-rw-r--r-- | UPDATING | 4 | ||||
-rw-r--r-- | share/man/man4/ipfirewall.4 | 2 | ||||
-rw-r--r-- | share/man/man9/pfil.9 | 6 | ||||
-rw-r--r-- | sys/alpha/conf/GENERIC | 1 | ||||
-rw-r--r-- | sys/amd64/conf/GENERIC | 1 | ||||
-rw-r--r-- | sys/conf/NOTES | 7 | ||||
-rw-r--r-- | sys/conf/files | 4 | ||||
-rw-r--r-- | sys/conf/options | 1 | ||||
-rw-r--r-- | sys/i386/conf/GENERIC | 1 | ||||
-rw-r--r-- | sys/ia64/conf/GENERIC | 1 | ||||
-rw-r--r-- | sys/ia64/conf/SKI | 1 | ||||
-rw-r--r-- | sys/modules/bridge/Makefile | 9 | ||||
-rw-r--r-- | sys/net/bridge.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_fastfwd.c | 14 | ||||
-rw-r--r-- | sys/netinet/ip_fw_pfil.c | 6 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 28 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 24 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 4 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 16 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 20 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 14 | ||||
-rw-r--r-- | sys/netinet6/ip6_var.h | 4 | ||||
-rw-r--r-- | sys/pc98/conf/GENERIC | 1 | ||||
-rw-r--r-- | sys/powerpc/conf/GENERIC | 1 | ||||
-rw-r--r-- | sys/sparc64/conf/GENERIC | 1 |
25 files changed, 58 insertions, 123 deletions
@@ -23,6 +23,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 6.x IS SLOW: developers choose to disable these features on build machines to maximize performance. +20040827: + PFIL_HOOKS are a fixed part of the network stack now and do not + need to be specified in the kernel configuration file anymore. + 20040819: Netgraph changed its message format slightly to align the data portion well on 64 bit machines. diff --git a/share/man/man4/ipfirewall.4 b/share/man/man4/ipfirewall.4 index 272ffc5..578a42a 100644 --- a/share/man/man4/ipfirewall.4 +++ b/share/man/man4/ipfirewall.4 @@ -46,8 +46,6 @@ logging enable .Xr divert 4 sockets -.It Dv PFIL_HOOKS -add packet filter hooks .El .Sh SEE ALSO .Xr setsockopt 2 , diff --git a/share/man/man9/pfil.9 b/share/man/man9/pfil.9 index 4d0cded..c0da628 100644 --- a/share/man/man9/pfil.9 +++ b/share/man/man9/pfil.9 @@ -122,12 +122,6 @@ The filter returns an error (errno) if the packet processing is to stop, or 0 if the processing is to continue. If the packet processing is to stop, it is the responsibility of the filter to free the packet. -.Pp -The -.Nm -interface is enabled in the kernel via the -.Dv PFIL_HOOKS -option. .Sh RETURN VALUES If successful, .Fn pfil_head_get diff --git a/sys/alpha/conf/GENERIC b/sys/alpha/conf/GENERIC index 1a649e9..f2714b9 100644 --- a/sys/alpha/conf/GENERIC +++ b/sys/alpha/conf/GENERIC @@ -69,7 +69,6 @@ options SYSVSHM #SYSV-style shared memory options SYSVMSG #SYSV-style message queues options SYSVSEM #SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions -options PFIL_HOOKS # pfil(9) framework # Debugging for use in -current options KDB #Enable kernel debugger support diff --git a/sys/amd64/conf/GENERIC b/sys/amd64/conf/GENERIC index f5c33c6..95afbc3 100644 --- a/sys/amd64/conf/GENERIC +++ b/sys/amd64/conf/GENERIC 
@@ -57,7 +57,6 @@ options AHC_REG_PRETTY_PRINT # Print register bitfields in debug # output. Adds ~128k to driver. options AHD_REG_PRETTY_PRINT # Print register bitfields in debug # output. Adds ~215k to driver. -options PFIL_HOOKS # pfil(9) framework options ADAPTIVE_GIANT # Giant mutex is adaptive. # Debugging for use in -current diff --git a/sys/conf/NOTES b/sys/conf/NOTES index bd54d47..c816a21 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -544,7 +544,6 @@ device musycc # LMC/SBE LMC1504 quad T1/E1 # The `pflog' device provides the pflog0 interface which logs packets. # The `pfsync' device provides the pfsync0 interface used for # synchronization of firewall state tables (over the net). -# Requires option PFIL_HOOKS # # The PPP_BSDCOMP option enables support for compress(1) style entire # packet compression, the PPP_DEFLATE is for zlib/gzip style compression. @@ -599,7 +598,6 @@ device stf #6to4 IPv6 over IPv4 encapsulation # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT # limits the number of times a matching entry can be logged. -# IPFIREWALL requires the option PFIL_HOOKS. # # WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any" # and if you do not add other rules during startup to allow access, @@ -622,10 +620,6 @@ device stf #6to4 IPv6 over IPv4 encapsulation # packets without touching the ttl). This can be useful to hide firewalls # from traceroute and similar tools. # -# PFIL_HOOKS enables an abstraction layer which is meant to be used in -# network code where filtering is required. See pfil(9). This option is -# required by the IPFILTER option and the PF device. -# # TCPDEBUG enables code which keeps traces of the TCP state machine # for sockets with the SO_DEBUG option set, which can then be examined # using the trpt(8) utility. 
@@ -645,7 +639,6 @@ options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding -options PFIL_HOOKS #required by IPFILTER options TCPDEBUG # The MBUF_STRESS_TEST option enables options which create diff --git a/sys/conf/files b/sys/conf/files index 4e7a497..32aa116 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -1264,8 +1264,8 @@ net/net_osdep.c standard net/netisr.c standard net/ppp_deflate.c optional ppp_deflate net/ppp_tty.c optional ppp -net/pfil.c optional pfil_hooks -net/pfil.c optional ipfilter +net/pfil.c optional ether +net/pfil.c optional inet net/radix.c standard net/raw_cb.c standard net/raw_usrreq.c standard diff --git a/sys/conf/options b/sys/conf/options index 8c16d05..d0d7990 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -344,7 +344,6 @@ DUMMYNET opt_ipdn.h IPFILTER opt_ipfilter.h IPFILTER_LOG opt_ipfilter.h IPFILTER_DEFAULT_BLOCK opt_ipfilter.h -PFIL_HOOKS opt_pfil_hooks.h IPFIREWALL opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h diff --git a/sys/i386/conf/GENERIC b/sys/i386/conf/GENERIC index 2cedebb..9e9051c 100644 --- a/sys/i386/conf/GENERIC +++ b/sys/i386/conf/GENERIC @@ -58,7 +58,6 @@ options AHC_REG_PRETTY_PRINT # Print register bitfields in debug # output. Adds ~128k to driver. options AHD_REG_PRETTY_PRINT # Print register bitfields in debug # output. Adds ~215k to driver. -options PFIL_HOOKS # pfil(9) framework options ADAPTIVE_GIANT # Giant mutex is adaptive. # Debugging for use in -current diff --git a/sys/ia64/conf/GENERIC b/sys/ia64/conf/GENERIC index 11d7d38..8a0f786 100644 --- a/sys/ia64/conf/GENERIC +++ b/sys/ia64/conf/GENERIC 
@@ -40,7 +40,6 @@ options MSDOSFS # MSDOS Filesystem options NFSCLIENT # Network Filesystem Client options NFSSERVER # Network Filesystem Server options NFS_ROOT # NFS usable as root device -options PFIL_HOOKS # pfil(9) framework options PROCFS # Process filesystem (/proc) options PSEUDOFS # Pseudo-filesystem framework options SCHED_ULE # ULE scheduler diff --git a/sys/ia64/conf/SKI b/sys/ia64/conf/SKI index ce805e9..f632a1f 100644 --- a/sys/ia64/conf/SKI +++ b/sys/ia64/conf/SKI @@ -35,7 +35,6 @@ options INET6 # IPv6 communications protocols options KDB # Enable kernel debugger support options KTRACE # ktrace(1) syscall trace support options MD_ROOT # MD usable as root device -options PFIL_HOOKS # pfil(9) framework options PROCFS # Process filesystem (/proc) options PSEUDOFS # Pseudo-filesystem framework options SCHED_ULE # ULE scheduler diff --git a/sys/modules/bridge/Makefile b/sys/modules/bridge/Makefile index 70f6b40..4842564 100644 --- a/sys/modules/bridge/Makefile +++ b/sys/modules/bridge/Makefile @@ -5,13 +5,4 @@ KMOD= bridge SRCS= bridge.c SRCS+= opt_pfil_hooks.h -# -# By default don't enable pfil hooks support. This means you -# cannot use ipfilter together with the bridge. To enable it -# uncomment the line below -# -opt_pfil_hooks.h: -# echo "#define PFIL_HOOKS 1" > opt_pfil_hooks.h - touch opt_pfil_hooks.h - .include <bsd.kmod.mk> diff --git a/sys/net/bridge.c b/sys/net/bridge.c index 59e5905..1d4472e 100644 --- a/sys/net/bridge.c +++ b/sys/net/bridge.c @@ -87,7 +87,6 @@ * - be very careful when bridging VLANs * - loop detection is still not very robust. */ -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/mbuf.h> 
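Review bot: `SRCS+= opt_pfil_hooks.h` is left in the bridge module Makefile while the rule that generated that header and the `#include "opt_pfil_hooks.h"` in bridge.c are both removed, and PFIL_HOOKS is dropped from sys/conf/options so nothing maps to that header any more. The line is dead at best; if bsd.kmod.mk does not synthesize empty opt_*.h files for a standalone module build it becomes a missing-target failure. Drop it so the Makefile reads `KMOD= bridge` / `SRCS= bridge.c`. The removed comment was also the only place that told users ipfilter-with-bridge needed a toggle, so a one-line note that hooks are now always compiled in would be worth keeping somewhere.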
@@ -105,16 +104,13 @@ #include <net/if_arp.h> /* for struct arpcom */ #include <net/if_types.h> #include <net/if_var.h> +#include <net/pfil.h> #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/in_var.h> #include <netinet/ip.h> - -#ifdef PFIL_HOOKS -#include <net/pfil.h> #include <netinet/ip_var.h> -#endif #include <net/route.h> #include <netinet/ip_fw.h> @@ -965,9 +961,7 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst) * and pkts already gone through a pipe. */ if (src != NULL && ( -#ifdef PFIL_HOOKS (inet_pfil_hook.ph_busy_count >= 0 && bdg_ipf != 0) || -#endif (IPFW_LOADED && bdg_ipfw != 0))) { int i; @@ -998,7 +992,6 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst) bcopy(eh, &save_eh, ETHER_HDR_LEN); /* local copy for restore */ m_adj(m0, ETHER_HDR_LEN); /* temporarily strip header */ -#ifdef PFIL_HOOKS /* * NetBSD-style generic packet filter, pfil(9), hooks. * Enables ipf(8) in bridging. @@ -1031,7 +1024,6 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst) ip->ip_off = htons(ip->ip_off); } } /* XXX: Prevent ipfw from being run twice. */ -#endif /* PFIL_HOOKS */ /* * Prepare arguments and call the firewall. diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c index bc7c359..9a441f0 100644 --- a/sys/netinet/ip_fastfwd.c +++ b/sys/netinet/ip_fastfwd.c @@ -77,7 +77,6 @@ #include "opt_ipfw.h" #include "opt_ipstealth.h" -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/systm.h> @@ -353,10 +352,13 @@ ip_fastforward(struct mbuf *m) ip->ip_off = ntohs(ip->ip_off); odest.s_addr = dest.s_addr = ip->ip_dst.s_addr; -#ifdef PFIL_HOOKS + /* * Run through list of ipfilter hooks for input packets */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passin; + if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) || m == NULL) return 1; 
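Review bot: The "hooks active" predicate is spelled two ways within this commit — `inet_pfil_hook.ph_busy_count == -1` in the new ip_fastfwd.c bypasses and `inet_pfil_hook.ph_busy_count >= 0` in bdg_forward() above — and the magic -1 is repeated verbatim at every new call site. A single helper in net/pfil.h, e.g. `#define PFIL_HOOKED(ph) ((ph)->ph_busy_count >= 0)`, would name the sentinel once and let each bypass read `if (!PFIL_HOOKED(&inet_pfil_hook)) goto passin;`, so a future change to how an empty head is represented touches one line. ip_fastforward() continues outside the hunk.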
@@ -388,8 +390,8 @@ ip_fastforward(struct mbuf *m) goto forwardlocal; } #endif /* IPFIREWALL_FORWARD */ -#endif /* PFIL_HOOKS */ +passin: /* * Step 4: decrement TTL and look up route */ @@ -429,10 +431,12 @@ ip_fastforward(struct mbuf *m) * Step 5: outgoing firewall packet processing */ -#ifdef PFIL_HOOKS /* * Run through list of hooks for output packets. */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passout; + if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT) || m == NULL) { goto consumed; } @@ -489,8 +493,8 @@ forwardlocal: return 1; /* icmp unreach already sent */ ifp = ro.ro_rt->rt_ifp; } -#endif /* PFIL_HOOKS */ +passout: /* * Step 6: send off the packet */ diff --git a/sys/netinet/ip_fw_pfil.c b/sys/netinet/ip_fw_pfil.c index 0f7d544..77ba4b6 100644 --- a/sys/netinet/ip_fw_pfil.c +++ b/sys/netinet/ip_fw_pfil.c @@ -30,15 +30,11 @@ #include "opt_ipfw.h" #include "opt_ipdn.h" #include "opt_ipdivert.h" -#include "opt_pfil_hooks.h" #include "opt_inet.h" #ifndef INET #error IPFIREWALL requires INET. #endif /* INET */ -#if !defined(PFIL_HOOKS) -#error IPFIREWALL requires PFIL_HOOKS. -#endif -#endif +#endif /* KLD_MODULE */ #include <sys/param.h> #include <sys/systm.h> diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 98e1185..4d8c813 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -35,7 +35,6 @@ #include "opt_ipstealth.h" #include "opt_ipsec.h" #include "opt_mac.h" -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/systm.h> @@ -156,9 +155,8 @@ SYSCTL_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW, #ifdef DIAGNOSTIC static int ipprintfs = 0; #endif -#ifdef PFIL_HOOKS -struct pfil_head inet_pfil_hook; -#endif + +struct pfil_head inet_pfil_hook; /* Packet filter hooks */ static struct ifqueue ipintrq; static int ipqmaxlen = IFQ_MAXLEN; 
@@ -264,13 +262,12 @@ ip_init() pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) ip_protox[pr->pr_protocol] = pr - inetsw; -#ifdef PFIL_HOOKS + /* Initialize packet filter hooks. */ inet_pfil_hook.ph_type = PFIL_TYPE_AF; inet_pfil_hook.ph_af = AF_INET; if ((i = pfil_head_register(&inet_pfil_hook)) != 0) printf("%s: WARNING: unable to register pfil hook, " "error %d\n", __func__, i); -#endif /* PFIL_HOOKS */ IPQ_LOCK_INIT(); for (i = 0; i < IPREASS_NHASH; i++) @@ -298,9 +295,7 @@ ip_input(struct mbuf *m) int checkif, hlen = 0; u_short sum; int dchg = 0; /* dest changed after fw */ -#ifdef PFIL_HOOKS struct in_addr odst; /* original dst address */ -#endif #ifdef FAST_IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; @@ -414,17 +409,16 @@ tooshort: * Bypass packet filtering for packets from a tunnel (gif). */ if (ipsec_getnhist(m)) - goto pass; + goto passin; #endif #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) /* * Bypass packet filtering for packets from a tunnel (gif). */ if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) - goto pass; + goto passin; #endif -#ifdef PFIL_HOOKS /* * Run through list of hooks for input packets. * @@ -432,6 +426,11 @@ tooshort: * by NAT rewriting). When this happens, tell * ip_forward to do the right thing. */ + + /* Jump over all PFIL processing if hooks are not active. */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passin; + odst = ip->ip_dst; if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN) != 0) @@ -450,12 +449,7 @@ tooshort: dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL); #endif /* IPFIREWALL_FORWARD */ -#endif /* PFIL_HOOKS */ - -#if (defined(FAST_IPSEC) || defined(IPSEC)) && !defined(IPSEC_FILTERGIF) -pass: -#endif - +passin: /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 3576905..b392b99 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c 
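Review bot: The new bypass `if (inet_pfil_hook.ph_busy_count == -1) goto passin;` reads ph_busy_count without the pfil head lock, so a filter registered by pfil_add_hook() at the same instant can miss this packet, and the comment only says processing is skipped, not why that is safe. If pfil_run_hooks() on a head with no hooks is a no-op — which is presumably what makes the check a pure optimisation — say so: `/* Unlocked read: the worst case is one packet bypassing a hook registered concurrently, which pfil_run_hooks() on an empty head would have passed anyway. */`. The bypass is also inserted between the odst/NAT-rewrite explanation and the `odst = ip->ip_dst;` line it describes; placing it above that comment block keeps the explanation next to its code. ip_input() continues outside the hunk.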
@@ -33,7 +33,6 @@ #include "opt_ipfw.h" #include "opt_ipsec.h" #include "opt_mac.h" -#include "opt_pfil_hooks.h" #include "opt_mbuf_stress_test.h" #include <sys/param.h> @@ -49,6 +48,7 @@ #include <net/if.h> #include <net/netisr.h> +#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -58,9 +58,6 @@ #include <netinet/in_var.h> #include <netinet/ip_var.h> -#ifdef PFIL_HOOKS -#include <net/pfil.h> -#endif #include <machine/in_cksum.h> @@ -132,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, struct in_ifaddr *ia = NULL; int isbroadcast, sw_csum; struct route iproute; -#ifdef PFIL_HOOKS struct in_addr odst; -#endif #ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag = NULL; #endif @@ -187,9 +182,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, } dst = (struct sockaddr_in *)&ro->ro_dst; -#ifdef PFIL_HOOKS again: -#endif /* * If there is a cached route, * check that it is to the same destination @@ -665,10 +658,11 @@ skip_ipsec: spd_done: #endif /* FAST_IPSEC */ -#ifdef PFIL_HOOKS - /* - * Run through list of hooks for output packets. - */ + /* Jump over all PFIL processing if hooks are not active. */ + if (inet_pfil_hook.ph_busy_count == -1) + goto passout; + + /* Run through list of hooks for output packets. */ odst.s_addr = ip->ip_dst.s_addr; error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT); if (error != 0 || m == NULL) @@ -729,11 +723,7 @@ spd_done: } #endif -#endif /* PFIL_HOOKS */ - -#if 0 -pass: -#endif +passout: /* 127/8 must not appear on wire - RFC1122. */ if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index f557225..46bd596 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h 
@@ -192,9 +192,7 @@ extern int (*ip_rsvp_vif)(struct socket *, struct sockopt *); extern void (*ip_rsvp_force_done)(struct socket *); extern void (*rsvp_input_p)(struct mbuf *m, int off); -#ifdef PFIL_HOOKS -extern struct pfil_head inet_pfil_hook; -#endif +extern struct pfil_head inet_pfil_hook; /* packet filter hooks */ void in_delayed_cksum(struct mbuf *m); diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 689404b..94206ab 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -34,7 +34,6 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/systm.h> @@ -50,9 +49,7 @@ #include <net/if.h> #include <net/route.h> -#ifdef PFIL_HOOKS #include <net/pfil.h> -#endif #include <netinet/in.h> #include <netinet/in_var.h> @@ -578,18 +575,19 @@ ip6_forward(m, srcrt) in6_clearscope(&ip6->ip6_src); in6_clearscope(&ip6->ip6_dst); -#ifdef PFIL_HOOKS - /* - * Run through list of hooks for output packets. - */ + /* Jump over all PFIL processing if hooks are not active. */ + if (inet6_pfil_hook.ph_busy_count == -1) + goto pass; + + /* Run through list of hooks for output packets. */ error = pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT); if (error != 0) goto senderr; if (m == NULL) goto freecopy; ip6 = mtod(m, struct ip6_hdr *); -#endif /* PFIL_HOOKS */ +pass: error = nd6_output(rt->rt_ifp, origifp, m, dst, rt); if (error) { in6_ifstat_inc(rt->rt_ifp, ifs6_out_discard); @@ -605,9 +603,7 @@ ip6_forward(m, srcrt) } } -#ifdef PFIL_HOOKS senderr: -#endif if (mcopy == NULL) return; switch (error) { diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index e11cef1..e5bb0c3 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -65,7 +65,6 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/systm.h> 
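Review bot: The bypass label in ip6_forward() is named `pass` while the same construct is named `passin`/`passout` in ip_input.c, ip_output.c, ip6_input.c and ip6_output.c in this commit; since this is the PFIL_OUT hook, `passout:` would make all five sites read alike. Renaming touches two lines, `goto passout;` and `passout:`. The `senderr:` label is now unconditional and is still reached only from the hook error path above, so it remains justified. ip6_forward() continues outside the hunk.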
@@ -86,9 +85,7 @@ #include <net/if_dl.h> #include <net/route.h> #include <net/netisr.h> -#ifdef PFIL_HOOKS #include <net/pfil.h> -#endif #include <netinet/in.h> #include <netinet/in_systm.h> @@ -139,9 +136,7 @@ int ip6_sourcecheck_interval; /* XXX */ int ip6_ours_check_algorithm; -#ifdef PFIL_HOOKS struct pfil_head inet6_pfil_hook; -#endif /* firewall hooks */ ip6_fw_chk_t *ip6_fw_chk_ptr; @@ -181,13 +176,14 @@ ip6_init() if (pr->pr_domain->dom_family == PF_INET6 && pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) ip6_protox[pr->pr_protocol] = pr - inet6sw; -#ifdef PFIL_HOOKS + + /* Initialize packet filter hooks. */ inet6_pfil_hook.ph_type = PFIL_TYPE_AF; inet6_pfil_hook.ph_af = AF_INET6; if ((i = pfil_head_register(&inet6_pfil_hook)) != 0) printf("%s: WARNING: unable to register pfil hook, " "error %d\n", __func__, i); -#endif /* PFIL_HOOKS */ + ip6intrq.ifq_maxlen = ip6qmaxlen; mtx_init(&ip6intrq.ifq_mtx, "ip6_inq", NULL, MTX_DEF); netisr_register(NETISR_IPV6, ip6_input, &ip6intrq, 0); @@ -233,9 +229,7 @@ ip6_input(m) struct ifnet *deliverifp = NULL; struct sockaddr_in6 sa6; u_int32_t srczone, dstzone; -#ifdef PFIL_HOOKS struct in6_addr odst; -#endif int srcrt = 0; GIANT_REQUIRED; /* XXX for now */ @@ -417,7 +411,6 @@ ip6_input(m) } } -#ifdef PFIL_HOOKS /* * Run through list of hooks for input packets. * @@ -426,14 +419,19 @@ ip6_input(m) * tell ip6_forward to do the right thing. */ odst = ip6->ip6_dst; + + /* Jump over all PFIL processing if hooks are not active. */ + if (inet6_pfil_hook.ph_busy_count == -1) + goto passin; + if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN)) return; if (m == NULL) /* consumed by filter */ return; ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); -#endif /* PFIL_HOOKS */ +passin: /* * Check with the firewall... */ diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index f5c3559..bdee8fe 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c 
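Review bot: `odst = ip6->ip6_dst;` is assigned before the new `ph_busy_count == -1` bypass, whereas ip_input.c assigns odst only after the equivalent check; the copy is harmless when hooks are inactive (srcrt stays 0) but it is wasted work and leaves the IPv4 and IPv6 paths differing for no reason. Move the bypass above the assignment so the hunk reads `if (inet6_pfil_hook.ph_busy_count == -1) goto passin;` followed by `odst = ip6->ip6_dst;`. ip6_input() continues outside the hunk.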
@@ -65,7 +65,6 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" -#include "opt_pfil_hooks.h" #include <sys/param.h> #include <sys/malloc.h> @@ -80,9 +79,7 @@ #include <net/if.h> #include <net/route.h> -#ifdef PFIL_HOOKS #include <net/pfil.h> -#endif #include <netinet/in.h> #include <netinet/in_var.h> @@ -936,16 +933,17 @@ skip_ipsec2:; m->m_pkthdr.rcvif = NULL; } -#ifdef PFIL_HOOKS - /* - * Run through list of hooks for output packets. - */ + /* Jump over all PFIL processing if hooks are not active. */ + if (inet6_pfil_hook.ph_busy_count == -1) + goto passout; + + /* Run through list of hooks for output packets. */ error = pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT); if (error != 0 || m == NULL) goto done; ip6 = mtod(m, struct ip6_hdr *); -#endif /* PFIL_HOOKS */ +passout: /* * Send the packet to the outgoing interface. * If necessary, do IPv6 fragmentation before sending. diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index 36bf36d..2841b63 100644 --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -318,9 +318,7 @@ extern int ip6_use_tempaddr; /* whether to use temporary addresses. */ extern int ip6_prefer_tempaddr; /* whether to prefer temporary addresses in the source address selection */ -#ifdef PFIL_HOOKS -extern struct pfil_head inet6_pfil_hook; -#endif +extern struct pfil_head inet6_pfil_hook; /* packet filter hooks */ extern struct pr_usrreqs rip6_usrreqs; struct sockopt; diff --git a/sys/pc98/conf/GENERIC b/sys/pc98/conf/GENERIC index a631d09..9541575 100644 --- a/sys/pc98/conf/GENERIC +++ b/sys/pc98/conf/GENERIC @@ -59,7 +59,6 @@ options SYSVMSG # SYSV-style message queues options SYSVSEM # SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions options KBD_INSTALL_CDEV # install a CDEV entry in /dev -options PFIL_HOOKS # pfil(9) framework # Debugging for use in -current options KDB # Enable kernel debugger support. 
diff --git a/sys/powerpc/conf/GENERIC b/sys/powerpc/conf/GENERIC index 35eec94..ad88985 100644 --- a/sys/powerpc/conf/GENERIC +++ b/sys/powerpc/conf/GENERIC @@ -56,7 +56,6 @@ options SYSVSHM #SYSV-style shared memory options SYSVMSG #SYSV-style message queues options SYSVSEM #SYSV-style semaphores #options _KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions -options PFIL_HOOKS # pfil(9) framework # Debugging for use in -current options KDB #Enable the kernel debugger diff --git a/sys/sparc64/conf/GENERIC b/sys/sparc64/conf/GENERIC index 0da03bc..51651c5 100644 --- a/sys/sparc64/conf/GENERIC +++ b/sys/sparc64/conf/GENERIC @@ -56,7 +56,6 @@ options SYSVSHM # SYSV-style shared memory options SYSVMSG # SYSV-style message queues options SYSVSEM # SYSV-style semaphores options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions -options PFIL_HOOKS # pfil(9) framework # Debugging for use in -current options KDB # Enable kernel debugger support. |