author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-08-07 12:12:37 +0200 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2018-09-21 10:29:36 +0200 |
commit | de261e0404e1fe54544275fc57d5b982df4f42b4 (patch) | |
tree | 856cbdf23d6809b99c4d642d066bc45cd67c26e6 /freebsd/sys/netpfil/pf | |
parent | libbsd.txt: Use rtems_bsd_ifconfig_lo0() (diff) | |
download | rtems-libbsd-de261e0404e1fe54544275fc57d5b982df4f42b4.tar.bz2 |
Update to FreeBSD head 2017-06-01
Git mirror commit dfb26efac4ce9101dda240e94d9ab53f80a9e131.
Update #3472.
Diffstat (limited to 'freebsd/sys/netpfil/pf')
-rw-r--r-- | freebsd/sys/netpfil/pf/pf_if.c | 36 | ||||
-rw-r--r-- | freebsd/sys/netpfil/pf/pf_ioctl.c | 35 | ||||
-rw-r--r-- | freebsd/sys/netpfil/pf/pf_norm.c | 4 | ||||
-rw-r--r-- | freebsd/sys/netpfil/pf/pf_table.c | 53 |
4 files changed, 56 insertions, 72 deletions
diff --git a/freebsd/sys/netpfil/pf/pf_if.c b/freebsd/sys/netpfil/pf/pf_if.c index fbcda5b8..0ca6a019 100644 --- a/freebsd/sys/netpfil/pf/pf_if.c +++ b/freebsd/sys/netpfil/pf/pf_if.c @@ -91,9 +91,9 @@ static int pfi_skip_if(const char *, struct pfi_kif *); static int pfi_unmask(void *); static void pfi_attach_ifnet_event(void * __unused, struct ifnet *); static void pfi_detach_ifnet_event(void * __unused, struct ifnet *); -static void pfi_attach_group_event(void *, struct ifg_group *); -static void pfi_change_group_event(void *, char *); -static void pfi_detach_group_event(void *, struct ifg_group *); +static void pfi_attach_group_event(void * __unused, struct ifg_group *); +static void pfi_change_group_event(void * __unused, char *); +static void pfi_detach_group_event(void * __unused, struct ifg_group *); static void pfi_ifaddr_event(void * __unused, struct ifnet *); RB_HEAD(pfi_ifhead, pfi_kif); @@ -145,11 +145,11 @@ pfi_initialize(void) pfi_detach_cookie = EVENTHANDLER_REGISTER(ifnet_departure_event, pfi_detach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); pfi_attach_group_cookie = EVENTHANDLER_REGISTER(group_attach_event, - pfi_attach_group_event, curvnet, EVENTHANDLER_PRI_ANY); + pfi_attach_group_event, NULL, EVENTHANDLER_PRI_ANY); pfi_change_group_cookie = EVENTHANDLER_REGISTER(group_change_event, - pfi_change_group_event, curvnet, EVENTHANDLER_PRI_ANY); + pfi_change_group_event, NULL, EVENTHANDLER_PRI_ANY); pfi_detach_group_cookie = EVENTHANDLER_REGISTER(group_detach_event, - pfi_detach_group_event, curvnet, EVENTHANDLER_PRI_ANY); + pfi_detach_group_event, NULL, EVENTHANDLER_PRI_ANY); pfi_ifaddr_event_cookie = EVENTHANDLER_REGISTER(ifaddr_event, pfi_ifaddr_event, NULL, EVENTHANDLER_PRI_ANY); } @@ -802,10 +802,8 @@ static void pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp) { - CURVNET_SET(ifp->if_vnet); if (V_pf_vnet_active == 0) { /* Avoid teardown race in the least expensive way. */ - CURVNET_RESTORE(); return; } pfi_attach_ifnet(ifp); 
@@ -814,7 +812,6 @@ pfi_attach_ifnet_event(void *arg __unused, struct ifnet *ifp) pf_altq_ifnet_event(ifp, 0); PF_RULES_WUNLOCK(); #endif - CURVNET_RESTORE(); } static void @@ -825,10 +822,8 @@ pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) if (kif == NULL) return; - CURVNET_SET(ifp->if_vnet); if (V_pf_vnet_active == 0) { /* Avoid teardown race in the least expensive way. */ - CURVNET_RESTORE(); return; } PF_RULES_WLOCK(); @@ -841,32 +836,26 @@ pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp) pf_altq_ifnet_event(ifp, 1); #endif PF_RULES_WUNLOCK(); - CURVNET_RESTORE(); } static void -pfi_attach_group_event(void *arg , struct ifg_group *ifg) +pfi_attach_group_event(void *arg __unused, struct ifg_group *ifg) { - CURVNET_SET((struct vnet *)arg); if (V_pf_vnet_active == 0) { /* Avoid teardown race in the least expensive way. */ - CURVNET_RESTORE(); return; } pfi_attach_ifgroup(ifg); - CURVNET_RESTORE(); } static void -pfi_change_group_event(void *arg, char *gname) +pfi_change_group_event(void *arg __unused, char *gname) { struct pfi_kif *kif; - CURVNET_SET((struct vnet *)arg); if (V_pf_vnet_active == 0) { /* Avoid teardown race in the least expensive way. */ - CURVNET_RESTORE(); return; } @@ -876,21 +865,18 @@ pfi_change_group_event(void *arg, char *gname) kif = pfi_kif_attach(kif, gname); pfi_kif_update(kif); PF_RULES_WUNLOCK(); - CURVNET_RESTORE(); } static void -pfi_detach_group_event(void *arg, struct ifg_group *ifg) +pfi_detach_group_event(void *arg __unused, struct ifg_group *ifg) { struct pfi_kif *kif = (struct pfi_kif *)ifg->ifg_pf_kif; if (kif == NULL) return; - CURVNET_SET((struct vnet *)arg); if (V_pf_vnet_active == 0) { /* Avoid teardown race in the least expensive way. */ - CURVNET_RESTORE(); return; } PF_RULES_WLOCK(); @@ -899,7 +885,6 @@ pfi_detach_group_event(void *arg, struct ifg_group *ifg) kif->pfik_group = NULL; ifg->ifg_pf_kif = NULL; PF_RULES_WUNLOCK(); - CURVNET_RESTORE(); } static void 
@@ -908,10 +893,8 @@ pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp) if (ifp->if_pf_kif == NULL) return; - CURVNET_SET(ifp->if_vnet); if (V_pf_vnet_active == 0) { /* Avoid teardown race in the least expensive way. */ - CURVNET_RESTORE(); return; } PF_RULES_WLOCK(); @@ -920,5 +903,4 @@ pfi_ifaddr_event(void *arg __unused, struct ifnet *ifp) pfi_kif_update(ifp->if_pf_kif); } PF_RULES_WUNLOCK(); - CURVNET_RESTORE(); } diff --git a/freebsd/sys/netpfil/pf/pf_ioctl.c b/freebsd/sys/netpfil/pf/pf_ioctl.c index 4f507081..e9ca8d95 100644 --- a/freebsd/sys/netpfil/pf/pf_ioctl.c +++ b/freebsd/sys/netpfil/pf/pf_ioctl.c @@ -180,7 +180,7 @@ static int hook_pf(void); static int dehook_pf(void); static int shutdown_pf(void); static int pf_load(void); -static int pf_unload(void); +static void pf_unload(void); static struct cdevsw pf_cdevsw = { .d_ioctl = pfioctl, @@ -1864,6 +1864,8 @@ DIOCGETSTATES_full: counter_u64_zero(V_pf_status.fcounters[i]); for (int i = 0; i < SCNT_MAX; i++) counter_u64_zero(V_pf_status.scounters[i]); + for (int i = 0; i < LCNT_MAX; i++) + counter_u64_zero(V_pf_status.lcounters[i]); V_pf_status.since = time_second; if (*V_pf_status.ifname) pfi_update_status(V_pf_status.ifname, NULL); @@ -2440,11 +2442,12 @@ DIOCGETSTATES_full: #undef ERROUT DIOCCHANGEADDR_error: - if (newpa->kif) - pfi_kif_unref(newpa->kif); - PF_RULES_WUNLOCK(); - if (newpa != NULL) + if (newpa != NULL) { + if (newpa->kif) + pfi_kif_unref(newpa->kif); free(newpa, M_PFRULE); + } + PF_RULES_WUNLOCK(); if (kif != NULL) free(kif, PFI_MTYPE); break; @@ -3721,17 +3724,8 @@ dehook_pf(void) static void pf_load_vnet(void) { - VNET_ITERATOR_DECL(vnet_iter); - - VNET_LIST_RLOCK(); - VNET_FOREACH(vnet_iter) { - CURVNET_SET(vnet_iter); - V_pf_pfil_hooked = 0; - TAILQ_INIT(&V_pf_tags); - TAILQ_INIT(&V_pf_qids); - CURVNET_RESTORE(); - } - VNET_LIST_RUNLOCK(); + TAILQ_INIT(&V_pf_tags); + TAILQ_INIT(&V_pf_qids); pfattach_vnet(); V_pf_vnet_active = 1; 
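Review bot: With CURVNET_SET/CURVNET_RESTORE removed from pfi_attach_ifnet_event, pfi_detach_ifnet_event, the three group handlers and pfi_ifaddr_event, every handler still reads the per-vnet V_pf_vnet_active before touching pf state, so correctness now rests on the event dispatcher having set curvnet before the callback runs; nothing in these hunks establishes that, and the group handlers additionally lose the vnet that pfi_initialize used to pass as their arg (now NULL). If VIMAGE is not enabled in this port the macros are no-ops and the change is harmless, but the new contract is worth stating once at the first handler, e.g. `/* Event handlers run with curvnet already set by the dispatcher; V_pf_vnet_active is a per-vnet read. */`. All of the affected function bodies continue outside the hunks shown.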
@@ -3798,10 +3792,9 @@ pf_unload_vnet(void) pf_mtag_cleanup(); } -static int +static void pf_unload(void) { - int error = 0; sx_xlock(&pf_end_lock); pf_end_threads = 1; @@ -3819,8 +3812,6 @@ pf_unload(void) rw_destroy(&pf_rules_lock); sx_destroy(&pf_ioctl_lock); sx_destroy(&pf_end_lock); - - return (error); } static void @@ -3838,6 +3829,7 @@ vnet_pf_uninit(const void *unused __unused) pf_unload_vnet(); } +SYSUNINIT(pf_unload, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND, pf_unload, NULL); VNET_SYSUNINIT(vnet_pf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD, vnet_pf_uninit, NULL); @@ -3858,7 +3850,8 @@ pf_modevent(module_t mod, int type, void *data) error = EBUSY; break; case MOD_UNLOAD: - error = pf_unload(); + /* Handled in SYSUNINIT(pf_unload) to ensure it's done after + * the vnet_pf_uninit()s */ break; default: error = EINVAL; diff --git a/freebsd/sys/netpfil/pf/pf_norm.c b/freebsd/sys/netpfil/pf/pf_norm.c index f4d46378..60733ae8 100644 --- a/freebsd/sys/netpfil/pf/pf_norm.c +++ b/freebsd/sys/netpfil/pf/pf_norm.c @@ -764,6 +764,10 @@ pf_refragment6(struct ifnet *ifp, struct mbuf **m0, struct m_tag *mtag) hdr->ip6_nxt = IPPROTO_FRAGMENT; } + /* The MTU must be a multiple of 8 bytes, or we risk doing the + * fragmentation wrong. */ + maxlen = maxlen & ~7; + /* * Maxlen may be less than 8 if there was only a single * fragment. As it was fragmented before, add a fragment diff --git a/freebsd/sys/netpfil/pf/pf_table.c b/freebsd/sys/netpfil/pf/pf_table.c index 3460046b..c655effa 100644 --- a/freebsd/sys/netpfil/pf/pf_table.c +++ b/freebsd/sys/netpfil/pf/pf_table.c 
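Review bot: The rewritten pf_load_vnet no longer assigns V_pf_pfil_hooked = 0, which the removed VNET_FOREACH loop did for every vnet; the new body only initializes the two tailqs, so the hook flag's initial value now depends on the VNET_DEFINE storage being zero-filled for each vnet (presumably true, but worth confirming for this port, where pf_load_vnet is the only per-vnet init shown). If that reliance is intended, make it explicit, e.g. `/* V_pf_pfil_hooked starts at 0 from the zero-filled vnet data; no reset needed. */`. Separately, the MOD_UNLOAD comment in pf_modevent uses the `/* text` one-line-open form while the file's block comments open with `/*` on its own line. Both pf_load_vnet and pf_modevent extend beyond the hunks.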
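Review bot: The new comment in pf_refragment6 says the MTU must be a multiple of 8, but the value actually masked is maxlen, whose computation lies above the hunk, and the block comment immediately after treats maxlen as a per-fragment length that may already be below 8; if maxlen is derived from the MTU rather than being the MTU, the comment should name the right quantity, e.g. `/* The fragment payload length must be a multiple of 8, or the fragment offsets will be wrong. */`. Note also that `maxlen & ~7` yields 0 for any value below 8, and the hunk does not show how a zero maxlen is handled downstream. The comment uses the `/* text` form where the adjacent block uses `/*` on its own line. pf_refragment6 starts and ends outside the hunk.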
@@ -186,9 +186,14 @@ static struct pfr_kentry static RB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare); static RB_GENERATE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare); -struct pfr_ktablehead pfr_ktables; -struct pfr_table pfr_nulltable; -int pfr_ktable_cnt; +static VNET_DEFINE(struct pfr_ktablehead, pfr_ktables); +#define V_pfr_ktables VNET(pfr_ktables) + +static VNET_DEFINE(struct pfr_table, pfr_nulltable); +#define V_pfr_nulltable VNET(pfr_nulltable) + +static VNET_DEFINE(int, pfr_ktable_cnt); +#define V_pfr_ktable_cnt VNET(pfr_ktable_cnt) void pfr_initialize(void) @@ -258,7 +263,7 @@ pfr_add_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, return (ESRCH); if (kt->pfrkt_flags & PFR_TFLAG_CONST) return (EPERM); - tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0); + tmpkt = pfr_create_ktable(&V_pfr_nulltable, 0, 0); if (tmpkt == NULL) return (ENOMEM); SLIST_INIT(&workq); @@ -410,7 +415,7 @@ pfr_set_addrs(struct pfr_table *tbl, struct pfr_addr *addr, int size, return (ESRCH); if (kt->pfrkt_flags & PFR_TFLAG_CONST) return (EPERM); - tmpkt = pfr_create_ktable(&pfr_nulltable, 0, 0); + tmpkt = pfr_create_ktable(&V_pfr_nulltable, 0, 0); if (tmpkt == NULL) return (ENOMEM); pfr_mark_addrs(kt); @@ -1085,7 +1090,7 @@ pfr_clr_tables(struct pfr_table *filter, int *ndel, int flags) return (ENOENT); SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { + RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) { if (pfr_skip_table(filter, p, flags)) continue; if (!strcmp(p->pfrkt_anchor, PF_RESERVED_ANCHOR)) @@ -1120,7 +1125,7 @@ pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) flags & PFR_FLAG_USERIOCTL)) senderr(EINVAL); key.pfrkt_flags |= PFR_TFLAG_ACTIVE; - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); + p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key); if (p == NULL) { p = pfr_create_ktable(&key.pfrkt_t, tzero, 1); if (p == NULL) 
@@ -1136,7 +1141,7 @@ pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) /* find or create root table */ bzero(key.pfrkt_anchor, sizeof(key.pfrkt_anchor)); - r = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); + r = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key); if (r != NULL) { p->pfrkt_root = r; goto _skip; @@ -1192,7 +1197,7 @@ pfr_del_tables(struct pfr_table *tbl, int size, int *ndel, int flags) if (pfr_validate_table(&key.pfrkt_t, 0, flags & PFR_FLAG_USERIOCTL)) return (EINVAL); - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); + p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key); if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) { SLIST_FOREACH(q, &workq, pfrkt_workq) if (!pfr_ktable_compare(p, q)) @@ -1231,7 +1236,7 @@ pfr_get_tables(struct pfr_table *filter, struct pfr_table *tbl, int *size, *size = n; return (0); } - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { + RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) { if (pfr_skip_table(filter, p, flags)) continue; if (n-- <= 0) @@ -1266,7 +1271,7 @@ pfr_get_tstats(struct pfr_table *filter, struct pfr_tstats *tbl, int *size, return (0); } SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { + RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) { if (pfr_skip_table(filter, p, flags)) continue; if (n-- <= 0) @@ -1298,7 +1303,7 @@ pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags) bcopy(tbl + i, &key.pfrkt_t, sizeof(key.pfrkt_t)); if (pfr_validate_table(&key.pfrkt_t, 0, 0)) return (EINVAL); - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); + p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key); if (p != NULL) { SLIST_INSERT_HEAD(&workq, p, pfrkt_workq); xzero++; 
@@ -1330,7 +1335,7 @@ pfr_set_tflags(struct pfr_table *tbl, int size, int setflag, int clrflag, if (pfr_validate_table(&key.pfrkt_t, 0, flags & PFR_FLAG_USERIOCTL)) return (EINVAL); - p = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); + p = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key); if (p != NULL && (p->pfrkt_flags & PFR_TFLAG_ACTIVE)) { p->pfrkt_nflags = (p->pfrkt_flags | setflag) & ~clrflag; @@ -1372,7 +1377,7 @@ pfr_ina_begin(struct pfr_table *trs, u_int32_t *ticket, int *ndel, int flags) if (rs == NULL) return (ENOMEM); SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { + RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) { if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) || pfr_skip_table(trs, p, 0)) continue; @@ -1417,7 +1422,7 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size, return (EBUSY); tbl->pfrt_flags |= PFR_TFLAG_INACTIVE; SLIST_INIT(&tableq); - kt = RB_FIND(pfr_ktablehead, &pfr_ktables, (struct pfr_ktable *)tbl); + kt = RB_FIND(pfr_ktablehead, &V_pfr_ktables, (struct pfr_ktable *)tbl); if (kt == NULL) { kt = pfr_create_ktable(tbl, 0, 1); if (kt == NULL) @@ -1430,7 +1435,7 @@ pfr_ina_define(struct pfr_table *tbl, struct pfr_addr *addr, int size, /* find or create root table */ bzero(&key, sizeof(key)); strlcpy(key.pfrkt_name, tbl->pfrt_name, sizeof(key.pfrkt_name)); - rt = RB_FIND(pfr_ktablehead, &pfr_ktables, &key); + rt = RB_FIND(pfr_ktablehead, &V_pfr_ktables, &key); if (rt != NULL) { kt->pfrkt_root = rt; goto _skip; @@ -1507,7 +1512,7 @@ pfr_ina_rollback(struct pfr_table *trs, u_int32_t ticket, int *ndel, int flags) if (rs == NULL || !rs->topen || ticket != rs->tticket) return (0); SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { + RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) { if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) || pfr_skip_table(trs, p, 0)) continue; 
@@ -1543,7 +1548,7 @@ pfr_ina_commit(struct pfr_table *trs, u_int32_t ticket, int *nadd, return (EBUSY); SLIST_INIT(&workq); - RB_FOREACH(p, pfr_ktablehead, &pfr_ktables) { + RB_FOREACH(p, pfr_ktablehead, &V_pfr_ktables) { if (!(p->pfrkt_flags & PFR_TFLAG_INACTIVE) || pfr_skip_table(trs, p, 0)) continue; @@ -1689,7 +1694,7 @@ pfr_table_count(struct pfr_table *filter, int flags) PF_RULES_ASSERT(); if (flags & PFR_FLAG_ALLRSETS) - return (pfr_ktable_cnt); + return (V_pfr_ktable_cnt); if (filter->pfrt_anchor[0]) { rs = pf_find_ruleset(filter->pfrt_anchor); return ((rs != NULL) ? rs->tables : -1); @@ -1722,8 +1727,8 @@ pfr_insert_ktable(struct pfr_ktable *kt) PF_RULES_WASSERT(); - RB_INSERT(pfr_ktablehead, &pfr_ktables, kt); - pfr_ktable_cnt++; + RB_INSERT(pfr_ktablehead, &V_pfr_ktables, kt); + V_pfr_ktable_cnt++; if (kt->pfrkt_root != NULL) if (!kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]++) pfr_setflags_ktable(kt->pfrkt_root, @@ -1754,14 +1759,14 @@ pfr_setflags_ktable(struct pfr_ktable *kt, int newf) if (!(newf & PFR_TFLAG_ACTIVE)) newf &= ~PFR_TFLAG_USRMASK; if (!(newf & PFR_TFLAG_SETMASK)) { - RB_REMOVE(pfr_ktablehead, &pfr_ktables, kt); + RB_REMOVE(pfr_ktablehead, &V_pfr_ktables, kt); if (kt->pfrkt_root != NULL) if (!--kt->pfrkt_root->pfrkt_refcnt[PFR_REFCNT_ANCHOR]) pfr_setflags_ktable(kt->pfrkt_root, kt->pfrkt_root->pfrkt_flags & ~PFR_TFLAG_REFDANCHOR); pfr_destroy_ktable(kt, 1); - pfr_ktable_cnt--; + V_pfr_ktable_cnt--; return; } if (!(newf & PFR_TFLAG_ACTIVE) && kt->pfrkt_cnt) { @@ -1882,7 +1887,7 @@ static struct pfr_ktable * pfr_lookup_table(struct pfr_table *tbl) { /* struct pfr_ktable start like a struct pfr_table */ - return (RB_FIND(pfr_ktablehead, &pfr_ktables, + return (RB_FIND(pfr_ktablehead, &V_pfr_ktables, (struct pfr_ktable *)tbl)); } |
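Review bot: V_pfr_nulltable has no initializer and, in the hunks shown, is only ever passed by address to pfr_create_ktable (pfr_add_addrs, pfr_set_addrs), so its role as an all-zero template now rests on per-vnet storage being zero-filled just as the former bss global was; a comment at the VNET_DEFINE would record that, e.g. `/* Zero-filled template table; only ever passed to pfr_create_ktable(). */`. The tree mutations and count updates in pfr_insert_ktable and pfr_setflags_ktable sit under PF_RULES_WASSERT and pfr_table_count under PF_RULES_ASSERT, so the per-vnet move introduces no new locking concern in the code visible here. The remaining hunks are mechanical V_ renames; pfr_initialize and the other touched functions continue outside the hunks.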