diff options
author | ae <ae@FreeBSD.org> | 2012-10-25 09:39:14 +0000 |
---|---|---|
committer | ae <ae@FreeBSD.org> | 2012-10-25 09:39:14 +0000 |
commit | 71112b5a8eb3a8cd3f5d49eff9664a32fec42b56 (patch) | |
tree | 74b574e44bf5e980b33dbec1477301fa3513db78 /sys/netinet | |
parent | ae88b227912c0ec48a0dde46fe47f423ca864059 (diff) | |
download | FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.zip FreeBSD-src-71112b5a8eb3a8cd3f5d49eff9664a32fec42b56.tar.gz |
Remove the IPFIREWALL_FORWARD kernel option and make possible to turn
on the related functionality in the runtime via the sysctl variable
net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_fastfwd.c | 20 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 5 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 11 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 17 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 10 |
5 files changed, 19 insertions, 44 deletions
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c index 0eaaafe..b8d04ec 100644 --- a/sys/netinet/ip_fastfwd.c +++ b/sys/netinet/ip_fastfwd.c @@ -167,9 +167,7 @@ ip_fastforward(struct mbuf *m) uint16_t sum, ip_len, ip_off; int error = 0; int hlen, mtu; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; /* * Are we active and forwarding packets? @@ -372,14 +370,13 @@ ip_fastforward(struct mbuf *m) * Go on with new destination address */ } -#ifdef IPFIREWALL_FORWARD + if (m->m_flags & M_FASTFWD_OURS) { /* * ipfw changed it for a local address on this host. */ goto forwardlocal; } -#endif /* IPFIREWALL_FORWARD */ passin: /* @@ -449,20 +446,13 @@ passin: /* * Destination address changed? */ -#ifndef IPFIREWALL_FORWARD - if (odest.s_addr != dest.s_addr) { -#else - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); + if (V_pfilforward != 0) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (odest.s_addr != dest.s_addr || fwd_tag != NULL) { -#endif /* IPFIREWALL_FORWARD */ /* * Is it now for a local address on this host? */ -#ifndef IPFIREWALL_FORWARD - if (in_localip(dest)) { -#else if (m->m_flags & M_FASTFWD_OURS || in_localip(dest)) { -#endif /* IPFIREWALL_FORWARD */ forwardlocal: /* * Return packet for processing by ip_input(). @@ -475,13 +465,11 @@ forwardlocal: /* * Redo route lookup with new destination address */ -#ifdef IPFIREWALL_FORWARD if (fwd_tag) { dest.s_addr = ((struct sockaddr_in *) (fwd_tag + 1))->sin_addr.s_addr; m_tag_delete(m, fwd_tag); } -#endif /* IPFIREWALL_FORWARD */ RTFREE(ro.ro_rt); if ((dst = ip_findroute(&ro, dest, m)) == NULL) return NULL; /* icmp unreach already sent */ diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index baa08a4..e0e98a2 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -509,7 +509,9 @@ tooshort: dchg = (odst.s_addr != ip->ip_dst.s_addr); ifp = m->m_pkthdr.rcvif; -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passin; + if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; goto ours; @@ -523,7 +525,6 @@ tooshort: ip_forward(m, dchg); return; } -#endif /* IPFIREWALL_FORWARD */ passin: diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 51c8b0e..2df0fe8 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -129,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags, struct route iproute; struct rtentry *rte; /* cache for ro->ro_rt */ struct in_addr odst; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag = NULL; -#endif #ifdef IPSEC int no_route_but_check_spd = 0; #endif @@ -218,11 +216,7 @@ again: ro->ro_lle = NULL; rte = NULL; } -#ifdef IPFIREWALL_FORWARD if (rte == NULL && fwd_tag == NULL) { -#else - if (rte == NULL) { -#endif bzero(dst, sizeof(*dst)); dst->sin_family = AF_INET; dst->sin_len = sizeof(*dst); @@ -543,7 +537,9 @@ sendit: } } -#ifdef IPFIREWALL_FORWARD + if (V_pfilforward == 0) + goto passout; + /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -574,7 +570,6 @@ sendit: ifa_free(&ia->ia_ifa); goto again; } -#endif /* IPFIREWALL_FORWARD */ passout: /* 127/8 must not appear on wire - RFC1122. */ diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 0341207..1d56dfd 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -75,6 +75,7 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> +#include <net/pfil.h> #include <net/route.h> #include <net/vnet.h> @@ -544,9 +545,7 @@ tcp_input(struct mbuf *m, int off0) uint8_t sig_checked = 0; #endif uint8_t iptos = 0; -#ifdef IPFIREWALL_FORWARD - struct m_tag *fwd_tag; -#endif + struct m_tag *fwd_tag = NULL; #ifdef INET6 struct ip6_hdr *ip6 = NULL; int isipv6; @@ -754,15 +753,13 @@ findpcb: } #endif -#ifdef IPFIREWALL_FORWARD /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); -#endif /* IPFIREWALL_FORWARD */ + if (V_pfilforward != 0) + fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); #ifdef INET6 -#ifdef IPFIREWALL_FORWARD if (isipv6 && fwd_tag != NULL) { struct sockaddr_in6 *next_hop6; @@ -788,9 +785,7 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); - } else -#endif /* IPFIREWALL_FORWARD */ - if (isipv6) { + } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, @@ -801,7 +796,6 @@ findpcb: else #endif #ifdef INET -#ifdef IPFIREWALL_FORWARD if (fwd_tag != NULL) { struct sockaddr_in *next_hop; @@ -828,7 +822,6 @@ findpcb: /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport, INPLOOKUP_WILDCARD | INPLOOKUP_WLOCKPCB, diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 9a4a682..cd08468 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -65,6 +65,7 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> +#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -341,9 +342,7 @@ udp_input(struct mbuf *m, int off) uint16_t len, ip_len; struct ip save_ip; struct sockaddr_in udp_in; -#ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag; -#endif ifp = m->m_pkthdr.rcvif; UDPSTAT_INC(udps_ipackets); @@ -546,12 +545,12 @@ udp_input(struct mbuf *m, int off) /* * Locate pcb for datagram. */ -#ifdef IPFIREWALL_FORWARD + /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag != NULL) { + if (V_pfilforward != 0 && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in *next_hop; next_hop = (struct sockaddr_in *)(fwd_tag + 1); @@ -577,7 +576,6 @@ udp_input(struct mbuf *m, int off) /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); } else -#endif /* IPFIREWALL_FORWARD */ inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport, ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB, ifp, m); |