author | mlaier <mlaier@FreeBSD.org> | 2004-07-17 05:10:06 +0000 |
---|---|---|
committer | mlaier <mlaier@FreeBSD.org> | 2004-07-17 05:10:06 +0000 |
commit | 512e25ff0c381e595604171a4af5cf7f7ba15f64 (patch) | |
tree | 203d59f4a1a363e46b01bb30478bb27cde0e1fc0 /sys | |
parent | 7f77b9d9fb88afc0949c3855c9c66ffc35512490 (diff) | |
Define the semantics of M_SKIP_FIREWALL more precisely, i.e. also pass associated
icmp_error() packets. While here retire PACKET_TAG_PF_GENERATED (which
served the same purpose) and use M_SKIP_FIREWALL in pf as well. This should
speed up things a bit as we get rid of the tag allocations.
Discussed with: juli
Diffstat (limited to 'sys')
-rw-r--r-- | sys/contrib/pf/net/pf.c | 39 | ||||
-rw-r--r-- | sys/netinet/ip_icmp.c | 16 | ||||
-rw-r--r-- | sys/sys/mbuf.h | 1 |
3 files changed, 34 insertions, 22 deletions
diff --git a/sys/contrib/pf/net/pf.c b/sys/contrib/pf/net/pf.c
index a49b3f6..085f5cb 100644
--- a/sys/contrib/pf/net/pf.c
+++ b/sys/contrib/pf/net/pf.c
@@ -1379,7 +1379,9 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
     u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl)
 {
 	struct mbuf *m;
+#ifdef ALTQ
 	struct m_tag *mtag;
+#endif
 	int len = 0, tlen; /* make the compiler happy */
 #ifdef INET
 	struct ip *h = NULL; /* make the compiler happy */
@@ -1412,6 +1414,12 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
 	}
 
 	/* create outgoing mbuf */
+#ifdef __FreeBSD__
+	m = m_gethdr(M_DONTWAIT, MT_HEADER);
+	if (m == NULL)
+		return;
+	m->m_flags |= M_SKIP_FIREWALL;
+#else
 	mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
 	if (mtag == NULL)
 		return;
@@ -1421,6 +1429,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
 		return;
 	}
 	m_tag_prepend(m, mtag);
+#endif
 #ifdef ALTQ
 	if (r != NULL && r->qid) {
 		struct altq_tag *atag;
@@ -1542,25 +1551,30 @@ void
 pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af,
     struct pf_rule *r)
 {
+#ifdef ALTQ
 	struct m_tag *mtag;
+#endif
 	struct mbuf *m0;
 #ifdef __FreeBSD__
 	struct ip *ip;
 #endif
 
-	mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
-	if (mtag == NULL)
-		return;
 #ifdef __FreeBSD__
 	m0 = m_copypacket(m, M_DONTWAIT);
+	if (m0 == NULL)
+		return;
+	m0->m_flags |= M_SKIP_FIREWALL;
 #else
+	mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
+	if (mtag == NULL)
+		return;
 	m0 = m_copy(m, 0, M_COPYALL);
-#endif
 	if (m0 == NULL) {
 		m_tag_free(mtag);
 		return;
 	}
 	m_tag_prepend(m0, mtag);
+#endif
 #ifdef ALTQ
 	if (r->qid) {
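Review bot: In the first pf_send_tcp hunk the `struct m_tag *mtag;` declaration is now wrapped in `#ifdef ALTQ`, but the `#else` (non-__FreeBSD__) branch added in the second hunk still assigns `mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);` unconditionally, so a build with neither __FreeBSD__ nor ALTQ defined no longer has `mtag` in scope. The same pairing appears in the pf_send_icmp hunk, where the `#else` branch uses `mtag` while the declaration sits under `#ifdef ALTQ`. If the non-FreeBSD path is meant to stay buildable, the guard on the declaration should read `#if defined(ALTQ) || !defined(__FreeBSD__)` in both functions. Both function bodies continue outside the hunks, so whether the FreeBSD+ALTQ path has further uses of `mtag` cannot be confirmed from here.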
@@ -5436,15 +5450,16 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
 
 	/* Cheat. */
 	if (r->rt == PF_FASTROUTE) {
-		mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
-		if (mtag == NULL)
-			goto bad;
-		m_tag_prepend(m0, mtag);
 #ifdef __FreeBSD__
+		m0->m_flags |= M_SKIP_FIREWALL;
 		PF_UNLOCK();
 		ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
 		PF_LOCK();
 #else
+		mtag = m_tag_get(PACKET_TAG_PF_GENERATED, 0, M_NOWAIT);
+		if (mtag == NULL)
+			goto bad;
+		m_tag_prepend(m0, mtag);
 		ip6_output(m0, NULL, NULL, 0, NULL, NULL);
 #endif
 		return;
@@ -5788,9 +5803,11 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0)
 	PF_LOCK();
 #endif
 	if (!pf_status.running ||
-	    (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
 #ifdef __FreeBSD__
+	    (m->m_flags & M_SKIP_FIREWALL)) {
 		PF_UNLOCK();
+#else
+	    (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
 #endif
 		return (PF_PASS);
 	}
@@ -6113,9 +6130,11 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0)
 #endif
 
 	if (!pf_status.running ||
-	    (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
 #ifdef __FreeBSD__
+	    (m->m_flags & M_SKIP_FIREWALL)) {
 		PF_UNLOCK();
+#else
+	    (m_tag_find(m, PACKET_TAG_PF_GENERATED, NULL) != NULL)) {
 #endif
 		return (PF_PASS);
 	}
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 457deba..44c4080 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -144,7 +144,6 @@ icmp_error(n, type, code, dest, destifp)
 	register unsigned oiplen = oip->ip_hl << 2;
 	register struct icmp *icp;
 	register struct mbuf *m;
-	register struct m_tag *mtag;
 	unsigned icmplen;
 
 #ifdef ICMPPRINTFS
@@ -224,6 +223,11 @@ icmp_error(n, type, code, dest, destifp)
 	 */
 	if (m->m_data - sizeof(struct ip) < m->m_pktdat)
 		panic("icmp len");
+	/*
+	 * If the original mbuf was meant to bypass the firewall, the error
+	 * reply should bypass as well.
+	 */
+	m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
 	m->m_data -= sizeof(struct ip);
 	m->m_len += sizeof(struct ip);
 	m->m_pkthdr.len = m->m_len;
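Review bot: The pf_test hunk makes `(m->m_flags & M_SKIP_FIREWALL)` the first check pf performs, returning PF_PASS before any rule or state processing, and the pf_test6 hunk does the same; nothing at the check records who is allowed to set that flag, which now replaces a tag whose name scoped it to pf. A short comment above the condition would keep that trust boundary visible as setters accumulate, e.g. `/* M_SKIP_FIREWALL: set on packets pf generates itself (pf_send_tcp, pf_send_icmp, PF_FASTROUTE) and carried over to their icmp_error() replies; any other setter bypasses pf entirely. */`. The pf_route6 and icmp_error hunks in this diff are the only setters visible here; whether other kernel paths already set the flag cannot be seen from this page. pf_test's body continues on both sides of the hunk.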
@@ -235,16 +239,6 @@ icmp_error(n, type, code, dest, destifp)
 	nip->ip_hl = 5;
 	nip->ip_p = IPPROTO_ICMP;
 	nip->ip_tos = 0;
-	/*
-	 * XXX: Move PF_GENERATED m_tag to new packet, if it exists.
-	 * This should be replaced by unified flags/tags for
-	 * pf/ipfw/ipf and future pfil_hook applications.
-	 */
-	mtag = m_tag_find(n, PACKET_TAG_PF_GENERATED, NULL);
-	if (mtag != NULL) {
-		m_tag_unlink(n, mtag);
-		m_tag_prepend(m, mtag);
-	}
 	icmp_reflect(m);
 
 freeit:
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index ad443fe..0ba8e00 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -626,7 +626,6 @@ struct mbuf *m_uiotombuf(struct uio *, int, int);
 #define PACKET_TAG_DIVERT 17 /* divert info */
 #define PACKET_TAG_IPFORWARD 18 /* ipforward info */
 #define PACKET_TAG_MACLABEL (19 | MTAG_PERSISTENT) /* MAC label */
-#define PACKET_TAG_PF_GENERATED (20 | MTAG_PERSISTENT) /* PF, pass always */
 #define PACKET_TAG_PF_ROUTED 21 /* PF routed, avoid loops */
 #define PACKET_TAG_PF_FRAGCACHE 22 /* PF fragment cached */
 #define PACKET_TAG_PF_QID 23 /* PF ALTQ queue id */