authorluigi <luigi@FreeBSD.org>2010-01-07 10:39:15 +0000
committerluigi <luigi@FreeBSD.org>2010-01-07 10:39:15 +0000
commitdb333db4e680708d586264636ea6a5968be810ac (patch)
tree5011e2610be6e93e190c2d7fc7e30482ada9ac57 /sys/netinet/ipfw
parentf1fcae96add4034bc2e513e4a13d14851c00d0b4 (diff)
Following up on a request from Ermal Luci to make
ip_divert work as a client of pf(4), make ip_divert not depend on ipfw. This is achieved by moving to ip_var.h the struct ipfw_rule_ref (which is part of the mtag for all reinjected packets) and other declarations of global variables, and moving to raw_ip.c global variables for filter and divert hooks. Note that names and locations could be made more generic (ipfw_rule_ref is really a generic reference robust to reconfigurations; the packet filter is not necessarily ipfw; filters and their clients are not necessarily limited to ipv4), but _right now_ most of this stuff works on ipfw and ipv4, so I don't feel like doing a gratuitous renaming, at least for the time being.
Diffstat (limited to 'sys/netinet/ipfw')
-rw-r--r--sys/netinet/ipfw/ip_fw_private.h48
1 files changed, 1 insertions, 47 deletions
diff --git a/sys/netinet/ipfw/ip_fw_private.h b/sys/netinet/ipfw/ip_fw_private.h
index cfc07aa..92508f1 100644
--- a/sys/netinet/ipfw/ip_fw_private.h
+++ b/sys/netinet/ipfw/ip_fw_private.h
@@ -35,8 +35,6 @@
#ifdef _KERNEL
-#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */
-#define MTAG_IPFW_RULE 1262273568 /* rule reference */
/* Return values from ipfw_chk() */
enum {
@@ -66,38 +64,6 @@ struct _ip6dn_args {
struct route_in6 ro_pmtu_or;
};
-/*
- * Reference to an ipfw rule that can be carried outside critical sections.
- * A rule is identified by rulenum:rule_id which is ordered.
- * In version chain_id the rule can be found in slot 'slot', so
- * we don't need a lookup if chain_id == chain->id.
- *
- * On exit from the firewall this structure refers to the rule after
- * the matching one (slot points to the new rule; rulenum:rule_id-1
- * is the matching rule), and additional info (e.g. info often contains
- * the insn argument or tablearg in the low 16 bits, in host format).
- * On entry, the structure is valid if slot>0, and refers to the starting
- * rules. 'info' contains the reason for reinject, e.g. divert port,
- * divert direction, and so on.
- */
-struct ipfw_rule_ref {
- uint32_t slot; /* slot for matching rule */
- uint32_t rulenum; /* matching rule number */
- uint32_t rule_id; /* matching rule id */
- uint32_t chain_id; /* ruleset id */
- uint32_t info; /* see below */
-};
-
-enum {
- IPFW_INFO_MASK = 0x0000ffff,
- IPFW_INFO_OUT = 0x00000000, /* outgoing, just for convenience */
- IPFW_INFO_IN = 0x80000000, /* incoming, overloads dir */
- IPFW_ONEPASS = 0x40000000, /* One-pass, do not reinject */
- IPFW_IS_MASK = 0x30000000, /* which source ? */
- IPFW_IS_DIVERT = 0x20000000,
- IPFW_IS_DUMMYNET =0x10000000,
- IPFW_IS_PIPE = 0x08000000, /* pip1=1, queue = 0 */
-};
/*
* Arguments for calling ipfw_chk() and dummynet_io(). We put them
@@ -289,10 +255,7 @@ int ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt);
int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl);
-/* hooks for divert */
-extern void (*ip_divert_ptr)(struct mbuf *m, int incoming);
-
-/* In ip_fw_nat.c */
+/* In ip_fw_nat.c -- XXX to be moved to ip_var.h */
extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
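Review bot: The one added line, `/* In ip_fw_nat.c -- XXX to be moved to ip_var.h */`, records a pending move but not the include dependency this commit appears to create. The diffstat shows a single insertion for this file, so no `#include` was added; any remaining use of `struct ipfw_rule_ref` or the `MTAG_IPFW*` cookies in this header (the `ipfw_chk()` argument block after the second hunk presumably has one) now relies on each includer pulling in `<netinet/ip_var.h>` first. I would state that near the top of the `_KERNEL` section, e.g. `/* requires <netinet/ip_var.h> for struct ipfw_rule_ref and the MTAG_IPFW* cookies */`, or add the include itself. The last hunk also removes `NG_IPFW_LOADED`, the only visible statement that a hook pointer may be NULL, so the comment on the remaining `*_ptr` hooks should say whether callers must NULL-check them before the call.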
@@ -307,14 +270,5 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr;
extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
-/* netgraph prototypes */
-
-typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int);
-extern ng_ipfw_input_t *ng_ipfw_input_p;
-#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL)
-
-#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))
-
-
#endif /* _KERNEL */
#endif /* _IPFW2_PRIVATE_H */