Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if_bridge.c41
-rw-r--r--sys/net/if_ethersubr.c6
-rw-r--r--sys/net/pfil.c53
3 files changed, 72 insertions, 28 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index d3a55fd..8e0e6e1 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -109,6 +109,7 @@ __FBSDID("$FreeBSD$");
#include <net/if_types.h>
#include <net/if_var.h>
#include <net/pfil.h>
+#include <net/vnet.h>
#include <netinet/in.h> /* for struct arpcom */
#include <netinet/in_systm.h>
@@ -1800,9 +1801,9 @@ bridge_dummynet(struct mbuf *m, struct ifnet *ifp)
return;
}
- if (PFIL_HOOKED(&inet_pfil_hook)
+ if (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
- || PFIL_HOOKED(&inet6_pfil_hook)
+ || PFIL_HOOKED(&V_inet6_pfil_hook)
#endif
) {
if (bridge_pfil(&m, sc->sc_ifp, ifp, PFIL_OUT) != 0)
@@ -2062,9 +2063,9 @@ bridge_forward(struct bridge_softc *sc, struct bridge_iflist *sbif,
ETHER_BPF_MTAP(ifp, m);
/* run the packet filter */
- if (PFIL_HOOKED(&inet_pfil_hook)
+ if (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
- || PFIL_HOOKED(&inet6_pfil_hook)
+ || PFIL_HOOKED(&V_inet6_pfil_hook)
#endif
) {
BRIDGE_UNLOCK(sc);
@@ -2102,9 +2103,9 @@ bridge_forward(struct bridge_softc *sc, struct bridge_iflist *sbif,
BRIDGE_UNLOCK(sc);
- if (PFIL_HOOKED(&inet_pfil_hook)
+ if (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
- || PFIL_HOOKED(&inet6_pfil_hook)
+ || PFIL_HOOKED(&V_inet6_pfil_hook)
#endif
) {
if (bridge_pfil(&m, ifp, dst_if, PFIL_OUT) != 0)
@@ -2243,7 +2244,7 @@ bridge_input(struct ifnet *ifp, struct mbuf *m)
#ifdef INET6
# define OR_PFIL_HOOKED_INET6 \
- || PFIL_HOOKED(&inet6_pfil_hook)
+ || PFIL_HOOKED(&V_inet6_pfil_hook)
#else
# define OR_PFIL_HOOKED_INET6
#endif
@@ -2260,7 +2261,7 @@ bridge_input(struct ifnet *ifp, struct mbuf *m)
iface->if_ipackets++; \
/* Filter on the physical interface. */ \
if (pfil_local_phys && \
- (PFIL_HOOKED(&inet_pfil_hook) \
+ (PFIL_HOOKED(&V_inet_pfil_hook) \
OR_PFIL_HOOKED_INET6)) { \
if (bridge_pfil(&m, NULL, ifp, \
PFIL_IN) != 0 || m == NULL) { \
@@ -2349,9 +2350,9 @@ bridge_broadcast(struct bridge_softc *sc, struct ifnet *src_if,
}
/* Filter on the bridge interface before broadcasting */
- if (runfilt && (PFIL_HOOKED(&inet_pfil_hook)
+ if (runfilt && (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
- || PFIL_HOOKED(&inet6_pfil_hook)
+ || PFIL_HOOKED(&V_inet6_pfil_hook)
#endif
)) {
if (bridge_pfil(&m, sc->sc_ifp, NULL, PFIL_OUT) != 0)
@@ -2396,9 +2397,9 @@ bridge_broadcast(struct bridge_softc *sc, struct ifnet *src_if,
* pointer so we do not redundantly filter on the bridge for
* each interface we broadcast on.
*/
- if (runfilt && (PFIL_HOOKED(&inet_pfil_hook)
+ if (runfilt && (PFIL_HOOKED(&V_inet_pfil_hook)
#ifdef INET6
- || PFIL_HOOKED(&inet6_pfil_hook)
+ || PFIL_HOOKED(&V_inet6_pfil_hook)
#endif
)) {
if (used == 0) {
@@ -3037,7 +3038,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir)
goto bad;
}
- if (ip_fw_chk_ptr && pfil_ipfw != 0 && dir == PFIL_OUT && ifp != NULL) {
+ if (V_ip_fw_chk_ptr && pfil_ipfw != 0 && dir == PFIL_OUT && ifp != NULL) {
struct dn_pkt_tag *dn_tag;
error = -1;
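Review bot: `V_ip_fw_chk_ptr` is now per-vnet, but the `pfil_ipfw` knob it is ANDed with on the same line (and `pfil_bridge`/`pfil_member` in the two `ipfwpass:` hunks below) keep their un-prefixed names, so they are presumably still global sysctls shared by every vnet. That is a coherent state, but it means a jail with its own ipfw chain cannot enable or disable bridge-layer filtering independently of the host; if that is the intent, a comment at this first use such as `/* pfil_* knobs are global, not per-vnet; only the hooks and the ipfw chain are virtualized. */` would spare the next reader the question. bridge_pfil() begins and ends outside this hunk.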
@@ -3057,7 +3058,7 @@ bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir)
args.next_hop = NULL;
args.eh = &eh2;
args.inp = NULL; /* used by ipfw uid/gid/jail rules */
- i = ip_fw_chk_ptr(&args);
+ i = V_ip_fw_chk_ptr(&args);
*mp = args.m;
if (*mp == NULL)
@@ -3109,21 +3110,21 @@ ipfwpass:
* in_if -> bridge_if -> out_if
*/
if (pfil_bridge && dir == PFIL_OUT && bifp != NULL)
- error = pfil_run_hooks(&inet_pfil_hook, mp, bifp,
+ error = pfil_run_hooks(&V_inet_pfil_hook, mp, bifp,
dir, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (pfil_member && ifp != NULL)
- error = pfil_run_hooks(&inet_pfil_hook, mp, ifp,
+ error = pfil_run_hooks(&V_inet_pfil_hook, mp, ifp,
dir, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (pfil_bridge && dir == PFIL_IN && bifp != NULL)
- error = pfil_run_hooks(&inet_pfil_hook, mp, bifp,
+ error = pfil_run_hooks(&V_inet_pfil_hook, mp, bifp,
dir, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
@@ -3163,21 +3164,21 @@ ipfwpass:
#ifdef INET6
case ETHERTYPE_IPV6:
if (pfil_bridge && dir == PFIL_OUT && bifp != NULL)
- error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp,
+ error = pfil_run_hooks(&V_inet6_pfil_hook, mp, bifp,
dir, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (pfil_member && ifp != NULL)
- error = pfil_run_hooks(&inet6_pfil_hook, mp, ifp,
+ error = pfil_run_hooks(&V_inet6_pfil_hook, mp, ifp,
dir, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (pfil_bridge && dir == PFIL_IN && bifp != NULL)
- error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp,
+ error = pfil_run_hooks(&V_inet6_pfil_hook, mp, bifp,
dir, NULL);
break;
#endif
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index bac2044..5dff9bc 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -434,7 +434,7 @@ ether_output_frame(struct ifnet *ifp, struct mbuf *m)
{
#if defined(INET) || defined(INET6)
- if (ip_fw_chk_ptr && V_ether_ipfw != 0) {
+ if (V_ip_fw_chk_ptr && V_ether_ipfw != 0) {
if (ether_ipfw_chk(&m, ifp, 0) == 0) {
if (m) {
m_freem(m);
@@ -502,7 +502,7 @@ ether_ipfw_chk(struct mbuf **m0, struct ifnet *dst, int shared)
args.next_hop = NULL; /* we do not support forward yet */
args.eh = &save_eh; /* MAC header for bridged/MAC packets */
args.inp = NULL; /* used by ipfw uid/gid/jail rules */
- i = ip_fw_chk_ptr(&args);
+ i = V_ip_fw_chk_ptr(&args);
m = args.m;
if (m != NULL) {
/*
@@ -775,7 +775,7 @@ ether_demux(struct ifnet *ifp, struct mbuf *m)
* Allow dummynet and/or ipfw to claim the frame.
* Do not do this for PROMISC frames in case we are re-entered.
*/
- if (ip_fw_chk_ptr && V_ether_ipfw != 0 && !(m->m_flags & M_PROMISC)) {
+ if (V_ip_fw_chk_ptr && V_ether_ipfw != 0 && !(m->m_flags & M_PROMISC)) {
if (ether_ipfw_chk(&m, NULL, 0) == 0) {
if (m)
m_freem(m); /* dropped; free mbuf chain */
diff --git a/sys/net/pfil.c b/sys/net/pfil.c
index 3018eb9..76ed664 100644
--- a/sys/net/pfil.c
+++ b/sys/net/pfil.c
@@ -56,8 +56,9 @@ static int pfil_list_add(pfil_list_t *, struct packet_filter_hook *, int);
static int pfil_list_remove(pfil_list_t *,
int (*)(void *, struct mbuf **, struct ifnet *, int, struct inpcb *), void *);
-LIST_HEAD(, pfil_head) pfil_head_list =
- LIST_HEAD_INITIALIZER(&pfil_head_list);
+LIST_HEAD(pfilheadhead, pfil_head);
+VNET_DEFINE(struct pfilheadhead, pfil_head_list);
+#define V_pfil_head_list VNET(pfil_head_list)
/*
* pfil_run_hooks() runs the specified packet filter hooks.
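Review bot: `V_pfil_head_list` loses the static `LIST_HEAD_INITIALIZER` the old global carried, so in each vnet it is only valid after vnet_pfil_init() has run; a pfil_head_register() reached earlier in a new vnet's start-up sequence would walk an uninitialized list head. The VNET_SYSINIT ordering added at the bottom of this file is what provides that guarantee, so it is worth stating at the definition: `/* Initialized per-vnet by vnet_pfil_init(); must run before any pfil_head_register(). */`. Note also that PFIL_LIST_LOCK() is untouched by this change and so is presumably still one lock shared across all vnets, which is fine for correctness but should not be mistaken for per-vnet locking.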
@@ -97,7 +98,7 @@ pfil_head_register(struct pfil_head *ph)
struct pfil_head *lph;
PFIL_LIST_LOCK();
- LIST_FOREACH(lph, &pfil_head_list, ph_list) {
+ LIST_FOREACH(lph, &V_pfil_head_list, ph_list) {
if (ph->ph_type == lph->ph_type &&
ph->ph_un.phu_val == lph->ph_un.phu_val) {
PFIL_LIST_UNLOCK();
@@ -108,7 +109,7 @@ pfil_head_register(struct pfil_head *ph)
ph->ph_nhooks = 0;
TAILQ_INIT(&ph->ph_in);
TAILQ_INIT(&ph->ph_out);
- LIST_INSERT_HEAD(&pfil_head_list, ph, ph_list);
+ LIST_INSERT_HEAD(&V_pfil_head_list, ph, ph_list);
PFIL_LIST_UNLOCK();
return (0);
}
@@ -143,7 +144,7 @@ pfil_head_get(int type, u_long val)
struct pfil_head *ph;
PFIL_LIST_LOCK();
- LIST_FOREACH(ph, &pfil_head_list, ph_list)
+ LIST_FOREACH(ph, &V_pfil_head_list, ph_list)
if (ph->ph_type == type && ph->ph_un.phu_val == val)
break;
PFIL_LIST_UNLOCK();
@@ -284,3 +285,45 @@ pfil_list_remove(pfil_list_t *list,
}
return ENOENT;
}
+
+/****************
+ * Stuff that must be initialized for every instance
+ * (including the first of course).
+ */
+static int
+vnet_pfil_init(const void *unused)
+{
+ LIST_INIT(&V_pfil_head_list);
+ return (0);
+}
+
+/***********************
+ * Called for the removal of each instance.
+ */
+static int
+vnet_pfil_uninit(const void *unused)
+{
+ /* XXX should panic if list is not empty */
+ return 0;
+}
+
+/* Define startup order. */
+#define PFIL_SYSINIT_ORDER SI_SUB_PROTO_BEGIN
+#define PFIL_MODEVENT_ORDER (SI_ORDER_FIRST) /* On boot slot in here. */
+#define PFIL_VNET_ORDER (PFIL_MODEVENT_ORDER + 2) /* Later still. */
+
+/*
+ * Starting up.
+ * VNET_SYSINIT is called for each existing vnet and each new vnet.
+ */
+VNET_SYSINIT(vnet_pfil_init, PFIL_SYSINIT_ORDER, PFIL_VNET_ORDER,
+ vnet_pfil_init, NULL);
+
+/*
+ * Closing up shop. These are done in REVERSE ORDER,
+ * Not called on reboot.
+ * VNET_SYSUNINIT is called for each exiting vnet as it exits.
+ */
+VNET_SYSUNINIT(vnet_pfil_uninit, PFIL_SYSINIT_ORDER, PFIL_VNET_ORDER,
+ vnet_pfil_uninit, NULL);
+
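Review bot: vnet_pfil_uninit() returns 0 without inspecting `V_pfil_head_list`, leaving the `XXX should panic if list is not empty` as a comment only; a pfil_head still registered when its vnet is torn down keeps a ph_list link into the vnet's released storage, and a later lookup or unregister through that head is a use-after-free that nothing here would catch. A KASSERT makes the contract enforceable on INVARIANTS kernels without changing production behaviour: `KASSERT(LIST_EMPTY(&V_pfil_head_list), ("%s: pfil_head_list not empty", __func__));`. Minor style points in the same hunk: `return 0;` in vnet_pfil_uninit() differs from the `return (0);` used in vnet_pfil_init() and the rest of the file, and both handlers' `unused` parameter could be marked `__unused` to keep -Wunused-parameter quiet.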