Commit Graph

33 Commits

Author SHA1 Message Date
Kristof Provost
effaab8861 netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for
firewalls to figure out if they were forwarding or producing packets. This in
turn is an issue for pf for IPv6 fragment handling: it needs to call
ip6_output() or ip6_forward() to handle the fragments. Figuring out which was
difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.

Introduce a new variant of the netpfil callbacks with a flags variable, which
has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if
a packet is forwarded.

Reviewed by:	ae, kevans
Differential Revision:	https://reviews.freebsd.org/D13715
2018-03-23 16:56:44 +00:00
Sergey Kandaurov
aceea44d31 Fix pfil_add_hook() and pfil_remove_hook() type. 2017-03-27 14:32:34 +00:00
Joel Dahl
082dbcbf5e mdoc fixes. 2013-08-25 06:58:51 +00:00
Andre Oppermann
6e3e14fe44 Fix BUGS section after botched modify in r254772.
Reported by:	bjk
2013-08-24 21:30:35 +00:00
Andre Oppermann
2c4e923de2 Adjust for the pfil_func_t typedef added in r254769. 2013-08-24 11:57:02 +00:00
Andre Oppermann
bacda5aaa9 pfil_hook_get() has been internalized in r254771 and is no longer
part of the API.  It wasn't safe for external use in any case.
2013-08-24 10:38:02 +00:00
Sergey Kandaurov
fe6ba75294 Correct rmlock(9) xref and add a missing comma. 2012-11-13 19:03:13 +00:00
Alexander V. Chernikov
4dab1a18a3 Make PFIL use per-VNET lock instead of per-AF lock. Since most used packet
filters (ipfw and PF) use the same ruleset with the same lock for both
AF_INET and AF_INET6 there is no need for more fine-grained locking.
However, it is possible to request a personal lock by specifying
PFIL_FLAG_PRIVATE_LOCK flag in pfil_head structure (see pfil.9 for
more details).

Export PFIL lock via rw_lock(9)/rm_lock(9)-like API permitting pfil consumers
to use this lock instead of own lock. This helps reduce locks on the main
traffic path.

pfil_assert() is currently not implemented due to absence of rm_assert().
Waiting for some kind of r234648 to be merged in HEAD.

This change is part of a bigger patch reducing routing locking.

Sponsored by:	Yandex LLC
Reviewed by:	glebius, ae
OK'd by:	silence on net@
MFC after:	3 weeks
2012-10-22 14:10:17 +00:00
Gleb Smirnoff
21d172a3f1 A step in resolving the mess with byte ordering for AF_INET. After this change:
- All packets in NETISR_IP queue are in net byte order.
  - ip_input() is entered in net byte order and converts packet
    to host byte order right _after_ processing pfil(9) hooks.
  - ip_output() is entered in host byte order and converts packet
    to net byte order right _before_ processing pfil(9) hooks.
  - ip_fragment() accepts and emits packet in net byte order.
  - ip_forward(), ip_mloopback() use host byte order (untouched actually).
  - ip_fastforward() no longer modifies packet at all (except ip_ttl).
  - Swapping of byte order there and back removed from the following modules:
    pf(4), ipfw(4), enc(4), if_bridge(4).
  - Swapping of byte order added to ipfilter(4), based on __FreeBSD_version
  - __FreeBSD_version bumped.
  - pfil(9) manual page updated.

Reviewed by:	ray, luigi, eri, melifaro
Tested by:	glebius (LE), ray (BE)
2012-10-06 10:02:11 +00:00
Joel Dahl
9f668383b7 Remove trailing whitespace. 2012-09-16 21:17:28 +00:00
Alexander V. Chernikov
54202ab3d1 Add section describing existing filtering points.
Document byteorder behavior in AF_INET[6] hooks in new section.

MFC after:	2 weeks
2012-09-16 13:13:02 +00:00
Ruslan Ermilov
81ae4b8da9 Markup fixes. 2006-09-18 15:24:20 +00:00
Max Laier
b6de9e91bd Remove bridge(4) from the tree. if_bridge(4) is a fully functional
replacement and has additional features which make it superior.

Discussed on:	-arch
Reviewed by:	thompsa
X-MFC-after:	never (RELENG_6 as transition period)
2005-09-27 18:10:43 +00:00
Ruslan Ermilov
9cbda59000 Sort sections. 2005-01-21 08:36:40 +00:00
Ruslan Ermilov
c0854fb7b2 Scheduled mdoc(7) sweep. 2005-01-12 21:48:25 +00:00
Brian Feldman
dd44434547 s/ENOBUF/ENOBUFS/ 2004-10-11 18:40:50 +00:00
Max Laier
85bba4455a Change pfil starvation prevention from fail-open to fail-close.
We return ENOBUF to indicate the problem, which is an errno that should be
handled well everywhere.

Requested & Submitted by:	green
Silently okay'ed by:		The rest of the firewall gang
MFC after:			3 days
2004-10-08 12:07:20 +00:00
Max Laier
d6a8d58875 Add an additional struct inpcb * argument to pfil(9) in order to enable
passing along socket information. This is required to work around a LOR with
the socket code which results in an easily reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a separate (later) commit.

This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in the
foreseeable future.

Suggested by:		rwatson
A lot of work by:	csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by:		rwatson, csjp
Tested by:		-pf, -ipfw, LINT, csjp and myself
MFC after:		3 days

LOR IDs:		14 - 17 (not fixed yet)
2004-09-29 04:54:33 +00:00
Andre Oppermann
c21fd23260 Always compile PFIL_HOOKS into the kernel and remove the associated kernel
compile option.  All FreeBSD packet filters now use the PFIL_HOOKS API and
thus it becomes a standard part of the network stack.

If no hooks are connected the entire packet filter hooks section and related
activities are jumped over.  This removes any performance impact if no hooks
are active.

Both OpenBSD and DragonFlyBSD have integrated PFIL_HOOKS permanently as well.
2004-08-27 15:16:24 +00:00
Ruslan Ermilov
bf7f20c2b6 Assorted markup, spelling, and grammar fixes. 2004-06-16 08:33:57 +00:00
Simon L. B. Nielsen
0e87afb66f - Fix typo.
- Use .Fx when I'm here anyway.

PR:		docs/63622
Submitted by:	Andrew Boothman <andrew@mux.org.uk>
2004-03-01 22:58:07 +00:00
Sam Leffler
89a688272a update to reflect new api
Submitted by:	Max Laier <max@love2party.net>
Obtained from:	NetBSD (with changes)
2003-09-25 20:49:28 +00:00
Ruslan Ermilov
fe08efe680 mdoc(7): Use the new feature of the .In macro. 2003-09-08 19:57:22 +00:00
Bruce Evans
df2aa36d5a Fixed missing return type in the prototype for the hook function. 2002-01-11 13:18:32 +00:00
Ruslan Ermilov
e4c7f9b607 mdoc(7) police: tidy up the markup. 2002-01-10 13:09:00 +00:00
Mike Pritchard
b82af3f5e4 ispell sweep of share/man/man9/*. 2002-01-09 11:43:48 +00:00
Chad David
f16b3c0de4 Update function definitions and required include files to reflect
the current state of the system.

Approved by: alfred
2001-12-26 23:14:04 +00:00
Ruslan Ermilov
32eef9aeb1 mdoc(7) police: Use the new .In macro for #include statements. 2001-10-01 16:09:29 +00:00
Jens Schweikhardt
c1f3e4bf21 Removed whitespace at end-of-line; no content changes. I simply did
cd src/share; find man[1-9] -type f|xargs perl -pi -e 's/[ \t]+$//'

BTW, what editors are the culprits? I'm using vim and it shows
me whitespace at EOL in troff files with a thick blue block...

Reviewed by:	Silence from cvs diff -b
MFC after:	7 days
2001-07-14 19:41:16 +00:00
Dima Dorfman
5e75e35cca Grammar police: "its", not "it's", is the possessive form of "it". 2001-04-15 19:53:47 +00:00
Ruslan Ermilov
d0353b836e mdoc(7) police: split punctuation characters + misc fixes. 2001-02-01 16:38:02 +00:00
Darren Reed
08aa4ea3b8 patch from Alexey Zelkin 2000-05-11 00:44:35 +00:00
Darren Reed
e9c7bebf95 Add pfil(9) subroutines and manpage from NetBSD. 2000-05-10 13:37:51 +00:00