authorjulian <julian@FreeBSD.org>2009-10-11 05:59:43 +0000
committerjulian <julian@FreeBSD.org>2009-10-11 05:59:43 +0000
commit79c1f884ef6881dc506df5a23203f4cc0a447a35 (patch)
treed481a2e714a210799fdaf274f5482c3e67e5c845 /sys/netinet/ip_input.c
parentc98bb6fb8fe1b6c9437608e3d30fd1cbf47e2e6a (diff)
Virtualize the pfil hooks so that different jails may choose different
packet filters. Also allows ipfw to be enabled on one jail and disabled on another. In 8.0 it's a global setting. Sitting around in tree waiting to commit for: 2 months MFC after: 2 months
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r--sys/netinet/ip_input.c20
1 files changed, 10 insertions, 10 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 7886fa7..50b66b5 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -170,7 +170,7 @@ SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW,
&VNET_NAME(ip_checkinterface), 0,
"Verify packet arrives on correct interface");
-struct pfil_head inet_pfil_hook; /* Packet filter hooks */
+VNET_DEFINE(struct pfil_head, inet_pfil_hook); /* Packet filter hooks */
static struct netisr_handler ip_nh = {
.nh_name = "ip",
@@ -318,6 +318,13 @@ ip_init(void)
NULL, UMA_ALIGN_PTR, 0);
maxnipq_update();
+ /* Initialize packet filter hooks. */
+ V_inet_pfil_hook.ph_type = PFIL_TYPE_AF;
+ V_inet_pfil_hook.ph_af = AF_INET;
+ if ((i = pfil_head_register(&V_inet_pfil_hook)) != 0)
+ printf("%s: WARNING: unable to register pfil hook, "
+ "error %d\n", __func__, i);
+
#ifdef FLOWTABLE
TUNABLE_INT_FETCH("net.inet.ip.output_flowtable_size",
&V_ip_output_flowtable_size);
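Review bot: A failed `pfil_head_register(&V_inet_pfil_hook)` is only reported with `printf` and ip_init() carries on, so with per-vnet heads a single jail can come up without an IPv4 filter head while the others are fine. Judging by the last hunk, ip_input() jumps to `passin` whenever `PFIL_HOOKED(&V_inet_pfil_hook)` is false, so that jail's inbound traffic would presumably go unfiltered (fail-open), and the warning does not say which vnet is affected. I would document this above the call, e.g. `/* On failure this vnet has no IPv4 pfil head; ip_input() then skips filtering. */`, and consider identifying the vnet in the message. No matching unregister for vnet teardown is visible in this file's diff; it may live elsewhere. ip_init() starts and ends outside the hunk.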
@@ -348,13 +355,6 @@ ip_init(void)
ip_protox[pr->pr_protocol] = pr - inetsw;
}
- /* Initialize packet filter hooks. */
- inet_pfil_hook.ph_type = PFIL_TYPE_AF;
- inet_pfil_hook.ph_af = AF_INET;
- if ((i = pfil_head_register(&inet_pfil_hook)) != 0)
- printf("%s: WARNING: unable to register pfil hook, "
- "error %d\n", __func__, i);
-
/* Start ipport_tick. */
callout_init(&ipport_tick_callout, CALLOUT_MPSAFE);
callout_reset(&ipport_tick_callout, 1, ipport_tick, NULL);
@@ -510,11 +510,11 @@ tooshort:
*/
/* Jump over all PFIL processing if hooks are not active. */
- if (!PFIL_HOOKED(&inet_pfil_hook))
+ if (!PFIL_HOOKED(&V_inet_pfil_hook))
goto passin;
odst = ip->ip_dst;
- if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_IN, NULL) != 0)
+ if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, NULL) != 0)
return;
if (m == NULL) /* consumed by filter */
return;
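Review bot: `V_inet_pfil_hook` is presumably resolved against the current vnet context, so both the `PFIL_HOOKED` test and the `pfil_run_hooks()` call depend on ip_input() being entered with that context set to the vnet of the receiving interface `ifp`; nothing in the hunk checks or states this. If the context were wrong, the packet would be matched against another jail's rules or skip filtering altogether. A comment above the test would record the assumption, e.g. `/* V_inet_pfil_hook is per-vnet: the caller must have set the vnet of ifp. */`. ip_input() begins and continues outside the hunk.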