_addr odst;
-#endif
 	int srcrt = 0;

 	GIANT_REQUIRED;			/* XXX for now */
@ -417,7 +411,6 @@ ip6_input(m)
 		}
 	}

-#ifdef PFIL_HOOKS
 	/*
 	 * Run through list of hooks for input packets.
 	 *
@ -426,14 +419,19 @@ ip6_input(m)
 	 *     tell ip6_forward to do the right thing.
 	 */
 	odst = ip6->ip6_dst;
+
+	/* Jump over all PFIL processing if hooks are not active. */
+	if (inet6_pfil_hook.ph_busy_count == -1)
+		goto passin;
+
 	if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN))
 		return;
 	if (m == NULL)			/* consumed by filter */
 		return;
 	ip6 = mtod(m, struct ip6_hdr *);
 	srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
-#endif /* PFIL_HOOKS */

+passin:
 	/*
 	 * Check with the firewall...
 	 */
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@ -65,7 +65,6 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
-#include "opt_pfil_hooks.h"

 #include <sys/param.h>
 #include <sys/malloc.h>
@ -80,9 +79,7 @@

 #include <net/if.h>
 #include <net/route.h>
-#ifdef PFIL_HOOKS
 #include <net/pfil.h>
-#endif

 #include <netinet/in.h>
 #include <netinet/in_var.h>
@ -936,16 +933,17 @@ skip_ipsec2:;
 		m->m_pkthdr.rcvif = NULL;
 	}

-#ifdef PFIL_HOOKS
-	/*
-	 * Run through list of hooks for output packets.
-	 */
+	/* Jump over all PFIL processing if hooks are not active. */
+	if (inet6_pfil_hook.ph_busy_count == -1)
+		goto passout;
+
+	/* Run through list of hooks for output packets. */
 	error = pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT);
 	if (error != 0 || m == NULL)
 		goto done;
 	ip6 = mtod(m, struct ip6_hdr *);
-#endif /* PFIL_HOOKS */

+passout:
 	/*
 	 * Send the packet to the outgoing interface.
 	 * If necessary, do IPv6 fragmentation before sending.
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@ -318,9 +318,7 @@ extern int	ip6_use_tempaddr; /* whether to use temporary addresses. */
 extern int	ip6_prefer_tempaddr; /* whether to prefer temporary addresses
 					in the source address selection */

-#ifdef PFIL_HOOKS
-extern	struct pfil_head inet6_pfil_hook;
-#endif
+extern	struct pfil_head inet6_pfil_hook;	/* packet filter hooks */

 extern struct	pr_usrreqs rip6_usrreqs;
 struct sockopt;
--- a/sys/pc98/conf/GENERIC
+++ b/sys/pc98/conf/GENERIC
@ -59,7 +59,6 @@ options 	SYSVMSG			# SYSV-style message queues
 options 	SYSVSEM			# SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
-options 	PFIL_HOOKS		# pfil(9) framework

 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.
--- a/sys/powerpc/conf/GENERIC
+++ b/sys/powerpc/conf/GENERIC
@ -56,7 +56,6 @@ options 	SYSVSHM			#SYSV-style shared memory
 options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 #options 	_KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
-options 	PFIL_HOOKS		# pfil(9) framework

 # Debugging for use in -current
 options 	KDB			#Enable the kernel debugger
--- a/sys/sparc64/conf/GENERIC
+++ b/sys/sparc64/conf/GENERIC
@ -56,7 +56,6 @@ options 	SYSVSHM			# SYSV-style shared memory
 options 	SYSVMSG			# SYSV-style message queues
 options 	SYSVSEM			# SYSV-style semaphores
 options 	_KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
-options 	PFIL_HOOKS		# pfil(9) framework

 # Debugging for use in -current
 options 	KDB			# Enable kernel debugger support.