authorandre <andre@FreeBSD.org>2004-08-27 15:16:24 +0000
committerandre <andre@FreeBSD.org>2004-08-27 15:16:24 +0000
commitd243747d92c4cacce93fc3a982655dc80d4886d4 (patch)
tree2f8a616b3f6fffde5d0da52a85305bbcf5376c9f /sys/netinet
parentdd8d6f138f3ed1089978b76d0d13a754a30b12f4 (diff)
Always compile PFIL_HOOKS into the kernel and remove the associated kernel
compile option. All FreeBSD packet filters now use the PFIL_HOOKS API and thus it becomes a standard part of the network stack. If no hooks are connected, the entire packet filter hooks section and related activities are jumped over. This removes any performance impact if no hooks are active. Both OpenBSD and DragonFlyBSD have integrated PFIL_HOOKS permanently as well.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_fastfwd.c14
-rw-r--r--sys/netinet/ip_fw_pfil.c6
-rw-r--r--sys/netinet/ip_input.c28
-rw-r--r--sys/netinet/ip_output.c24
-rw-r--r--sys/netinet/ip_var.h4
5 files changed, 29 insertions, 47 deletions
diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index bc7c359..9a441f0 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -77,7 +77,6 @@
#include "opt_ipfw.h"
#include "opt_ipstealth.h"
-#include "opt_pfil_hooks.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -353,10 +352,13 @@ ip_fastforward(struct mbuf *m)
ip->ip_off = ntohs(ip->ip_off);
odest.s_addr = dest.s_addr = ip->ip_dst.s_addr;
-#ifdef PFIL_HOOKS
+
/*
* Run through list of ipfilter hooks for input packets
*/
+ if (inet_pfil_hook.ph_busy_count == -1)
+ goto passin;
+
if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) ||
m == NULL)
return 1;
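Review bot: The bypass added as `if (inet_pfil_hook.ph_busy_count == -1)` open-codes a pfil-internal sentinel and reads it without the head's lock; the same pattern is repeated in the PFIL_OUT hunk of this file and in the ip_input.c and ip_output.c hunks. The packet path now depends on exactly which counter value means "no hook attached", so any later change to pfil's bookkeeping would silently turn this fast path into a filter bypass rather than a build error. A one-line helper next to the definition of ph_busy_count in <net/pfil.h>, sketched as `#define PFIL_HOOKED(ph) ((ph)->ph_busy_count != -1)` (constructed name) and used as `if (!PFIL_HOOKED(&inet_pfil_hook)) goto passin;`, keeps the meaning of the sentinel and a comment that the unlocked read is intentional in one place. ip_fastforward's body continues outside the hunk.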
@@ -388,8 +390,8 @@ ip_fastforward(struct mbuf *m)
goto forwardlocal;
}
#endif /* IPFIREWALL_FORWARD */
-#endif /* PFIL_HOOKS */
+passin:
/*
* Step 4: decrement TTL and look up route
*/
@@ -429,10 +431,12 @@ ip_fastforward(struct mbuf *m)
* Step 5: outgoing firewall packet processing
*/
-#ifdef PFIL_HOOKS
/*
* Run through list of hooks for output packets.
*/
+ if (inet_pfil_hook.ph_busy_count == -1)
+ goto passout;
+
if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT) || m == NULL) {
goto consumed;
}
@@ -489,8 +493,8 @@ forwardlocal:
return 1; /* icmp unreach already sent */
ifp = ro.ro_rt->rt_ifp;
}
-#endif /* PFIL_HOOKS */
+passout:
/*
* Step 6: send off the packet
*/
diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c
index 0f7d544..77ba4b6 100644
--- a/sys/netinet/ip_fw_pfil.c
+++ b/sys/netinet/ip_fw_pfil.c
@@ -30,15 +30,11 @@
#include "opt_ipfw.h"
#include "opt_ipdn.h"
#include "opt_ipdivert.h"
-#include "opt_pfil_hooks.h"
#include "opt_inet.h"
#ifndef INET
#error IPFIREWALL requires INET.
#endif /* INET */
-#if !defined(PFIL_HOOKS)
-#error IPFIREWALL requires PFIL_HOOKS.
-#endif
-#endif
+#endif /* KLD_MODULE */
#include <sys/param.h>
#include <sys/systm.h>
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 98e1185..4d8c813 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -35,7 +35,6 @@
#include "opt_ipstealth.h"
#include "opt_ipsec.h"
#include "opt_mac.h"
-#include "opt_pfil_hooks.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -156,9 +155,8 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW,
#ifdef DIAGNOSTIC
static int ipprintfs = 0;
#endif
-#ifdef PFIL_HOOKS
-struct pfil_head inet_pfil_hook;
-#endif
+
+struct pfil_head inet_pfil_hook; /* Packet filter hooks */
static struct ifqueue ipintrq;
static int ipqmaxlen = IFQ_MAXLEN;
@@ -264,13 +262,12 @@ ip_init()
pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW)
ip_protox[pr->pr_protocol] = pr - inetsw;
-#ifdef PFIL_HOOKS
+ /* Initialize packet filter hooks. */
inet_pfil_hook.ph_type = PFIL_TYPE_AF;
inet_pfil_hook.ph_af = AF_INET;
if ((i = pfil_head_register(&inet_pfil_hook)) != 0)
printf("%s: WARNING: unable to register pfil hook, "
"error %d\n", __func__, i);
-#endif /* PFIL_HOOKS */
IPQ_LOCK_INIT();
for (i = 0; i < IPREASS_NHASH; i++)
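Review bot: The failure branch of `pfil_head_register()` still only prints a WARNING and continues, but after this commit every input and output path consults `inet_pfil_hook` and calls `pfil_run_hooks()` on it unconditionally. If registration fails, the head stays the zero-initialized file-scope object declared in this file, whose ph_busy_count is 0 rather than the -1 the new bypass tests for, so the data path would run hooks on an unregistered head (what pfil_head_register leaves behind before failing is outside this diff, so this is inferred). Since the subsystem is now mandatory, the error should be fatal, e.g. `panic("%s: unable to register pfil hook, error %d", __func__, i);`, or the comment should state why continuing is safe. ip_init's body continues outside the hunk.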
@@ -298,9 +295,7 @@ ip_input(struct mbuf *m)
int checkif, hlen = 0;
u_short sum;
int dchg = 0; /* dest changed after fw */
-#ifdef PFIL_HOOKS
struct in_addr odst; /* original dst address */
-#endif
#ifdef FAST_IPSEC
struct m_tag *mtag;
struct tdb_ident *tdbi;
@@ -414,17 +409,16 @@ tooshort:
* Bypass packet filtering for packets from a tunnel (gif).
*/
if (ipsec_getnhist(m))
- goto pass;
+ goto passin;
#endif
#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
/*
* Bypass packet filtering for packets from a tunnel (gif).
*/
if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
- goto pass;
+ goto passin;
#endif
-#ifdef PFIL_HOOKS
/*
* Run through list of hooks for input packets.
*
@@ -432,6 +426,11 @@ tooshort:
* by NAT rewriting). When this happens, tell
* ip_forward to do the right thing.
*/
+
+ /* Jump over all PFIL processing if hooks are not active. */
+ if (inet_pfil_hook.ph_busy_count == -1)
+ goto passin;
+
odst = ip->ip_dst;
if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
PFIL_IN) != 0)
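Review bot: The bypass inserted at `/* Jump over all PFIL processing if hooks are not active. */` / `if (inet_pfil_hook.ph_busy_count == -1)` sits below the block comment that begins `Run through list of hooks for input packets`, so that comment now describes code several lines further down and a reader looking for the early exit has to read past it. The ip_output.c hunk orders this the other way — bypass first, then a one-line `/* Run through list of hooks for output packets. */` directly above `odst.s_addr = ip->ip_dst.s_addr;` — and mirroring that here (bypass, then the existing block comment, then `odst = ip->ip_dst;`) keeps the two files consistent. The enclosing ip_input() body continues on both sides of the hunk.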
@@ -450,12 +449,7 @@ tooshort:
dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL);
#endif /* IPFIREWALL_FORWARD */
-#endif /* PFIL_HOOKS */
-
-#if (defined(FAST_IPSEC) || defined(IPSEC)) && !defined(IPSEC_FILTERGIF)
-pass:
-#endif
-
+passin:
/*
* Process options and, if not destined for us,
* ship it on. ip_dooptions returns 1 when an
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 3576905..b392b99 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -33,7 +33,6 @@
#include "opt_ipfw.h"
#include "opt_ipsec.h"
#include "opt_mac.h"
-#include "opt_pfil_hooks.h"
#include "opt_mbuf_stress_test.h"
#include <sys/param.h>
@@ -49,6 +48,7 @@
#include <net/if.h>
#include <net/netisr.h>
+#include <net/pfil.h>
#include <net/route.h>
#include <netinet/in.h>
@@ -58,9 +58,6 @@
#include <netinet/in_var.h>
#include <netinet/ip_var.h>
-#ifdef PFIL_HOOKS
-#include <net/pfil.h>
-#endif
#include <machine/in_cksum.h>
@@ -132,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
struct in_ifaddr *ia = NULL;
int isbroadcast, sw_csum;
struct route iproute;
-#ifdef PFIL_HOOKS
struct in_addr odst;
-#endif
#ifdef IPFIREWALL_FORWARD
struct m_tag *fwd_tag = NULL;
#endif
@@ -187,9 +182,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
}
dst = (struct sockaddr_in *)&ro->ro_dst;
-#ifdef PFIL_HOOKS
again:
-#endif
/*
* If there is a cached route,
* check that it is to the same destination
@@ -665,10 +658,11 @@ skip_ipsec:
spd_done:
#endif /* FAST_IPSEC */
-#ifdef PFIL_HOOKS
- /*
- * Run through list of hooks for output packets.
- */
+ /* Jump over all PFIL processing if hooks are not active. */
+ if (inet_pfil_hook.ph_busy_count == -1)
+ goto passout;
+
+ /* Run through list of hooks for output packets. */
odst.s_addr = ip->ip_dst.s_addr;
error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT);
if (error != 0 || m == NULL)
@@ -729,11 +723,7 @@ spd_done:
}
#endif
-#endif /* PFIL_HOOKS */
-
-#if 0
-pass:
-#endif
+passout:
/* 127/8 must not appear on wire - RFC1122. */
if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
(ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index f557225..46bd596 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -192,9 +192,7 @@ extern int (*ip_rsvp_vif)(struct socket *, struct sockopt *);
extern void (*ip_rsvp_force_done)(struct socket *);
extern void (*rsvp_input_p)(struct mbuf *m, int off);
-#ifdef PFIL_HOOKS
-extern struct pfil_head inet_pfil_hook;
-#endif
+extern struct pfil_head inet_pfil_hook; /* packet filter hooks */
void in_delayed_cksum(struct mbuf *m);