author | lstewart <lstewart@FreeBSD.org> | 2010-11-20 07:36:43 +0000 |
---|---|---|
committer | lstewart <lstewart@FreeBSD.org> | 2010-11-20 07:36:43 +0000 |
commit | 1f06c5de0debd265cae50275391a7f4e5bc78675 (patch) | |
tree | 43e7c70d779402933d31efee38055dba56500cd4 /sys/netinet | |
parent | b37eae53ee4e3a1a5a0e62469ccda2c3663710b3 (diff) | |
When enabling or disabling SIFTR with a VIMAGE kernel, ensure we add or remove
the SIFTR pfil(9) hook functions to or from all network stacks. This patch
allows packets inbound or outbound from a vnet to be "seen" by SIFTR.
Additional work is required to allow SIFTR to actually generate log messages for
all vnet related packets because the siftr_findinpcb() function does not yet
search for inpcbs across all vnets. This issue will be fixed separately.
Reported and tested by: David Hayes <dahayes at swin edu au>
MFC after: 3 days
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/siftr.c | 36 |
1 files changed, 24 insertions, 12 deletions
diff --git a/sys/netinet/siftr.c b/sys/netinet/siftr.c
index af77fec..254bea8 100644
--- a/sys/netinet/siftr.c
+++ b/sys/netinet/siftr.c
@@ -1109,26 +1109,38 @@ ret6:
 static int
 siftr_pfil(int action)
 {
- struct pfil_head *pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+ struct pfil_head *pfh_inet;
 #ifdef SIFTR_IPV6
- struct pfil_head *pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+ struct pfil_head *pfh_inet6;
 #endif
+ VNET_ITERATOR_DECL(vnet_iter);
 
- if (action == HOOK) {
- pfil_add_hook(siftr_chkpkt, NULL,
- PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
+ VNET_LIST_RLOCK();
+ VNET_FOREACH(vnet_iter) {
+ CURVNET_SET(vnet_iter);
+ pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
 #ifdef SIFTR_IPV6
- pfil_add_hook(siftr_chkpkt6, NULL,
- PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+ pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
 #endif
- } else if (action == UNHOOK) {
- pfil_remove_hook(siftr_chkpkt, NULL,
- PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
+
+ if (action == HOOK) {
+ pfil_add_hook(siftr_chkpkt, NULL,
+ PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
+#ifdef SIFTR_IPV6
+ pfil_add_hook(siftr_chkpkt6, NULL,
+ PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+#endif
+ } else if (action == UNHOOK) {
+ pfil_remove_hook(siftr_chkpkt, NULL,
+ PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);
 #ifdef SIFTR_IPV6
- pfil_remove_hook(siftr_chkpkt6, NULL,
- PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+ pfil_remove_hook(siftr_chkpkt6, NULL,
+ PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet6);
 #endif
+ }
+ CURVNET_RESTORE();
 }
+ VNET_LIST_RUNLOCK();
 
 return (0);
 } |
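Review bot: The results of `pfil_add_hook()` and `pfil_remove_hook()` inside the new `VNET_FOREACH` loop are discarded and `siftr_pfil()` still ends with `return (0);`, so a failure in one network stack leaves SIFTR hooked in some vnets and not in others without the caller being told. For a facility whose purpose is to observe traffic, that is a silent coverage gap; I would keep the first non-zero result in a local (`error = pfil_add_hook(siftr_chkpkt, NULL, PFIL_IN | PFIL_OUT | PFIL_WAITOK, pfh_inet);`, likewise for the other three calls) and return it after `VNET_LIST_RUNLOCK()`. The `pfil_head_get()` results are also passed on unchecked; if a head can be absent in a given vnet (not visible from this hunk), test for `NULL` before the hook calls and make sure that path still reaches `CURVNET_RESTORE()`. The loop covers only the vnets that exist when SIFTR is toggled, so a short comment above `VNET_FOREACH` such as `/* vnets created after this point are not hooked */` would document that limit, assuming nothing elsewhere handles vnet creation.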