authorsam <sam@FreeBSD.org>2003-09-23 17:54:04 +0000
committersam <sam@FreeBSD.org>2003-09-23 17:54:04 +0000
commitcd738e85741205de9f360fdbeaa49f30ce2038d9 (patch)
treec61b991702ec6f77c0e1b96cda74ae091fa2e749 /sys/netinet6
parent655247e0f5d689da4bda90e946a5227f58670ef2 (diff)
o update PFIL_HOOKS support to current API used by netbsd
o revamp IPv4+IPv6+bridge usage to match API changes
o remove pfil_head instances from protosw entries (no longer used)
o add locking
o bump FreeBSD version for 3rd party modules

Heavy lifting by: "Max Laier" <max@love2party.net>
Supported by: FreeBSD Foundation
Obtained from: NetBSD (bits of pfil.h and pfil.c)
Diffstat (limited to 'sys/netinet6')
-rw-r--r--sys/netinet6/ip6_forward.c28
-rw-r--r--sys/netinet6/ip6_input.c39
-rw-r--r--sys/netinet6/ip6_output.c26
-rw-r--r--sys/netinet6/ip6_var.h4
-rw-r--r--sys/netinet6/ip6protosw.h6
5 files changed, 35 insertions, 68 deletions
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 1e6dde8..9233aba 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -34,6 +34,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_pfil_hooks.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -113,11 +114,6 @@ ip6_forward(m, srcrt)
int error, type = 0, code = 0;
struct mbuf *mcopy = NULL;
struct ifnet *origifp; /* maybe unnecessary */
-#ifdef PFIL_HOOKS
- struct packet_filter_hook *pfh;
- struct mbuf *m1;
- int rv;
-#endif /* PFIL_HOOKS */
#ifdef IPSEC
struct secpolicy *sp = NULL;
#endif
@@ -526,21 +522,13 @@ ip6_forward(m, srcrt)
/*
* Run through list of hooks for output packets.
*/
- m1 = m;
- pfh = pfil_hook_get(PFIL_OUT, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
- for (; pfh; pfh = pfh->pfil_link.tqe_next)
- if (pfh->pfil_func) {
- rv = pfh->pfil_func(ip6, sizeof(*ip6),
- rt->rt_ifp, 1, &m1);
- if (rv) {
- error = EHOSTUNREACH;
- goto freecopy;
- }
- m = m1;
- if (m == NULL)
- goto freecopy;
- ip6 = mtod(m, struct ip6_hdr *);
- }
+ if (pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT) != 0) {
+ error = EHOSTUNREACH;
+ goto freecopy;
+ }
+ if (m == NULL)
+ goto freecopy;
+ ip6 = mtod(m, struct ip6_hdr *);
#endif /* PFIL_HOOKS */
error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
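Review bot: When `pfil_run_hooks()` returns non-zero, the new code jumps to `freecopy` without touching `m`, so the path relies on every registered hook having already freed the packet; nothing in the hunk states that contract. The `freecopy` label is outside the hunk, so whether it frees anything besides the copy cannot be confirmed from here. If a hook rejects a packet without freeing it, each dropped packet would leak an mbuf, which under sustained filtered traffic becomes resource exhaustion. I would record the ownership rule at the call site, e.g. `/* on non-zero return the hook has freed the packet; m must not be used or freed here */`. The same applies to the matching calls in ip6_input.c and ip6_output.c.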
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index dcb74fb..9089071 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -143,6 +143,9 @@ int ip6_sourcecheck_interval; /* XXX */
int ip6_ours_check_algorithm;
+#ifdef PFIL_HOOKS
+struct pfil_head inet6_pfil_hook;
+#endif
/* firewall hooks */
ip6_fw_chk_t *ip6_fw_chk_ptr;
@@ -184,6 +187,13 @@ ip6_init()
if (pr->pr_domain->dom_family == PF_INET6 &&
pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
ip6_protox[pr->pr_protocol] = pr - inet6sw;
+#ifdef PFIL_HOOKS
+ inet6_pfil_hook.ph_type = PFIL_TYPE_AF;
+ inet6_pfil_hook.ph_af = AF_INET6;
+ if ((i = pfil_head_register(&inet6_pfil_hook)) != 0)
+ printf("%s: WARNING: unable to register pfil hook, "
+ "error %d\n", __func__, i);
+#endif /* PFIL_HOOKS */
ip6intrq.ifq_maxlen = ip6qmaxlen;
mtx_init(&ip6intrq.ifq_mtx, "ip6_inq", NULL, MTX_DEF);
netisr_register(NETISR_IPV6, ip6_input, &ip6intrq);
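Review bot: A failed `pfil_head_register()` is only reported with a `printf`, and ip6_init then carries on, so the stack would come up with an IPv6 filter head that was never registered. Filters presumably cannot attach to it afterwards, so IPv6 traffic would pass unfiltered with nothing but a boot-time message to show for it. The other hunks in this commit still pass `&inet6_pfil_hook` to `pfil_run_hooks()` unconditionally, and whether running an unregistered head is safe with the new locking is not visible here. At minimum a comment such as `/* on failure no IPv6 packet filter can attach: traffic is NOT filtered */` should state the consequence; treating the failure as fatal is worth considering. Reusing the loop counter `i` as the error code also reads poorly; a dedicated `int error` would be clearer. The body of ip6_init continues outside the hunk.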
@@ -241,11 +251,6 @@ ip6_input(m)
u_int32_t rtalert = ~0;
int nxt, ours = 0;
struct ifnet *deliverifp = NULL;
-#ifdef PFIL_HOOKS
- struct packet_filter_hook *pfh;
- struct mbuf *m0;
- int rv;
-#endif /* PFIL_HOOKS */
#ifdef IPSEC
/*
@@ -340,25 +345,13 @@ ip6_input(m)
#ifdef PFIL_HOOKS
/*
- * Run through list of hooks for input packets. If there are any
- * filters which require that additional packets in the flow are
- * not fast-forwarded, they must clear the M_CANFASTFWD flag.
- * Note that filters must _never_ set this flag, as another filter
- * in the list may have previously cleared it.
+ * Run through list of hooks for input packets.
*/
- m0 = m;
- pfh = pfil_hook_get(PFIL_IN, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
- for (; pfh; pfh = pfh->pfil_link.tqe_next)
- if (pfh->pfil_func) {
- rv = pfh->pfil_func(ip6, sizeof(*ip6),
- m->m_pkthdr.rcvif, 0, &m0);
- if (rv)
- return;
- m = m0;
- if (m == NULL)
- return;
- ip6 = mtod(m, struct ip6_hdr *);
- }
+ if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN))
+ return;
+ if (m == NULL) /* consumed by filter */
+ return;
+ ip6 = mtod(m, struct ip6_hdr *);
#endif /* PFIL_HOOKS */
ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
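Review bot: After the hooks return, `ip6 = mtod(m, struct ip6_hdr *)` is dereferenced on the very next line (`ip6->ip6_nxt`) without re-checking that the first mbuf still holds a complete IPv6 header. The hooks receive `&m` and may hand back a different chain. If the pfil contract does not guarantee a contiguous header (it is not visible here), a guard before the `mtod` would keep the access in bounds: `if (m->m_len < sizeof(struct ip6_hdr) && (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) return;`. The same re-derivation appears in the ip6_forward.c and ip6_output.c hunks. As a style point, this call tests the return value implicitly while the other two call sites write `!= 0`; one form should be used throughout.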
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index b18f9a7..7e81373 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -173,11 +173,6 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
struct route_in6 *ro_pmtu = NULL;
int hdrsplit = 0;
int needipsec = 0;
-#ifdef PFIL_HOOKS
- struct packet_filter_hook *pfh;
- struct mbuf *m1;
- int rv;
-#endif /* PFIL_HOOKS */
#ifdef IPSEC
int needipsectun = 0;
struct secpolicy *sp = NULL;
@@ -931,20 +926,13 @@ skip_ipsec2:;
/*
* Run through list of hooks for output packets.
*/
- m1 = m;
- pfh = pfil_hook_get(PFIL_OUT, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
- for (; pfh; pfh = pfh->pfil_link.tqe_next)
- if (pfh->pfil_func) {
- rv = pfh->pfil_func(ip6, sizeof(*ip6), ifp, 1, &m1);
- if (rv) {
- error = EHOSTUNREACH;
- goto done;
- }
- m = m1;
- if (m == NULL)
- goto done;
- ip6 = mtod(m, struct ip6_hdr *);
- }
+ if (pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT) != 0) {
+ error = EHOSTUNREACH;
+ goto done;
+ }
+ if (m == NULL)
+ goto done;
+ ip6 = mtod(m, struct ip6_hdr *);
#endif /* PFIL_HOOKS */
/*
* Send the packet to the outgoing interface.
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index 7ffdf1e..2f7e2a6 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -285,6 +285,10 @@ extern int ip6_lowportmax; /* maximum reserved port */
extern int ip6_use_tempaddr; /* whether to use temporary addresses. */
+#ifdef PFIL_HOOKS
+extern struct pfil_head inet6_pfil_hook;
+#endif
+
extern struct pr_usrreqs rip6_usrreqs;
struct sockopt;
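Review bot: The new `extern struct pfil_head inet6_pfil_hook;` is visible only when `PFIL_HOOKS` is defined before this header is included, which presumably comes from `opt_pfil_hooks.h` (this commit adds that include to ip6_forward.c). A source file or third-party module that includes ip6_var.h without the option header will silently see no declaration. A one-line comment above the `#ifdef` would document the dependency, e.g. `/* PFIL_HOOKS comes from opt_pfil_hooks.h, which must be included first */`.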
diff --git a/sys/netinet6/ip6protosw.h b/sys/netinet6/ip6protosw.h
index 9730121..c6d4589 100644
--- a/sys/netinet6/ip6protosw.h
+++ b/sys/netinet6/ip6protosw.h
@@ -72,11 +72,6 @@
#define _NETINET6_IP6PROTOSW_H_
/*
- * For pfil_head structure.
- */
-#include <net/pfil.h>
-
-/*
* Protocol switch table for IPv6.
* All other definitions should refer to sys/protosw.h
*/
@@ -153,7 +148,6 @@ struct ip6protosw {
void (*pr_drain) /* flush any excess space possible */
__P((void));
struct pr_usrreqs *pr_usrreqs; /* supersedes pr_usrreq() */
- struct pfil_head pr_pfh;
};
#ifdef _KERNEL