diff options
-rw-r--r-- | UPDATING | 5 | ||||
-rw-r--r-- | sbin/ipfw/ipfw.8 | 8 | ||||
-rw-r--r-- | sys/net/pfil.c | 6 | ||||
-rw-r--r-- | sys/net/pfil.h | 3 | ||||
-rw-r--r-- | sys/netinet/ip_fastfwd.c | 3 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 23 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 8 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 1 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 5 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 4 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 7 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 5 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 7 | ||||
-rw-r--r-- | sys/netinet6/ip6_var.h | 2 | ||||
-rw-r--r-- | sys/netinet6/udp6_usrreq.c | 4 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw2.c | 2 | ||||
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_pfil.c | 4 |
17 files changed, 38 insertions, 59 deletions
@@ -24,10 +24,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10.x IS SLOW: disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) -20121025: +20121102: The IPFIREWALL_FORWARD kernel option has been removed. Its - functionality now can be turned on using the net.pfil.forward - sysctl variable. + functionality now turned on by default. 20121023: The ZERO_COPY_SOCKET kernel option has been removed and diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 5542ddc..db0dfc0 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -774,14 +774,6 @@ This makes the .Xr netstat 1 entry look rather weird but is intended for use with transparent proxy servers. -.Pp -To enable -.Cm fwd -the -.Xr sysctl 8 -variable -.Va net.pfil.forward -should be set to 1. .It Cm nat Ar nat_nr | tablearg Pass packet to a nat instance diff --git a/sys/net/pfil.c b/sys/net/pfil.c index 8d36999..06da0be 100644 --- a/sys/net/pfil.c +++ b/sys/net/pfil.c @@ -37,7 +37,6 @@ #include <sys/rmlock.h> #include <sys/socket.h> #include <sys/socketvar.h> -#include <sys/sysctl.h> #include <sys/systm.h> #include <sys/condvar.h> #include <sys/lock.h> @@ -65,11 +64,6 @@ VNET_DEFINE(struct pfilheadhead, pfil_head_list); VNET_DEFINE(struct rmlock, pfil_lock); #define V_pfil_lock VNET(pfil_lock) -VNET_DEFINE(int, pfilforward) = 0; -SYSCTL_NODE(_net, OID_AUTO, pfil, CTLFLAG_RW, 0, "Packer filter interface"); -SYSCTL_VNET_INT(_net_pfil, OID_AUTO, forward, CTLFLAG_RW, - &VNET_NAME(pfilforward), 0, - "Enable forwarding performed by packet filters"); /* * pfil_run_hooks() runs the specified packet filter hooks. */ diff --git a/sys/net/pfil.h b/sys/net/pfil.h index 9c45f10..fabfe9a 100644 --- a/sys/net/pfil.h +++ b/sys/net/pfil.h @@ -38,14 +38,11 @@ #include <sys/_mutex.h> #include <sys/lock.h> #include <sys/rmlock.h> -#include <net/vnet.h> struct mbuf; struct ifnet; struct inpcb; -VNET_DECLARE(int, pfilforward); -#define V_pfilforward VNET(pfilforward) /* * The packet filter hooks are designed for anything to call them to * possibly intercept the packet. diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c index 2ef163b..3a228ca 100644 --- a/sys/netinet/ip_fastfwd.c +++ b/sys/netinet/ip_fastfwd.c @@ -446,7 +446,7 @@ passin: /* * Destination address changed? */ - if (V_pfilforward != 0) + if (m->m_flags & M_IP_NEXTHOP) fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); if (odest.s_addr != dest.s_addr || fwd_tag != NULL) { /* @@ -469,6 +469,7 @@ forwardlocal: dest.s_addr = ((struct sockaddr_in *) (fwd_tag + 1))->sin_addr.s_addr; m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } RTFREE(ro.ro_rt); if ((dst = ip_findroute(&ro, dest, m)) == NULL) diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index e0e98a2..033c03d 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -509,23 +509,22 @@ tooshort: dchg = (odst.s_addr != ip->ip_dst.s_addr); ifp = m->m_pkthdr.rcvif; - if (V_pfilforward == 0) - goto passin; - if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; goto ours; } - if ((dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL)) != 0) { - /* - * Directly ship the packet on. This allows forwarding - * packets originally destined to us to some other directly - * connected host. - */ - ip_forward(m, dchg); - return; + if (m->m_flags & M_IP_NEXTHOP) { + dchg = (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL); + if (dchg != 0) { + /* + * Directly ship the packet on. This allows + * forwarding packets originally destined to us + * to some other directly connected host. + */ + ip_forward(m, 1); + return; + } } - passin: /* diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 96faf47..40785bb 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -537,9 +537,6 @@ sendit: } } - if (V_pfilforward == 0) - goto passout; - /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -560,11 +557,12 @@ sendit: goto done; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP_NEXTHOP; m_tag_delete(m, fwd_tag); if (ia != NULL) ifa_free(&ia->ia_ifa); diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h index 6b2f86e..cc3eff8 100644 --- a/sys/netinet/ip_var.h +++ b/sys/netinet/ip_var.h @@ -163,6 +163,7 @@ void kmod_ipstat_dec(int statnum); * mbuf flag used by ip_fastfwd */ #define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */ +#define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */ #ifdef __NO_STRICT_ALIGNMENT #define IP_HDR_ALIGNED_P(ip) 1 diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index ba642a6..a89257e 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -75,7 +75,6 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> -#include <net/pfil.h> #include <net/route.h> #include <net/vnet.h> @@ -781,7 +780,7 @@ findpcb: /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - if (V_pfilforward != 0) + if (m->m_flags & M_IP_NEXTHOP) fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); #ifdef INET6 @@ -810,6 +809,7 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else if (isipv6) { inp = in6_pcblookup_mbuf(&V_tcbinfo, &ip6->ip6_src, th->th_sport, &ip6->ip6_dst, th->th_dport, @@ -846,6 +846,7 @@ findpcb: } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else inp = in_pcblookup_mbuf(&V_tcbinfo, ip->ip_src, th->th_sport, ip->ip_dst, th->th_dport, diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index cd08468..45e2693 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$"); #include <vm/uma.h> #include <net/if.h> -#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -549,7 +548,7 @@ udp_input(struct mbuf *m, int off) /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - if (V_pfilforward != 0 && + if ((m->m_flags & M_IP_NEXTHOP) && (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in *next_hop; @@ -575,6 +574,7 @@ udp_input(struct mbuf *m, int off) } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP_NEXTHOP; } else inp = in_pcblookup_mbuf(&V_udbinfo, ip->ip_src, uh->uh_sport, ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD | diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index c1ea400..6bdf55a 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -592,8 +592,6 @@ skip_routing: goto again; /* Redo the routing table lookup. */ } - if (V_pfilforward == 0) - goto pass; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -611,11 +609,12 @@ skip_routing: goto out; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP6_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in6 *)&rin6.ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP6_NEXTHOP; m_tag_delete(m, fwd_tag); goto again2; } diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index bbb6fdd..3b50143 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -628,15 +628,14 @@ ip6_input(struct mbuf *m) ip6 = mtod(m, struct ip6_hdr *); srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); - if (V_pfilforward == 0) - goto passin; if (m->m_flags & M_FASTFWD_OURS) { m->m_flags &= ~M_FASTFWD_OURS; ours = 1; deliverifp = m->m_pkthdr.rcvif; goto hbhcheck; } - if (m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { + if ((m->m_flags & M_IP6_NEXTHOP) && + m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) { /* * Directly ship the packet on. This allows forwarding * packets originally destined to us to some other directly diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index e7254a6..0d762e9 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -913,8 +913,6 @@ again: goto again; /* Redo the routing table lookup. */ } - if (V_pfilforward == 0) - goto passout; /* See if local, if yes, send it to netisr. */ if (m->m_flags & M_FASTFWD_OURS) { if (m->m_pkthdr.rcvif == NULL) @@ -932,11 +930,12 @@ again: goto done; } /* Or forward to some other address? */ - fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL); - if (fwd_tag) { + if ((m->m_flags & M_IP6_NEXTHOP) && + (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { dst = (struct sockaddr_in6 *)&ro->ro_dst; bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in6)); m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP6_NEXTHOP; m_tag_delete(m, fwd_tag); goto again; } diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index a725188..e4afc6f 100644 --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -285,6 +285,8 @@ struct ip6aux { #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */ #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */ +#define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */ + #ifdef __NO_STRICT_ALIGNMENT #define IP6_HDR_ALIGNED_P(ip) 1 #else diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index d7040c4..952905a 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -92,7 +92,6 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/if_types.h> -#include <net/pfil.h> #include <net/route.h> #include <netinet/in.h> @@ -396,7 +395,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto) /* * Grab info from PACKET_TAG_IPFORWARD tag prepended to the chain. */ - if (V_pfilforward != 0 && + if ((m->m_flags & M_IP6_NEXTHOP) && (fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL) { struct sockaddr_in6 *next_hop6; @@ -423,6 +422,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto) } /* Remove the tag from the packet. We don't need it anymore. */ m_tag_delete(m, fwd_tag); + m->m_flags &= ~M_IP6_NEXTHOP; } else inp = in6_pcblookup_mbuf(&V_udbinfo, &ip6->ip6_src, uh->uh_sport, &ip6->ip6_dst, uh->uh_dport, diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index 69d975b..01ef4e1 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -2535,7 +2535,6 @@ ipfw_init(void) "(+ipv6) " #endif "initialized, divert %s, nat %s, " - "rule-based forwarding turned %s, " "default to %s, logging ", #ifdef IPDIVERT "enabled", @@ -2547,7 +2546,6 @@ ipfw_init(void) #else "loadable", #endif - V_pfilforward ? "on": "off", default_to_accept ? "accept" : "deny"); /* diff --git a/sys/netpfil/ipfw/ip_fw_pfil.c b/sys/netpfil/ipfw/ip_fw_pfil.c index c34650d..5d6c1bd 100644 --- a/sys/netpfil/ipfw/ip_fw_pfil.c +++ b/sys/netpfil/ipfw/ip_fw_pfil.c @@ -159,8 +159,6 @@ again: /* next_hop may be set by ipfw_chk */ if (args.next_hop == NULL && args.next_hop6 == NULL) break; /* pass */ - if (V_pfilforward == 0) - break; #if (!defined(INET6) && !defined(INET)) ret = EACCES; #else @@ -201,6 +199,7 @@ again: bcopy(args.next_hop6, (fwd_tag+1), len); if (in6_localip(&args.next_hop6->sin6_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; + (*m0)->m_flags |= M_IP6_NEXTHOP; } #endif #ifdef INET @@ -208,6 +207,7 @@ again: bcopy(args.next_hop, (fwd_tag+1), len); if (in_localip(args.next_hop->sin_addr)) (*m0)->m_flags |= M_FASTFWD_OURS; + (*m0)->m_flags |= M_IP_NEXTHOP; } #endif m_tag_prepend(*m0, fwd_tag); |