diff options
author | luigi <luigi@FreeBSD.org> | 2010-01-04 19:01:22 +0000 |
---|---|---|
committer | luigi <luigi@FreeBSD.org> | 2010-01-04 19:01:22 +0000 |
commit | 40024ff7c3bf948cb45283aec877bd552ee934d7 (patch) | |
tree | e632a2ed87ca91743db2bb3ace9525de5d414d89 /sys/netgraph | |
parent | d2744b88e92689da349b5de750666f235ea9a4ce (diff) | |
download | FreeBSD-src-40024ff7c3bf948cb45283aec877bd552ee934d7.zip FreeBSD-src-40024ff7c3bf948cb45283aec877bd552ee934d7.tar.gz |
Various cleanup done in ipfw3-head branch including:
- use a uniform mtag format for all packets that exit and re-enter
the firewall in the middle of a rulechain. On reentry, all tags
containing reinject info are renamed to MTAG_IPFW_RULE so the
processing is simpler.
- make ipfw and dummynet use ip_len and ip_off in network format
everywhere. Conversion is done only once instead of tracking
the format in every place.
- use a macro FREE_PKT to dispose of mbufs. This eases portability.
On passing i also removed a few typos, staticise or localise variables,
remove useless declarations and other minor things.
Overall the code shrinks a bit and is hopefully more readable.
I have tested functionality for all but ng_ipfw and if_bridge/if_ethersubr.
For ng_ipfw i am actually waiting for feedback from glebius@ because
we might have some small changes to make.
For if_bridge and if_ethersubr feedback would be welcome
(there are still some redundant parts in these two modules that
I would like to remove, but first i need to check functionality).
Diffstat (limited to 'sys/netgraph')
-rw-r--r-- | sys/netgraph/ng_ipfw.c | 49 |
1 files changed, 19 insertions, 30 deletions
diff --git a/sys/netgraph/ng_ipfw.c b/sys/netgraph/ng_ipfw.c index c02ca75..0112f66 100644 --- a/sys/netgraph/ng_ipfw.c +++ b/sys/netgraph/ng_ipfw.c @@ -221,21 +221,23 @@ ng_ipfw_findhook1(node_p node, u_int16_t rulenum) static int ng_ipfw_rcvdata(hook_p hook, item_p item) { - struct ng_ipfw_tag *ngit; + struct ipfw_rule_ref *tag; struct mbuf *m; NGI_GET_M(item, m); NG_FREE_ITEM(item); - if ((ngit = (struct ng_ipfw_tag *)m_tag_locate(m, NGM_IPFW_COOKIE, 0, - NULL)) == NULL) { + tag = (struct ipfw_rule_ref *) + m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL); + if (tag == NULL) { NG_FREE_M(m); return (EINVAL); /* XXX: find smth better */ }; - switch (ngit->dir) { - case DIR_OUT: - { + if (tag->info & IPFW_INFO_IN) { + ip_input(m); + return (0); + } else { struct ip *ip; if (m->m_len < sizeof(struct ip) && @@ -244,27 +246,16 @@ ng_ipfw_rcvdata(hook_p hook, item_p item) ip = mtod(m, struct ip *); - ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); + SET_HOST_IPLEN(ip); return ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); - } - case DIR_IN: - ip_input(m); - return (0); - default: - panic("ng_ipfw_rcvdata: bad dir %u", ngit->dir); } - - /* not reached */ - return (0); } static int ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee) { struct mbuf *m; - struct ng_ipfw_tag *ngit; struct ip *ip; hook_p hook; int error = 0; @@ -273,7 +264,7 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee) * Node must be loaded and corresponding hook must be present. */ if (fw_node == NULL || - (hook = ng_ipfw_findhook1(fw_node, fwa->cookie)) == NULL) { + (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL) { if (tee == 0) m_freem(*m0); return (ESRCH); /* no hook associated with this rule */ @@ -285,21 +276,21 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee) * a copy of a packet and forward it into netgraph without a tag. */ if (tee == 0) { + struct m_tag *tag; + struct ipfw_rule_ref *r; m = *m0; *m0 = NULL; /* it belongs now to netgraph */ - if ((ngit = (struct ng_ipfw_tag *)m_tag_alloc(NGM_IPFW_COOKIE, - 0, TAGSIZ, M_NOWAIT|M_ZERO)) == NULL) { + tag = m_tag_alloc(MTAG_IPFW_RULE, 0, sizeof(*r), + M_NOWAIT|M_ZERO); + if (tag == NULL) { m_freem(m); return (ENOMEM); } - ngit->slot = fwa->slot; - ngit->rulenum = fwa->rulenum; - ngit->rule_id = fwa->rule_id; - ngit->chain_id = fwa->chain_id; - ngit->dir = dir; -// ngit->ifp = fwa->oif; /* XXX do we use it ? */ - m_tag_prepend(m, &ngit->mt); + r = (struct ipfw_rule_ref *)(tag + 1); + *r = fwa->rule; + r->info = dir ? IPFW_INFO_IN : IPFW_INFO_OUT; + m_tag_prepend(m, tag); } else if ((m = m_dup(*m0, M_DONTWAIT)) == NULL) @@ -310,8 +301,6 @@ ng_ipfw_input(struct mbuf **m0, int dir, struct ip_fw_args *fwa, int tee) return (EINVAL); ip = mtod(m, struct ip *); - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); NG_SEND_DATA_ONLY(error, hook, m); |