From 1c777cb93202829df49895d99888ea6735220c39 Mon Sep 17 00:00:00 2001
From: cy
Date: Thu, 29 May 2014 02:55:07 +0000
Subject: MFC r264235: Implement the final missing sysctls by moving ipf_auth_softc_t from ip_auth.c to ip_auth.h. ip_frag_soft_t moves from ip_frag.c to ip_frag.h. mlfk_ipl.c creates sysctl MIBs that reference control blocks that are dynamically created when IP Filter is loaded. This necessitated creating them on-the-fly rather than statically at compile time.
Approved by: glebius (mentor)
---
 sys/contrib/ipfilter/netinet/ip_auth.c | 27 --------
 sys/contrib/ipfilter/netinet/ip_auth.h | 18 +++++
 sys/contrib/ipfilter/netinet/ip_frag.c | 21 ------
 sys/contrib/ipfilter/netinet/ip_frag.h | 20 ++++++
 sys/contrib/ipfilter/netinet/mlfk_ipl.c | 118 +++++++++++++++++++++-----------
 5 files changed, 117 insertions(+), 87 deletions(-)
(limited to 'sys/contrib/ipfilter/netinet')
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c
index 5a2ebec..8624c3b 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@@ -131,33 +131,6 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 
 
-
-typedef struct ipf_auth_softc_s {
-#if SOLARIS && defined(_KERNEL)
- kcondvar_t ipf_auth_wait;
-#endif /* SOLARIS */
-#if defined(linux) && defined(_KERNEL)
- wait_queue_head_t ipf_auth_next_linux;
-#endif
- ipfrwlock_t ipf_authlk;
- ipfmutex_t ipf_auth_mx;
- int ipf_auth_size;
- int ipf_auth_used;
- int ipf_auth_replies;
- int ipf_auth_defaultage;
- int ipf_auth_lock;
- ipf_authstat_t ipf_auth_stats;
- frauth_t *ipf_auth;
- mb_t **ipf_auth_pkts;
- int ipf_auth_start;
- int ipf_auth_end;
- int ipf_auth_next;
- frauthent_t *ipf_auth_entries;
- frentry_t *ipf_auth_ip;
- frentry_t *ipf_auth_rules;
-} ipf_auth_softc_t;
-
-
 static void ipf_auth_deref __P((frauthent_t **));
 static void ipf_auth_deref_unlocked __P((ipf_auth_softc_t *, frauthent_t **));
 static int ipf_auth_geniter __P((ipf_main_softc_t *, ipftoken_t *,
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h
index 914f999..81e166a 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.h
+++ b/sys/contrib/ipfilter/netinet/ip_auth.h
@@ -49,6 +49,24 @@ typedef struct ipf_authstat {
 frauthent_t *fas_faelist;
 } ipf_authstat_t;
 
+typedef struct ipf_auth_softc_s {
+ ipfrwlock_t ipf_authlk;
+ ipfmutex_t ipf_auth_mx;
+ int ipf_auth_size;
+ int ipf_auth_used;
+ int ipf_auth_replies;
+ int ipf_auth_defaultage;
+ int ipf_auth_lock;
+ ipf_authstat_t ipf_auth_stats;
+ frauth_t *ipf_auth;
+ mb_t **ipf_auth_pkts;
+ int ipf_auth_start;
+ int ipf_auth_end;
+ int ipf_auth_next;
+ frauthent_t *ipf_auth_entries;
+ frentry_t *ipf_auth_ip;
+ frentry_t *ipf_auth_rules;
+} ipf_auth_softc_t;
 
 extern frentry_t *ipf_auth_check __P((fr_info_t *, u_32_t *));
 extern void ipf_auth_expire __P((ipf_main_softc_t *));
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c
index 87e5b7b..fd4ff24 100644
--- a/sys/contrib/ipfilter/netinet/ip_frag.c
+++ b/sys/contrib/ipfilter/netinet/ip_frag.c
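Review bot: The `ipf_auth_softc_s` definition added to ip_auth.h omits two members the removed ip_auth.c definition had, `kcondvar_t ipf_auth_wait` under `SOLARIS && defined(_KERNEL)` and `wait_queue_head_t ipf_auth_next_linux` under `linux && defined(_KERNEL)`. On FreeBSD that changes nothing, but ip_auth.c is shared upstream source, so any remaining use of those fields on those platforms now fails to compile; either keep the two `#if` blocks in the header or state in the commit why they were dropped. Since the struct is now a public type, a one-line comment above the typedef, e.g. `/* Per-instance state of the auth subsystem; formerly private to ip_auth.c. */`, would also help readers of the header.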
@@ -91,27 +91,6 @@ static const char rcsid[] = "@(#)$FreeBSD$";
 #endif
 
 
-typedef struct ipf_frag_softc_s {
- ipfrwlock_t ipfr_ipidfrag;
- ipfrwlock_t ipfr_frag;
- ipfrwlock_t ipfr_natfrag;
- int ipfr_size;
- int ipfr_ttl;
- int ipfr_lock;
- int ipfr_inited;
- ipfr_t *ipfr_list;
- ipfr_t **ipfr_tail;
- ipfr_t *ipfr_natlist;
- ipfr_t **ipfr_nattail;
- ipfr_t *ipfr_ipidlist;
- ipfr_t **ipfr_ipidtail;
- ipfr_t **ipfr_heads;
- ipfr_t **ipfr_nattab;
- ipfr_t **ipfr_ipidtab;
- ipfrstat_t ipfr_stats;
-} ipf_frag_softc_t;
-
-
 #ifdef USE_MUTEXES
 static ipfr_t *ipfr_frag_new __P((ipf_main_softc_t *, ipf_frag_softc_t *,
 fr_info_t *, u_32_t, ipfr_t **,
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.h b/sys/contrib/ipfilter/netinet/ip_frag.h
index 6b0c1be..baa767d 100644
--- a/sys/contrib/ipfilter/netinet/ip_frag.h
+++ b/sys/contrib/ipfilter/netinet/ip_frag.h
@@ -70,6 +70,26 @@ typedef struct ipfrstat {
 struct ipfr **ifs_nattab;
 } ipfrstat_t;
 
+typedef struct ipf_frag_softc_s {
+ ipfrwlock_t ipfr_ipidfrag;
+ ipfrwlock_t ipfr_frag;
+ ipfrwlock_t ipfr_natfrag;
+ int ipfr_size;
+ int ipfr_ttl;
+ int ipfr_lock;
+ int ipfr_inited;
+ ipfr_t *ipfr_list;
+ ipfr_t **ipfr_tail;
+ ipfr_t *ipfr_natlist;
+ ipfr_t **ipfr_nattail;
+ ipfr_t *ipfr_ipidlist;
+ ipfr_t **ipfr_ipidtail;
+ ipfr_t **ipfr_heads;
+ ipfr_t **ipfr_nattab;
+ ipfr_t **ipfr_ipidtab;
+ ipfrstat_t ipfr_stats;
+} ipf_frag_softc_t;
+
 
 #define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_pass) - \
 offsetof(ipfr_t, ipfr_ifp))
diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c
index af83007..83a9189 100644
--- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c
+++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c
@@ -44,6 +44,8 @@ static dev_t ipf_devs[IPL_LOGSIZE];
 static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS );
 static int ipf_modload(void);
 static int ipf_modunload(void);
+static int ipf_fbsd_sysctl_create(ipf_main_softc_t*);
+static int ipf_fbsd_sysctl_destroy(ipf_main_softc_t*);
 
 #if (__FreeBSD_version >= 500024)
 # if (__FreeBSD_version >= 502116)
@@ -70,59 +72,36 @@ SYSCTL_DECL(_net_inet);
 #define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \
 SYSCTL_OID(parent, nbr, name, CTLTYPE_INT|access, \
 ptr, val, sysctl_ipf_int, "I", descr);
+#define SYSCTL_DYN_IPF(parent, nbr, name, access,ptr, val, descr) \
+ SYSCTL_ADD_OID(&ipf_clist, SYSCTL_STATIC_CHILDREN(parent), nbr, name, \
+ CTLFLAG_DYN|CTLTYPE_INT|access, ptr, val, sysctl_ipf_int, "I", descr)
+static struct sysctl_ctx_list ipf_clist;
 #define CTLFLAG_OFF 0x00800000 /* IPFilter must be disabled */
 #define CTLFLAG_RWO (CTLFLAG_RW|CTLFLAG_OFF)
 SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipfmain.ipf_flags, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipfmain.ipf_pass, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipfmain.ipf_active, 0, "");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &ipfmain.ipf_flags, 0, "IPF flags");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_pass, CTLFLAG_RW, &ipfmain.ipf_pass, 0, "default pass/block");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &ipfmain.ipf_active, 0, "IPF is active");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RWO,
- &ipfmain.ipf_tcpidletimeout, 0, "");
+ &ipfmain.ipf_tcpidletimeout, 0, "TCP idle timeout in seconds");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RWO,
- &ipfmain.ipf_tcphalfclosed, 0, "");
+ &ipfmain.ipf_tcphalfclosed, 0, "timeout for half closed TCP sessions");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosewait, CTLFLAG_RWO,
- &ipfmain.ipf_tcpclosewait, 0, "");
+ &ipfmain.ipf_tcpclosewait, 0, "timeout for TCP sessions in closewait status");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcplastack, CTLFLAG_RWO,
- &ipfmain.ipf_tcplastack, 0, "");
+ &ipfmain.ipf_tcplastack, 0, "timeout for TCP sessions in last ack status");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcptimeout, CTLFLAG_RWO,
 &ipfmain.ipf_tcptimeout, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_tcpclosed, CTLFLAG_RWO,
 &ipfmain.ipf_tcpclosed, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO,
- &ipfmain.ipf_udptimeout, 0, "");
+ &ipfmain.ipf_udptimeout, 0, "UDP timeout");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO,
 &ipfmain.ipf_udpacktimeout, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO,
- &ipfmain.ipf_icmptimeout, 0, "");
-#if 0
-/* this needs to be resolved at compile time */
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO,
- &((ipf_nat_softc_t *)ipfmain.ipf_nat_soft)->ipf_nat_defage, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW,
- &ipf_ipfrttl, 0, "");
-#endif
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_running, CTLFLAG_RD,
- &ipfmain.ipf_running, 0, "");
-#if 0
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO,
- &ipfmain.ipf_state_soft)->ipf_state_size, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statemax, CTLFLAG_RWO,
- &(ipfmain.ipf_state_soft)->ipf_state_max, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_nattable_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_table_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_natrules_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_maprules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_rdrrules_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_rdrrules_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, ipf_hostmap_sz, CTLFLAG_RWO,
- &(ipfmain.ipf_nat_soft)->ipf_nat_hostmap_sz, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RWO,
- &ipf_auth_size, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
- &ipf_auth_used, 0, "");
-SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
- &ipf_auth_defaultage, 0, "");
-#endif
+ &ipfmain.ipf_icmptimeout, 0, "ICMP timeout");
+SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD,
+ &ipfmain.ipf_running, 0, "IPF is running");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &ipfmain.ipf_chksrc, 0, "");
 SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &ipfmain.ipf_minttl, 0, "");
 
@@ -177,7 +156,6 @@ static struct cdevsw ipf_cdevsw = {
 static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME,
 IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL };
 
-
 static int
 ipfilter_modevent(module_t mod, int type, void *unused)
 {
@@ -212,6 +190,9 @@ ipf_modload()
 if (ipf_create_all(&ipfmain) == NULL)
 return EIO;
 
+ if (ipf_fbsd_sysctl_create(&ipfmain) != 0)
+ return EIO;
+
 error = ipfattach(&ipfmain);
 if (error)
 return error;
@@ -268,6 +249,9 @@ ipf_modunload()
 if (ipfmain.ipf_refcnt)
 return EBUSY;
 
+ if (ipf_fbsd_sysctl_destroy(&ipfmain) != 0)
+ return EIO;
+
 error = ipf_pfil_unhook();
 if (error != 0)
 return error;
@@ -277,6 +261,7 @@ ipf_modunload()
 if (error != 0)
 return error;
 
+ ipf_fbsd_sysctl_destroy(&ipfmain);
 ipf_destroy_all(&ipfmain);
 ipf_unload_all();
 } else
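Review bot: The `ipf_running` sysctl is renamed to `fr_running` in this hunk (the removed `SYSCTL_IPF(..., ipf_running, ...)` versus the added `SYSCTL_IPF(..., fr_running, ...)`), which silently breaks any monitoring or rc script that reads `net.inet.ipf.ipf_running`; if the rename is intended it belongs in the commit message, otherwise the old name should stay. `SYSCTL_DYN_IPF` is also defined three lines before the `ipf_clist` it expands to is declared; that is legal for a macro but reads backwards, so moving `static struct sysctl_ctx_list ipf_clist;` above the `#define` would help, and the macro's parameter list `access,ptr` is missing a space after the comma like the `SYSCTL_IPF` line above it has.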
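Review bot: `ipf_modunload()` now calls `ipf_fbsd_sysctl_destroy()` twice on the same path, once right after the `ipf_refcnt` check in the hunk at old line 268 and again just before `ipf_destroy_all()` in the hunk at old line 277, with the second return value discarded. As far as I know a successful `sysctl_ctx_free()` leaves the context list empty, so the second call is a no-op and keeping only one makes the teardown easier to follow. The early call also removes the MIBs before `ipf_pfil_unhook()` and the following call can still fail, which would leave the module loaded without its dynamic sysctls; whichever call is kept must stay ahead of `ipf_destroy_all()`, since the OIDs point into the softcs that call frees. `ipf_modunload()` starts and ends outside these hunks, so I have not seen the surrounding branches.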
@@ -526,3 +511,58 @@ static int ipfwrite(dev, uio)
 return ipf_sync_write(&ipfmain, uio);
 return ENXIO;
 }
+
+static int
+ipf_fbsd_sysctl_create(main_softc)
+ ipf_main_softc_t *main_softc;
+{
+ ipf_nat_softc_t *nat_softc;
+ ipf_state_softc_t *state_softc;
+ ipf_auth_softc_t *auth_softc;
+ ipf_frag_softc_t *frag_softc;
+
+ nat_softc = main_softc->ipf_nat_soft;
+ state_softc = main_softc->ipf_state_soft;
+ auth_softc = main_softc->ipf_auth_soft;
+ frag_softc = main_softc->ipf_frag_soft;
+
+ sysctl_ctx_init(&ipf_clist);
+
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defnatage", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_defage, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_statesize", CTLFLAG_RWO,
+ &state_softc->ipf_state_size, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_statemax", CTLFLAG_RWO,
+ &state_softc->ipf_state_max, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_nattable_max", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_table_max, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_nattable_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_table_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_natrules_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_maprules_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_rdrrules_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_rdrrules_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "ipf_hostmap_sz", CTLFLAG_RWO,
+ &nat_softc->ipf_nat_hostmap_sz, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_authsize", CTLFLAG_RWO,
+ &auth_softc->ipf_auth_size, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_authused", CTLFLAG_RD,
+ &auth_softc->ipf_auth_used, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defaultauthage", CTLFLAG_RW,
+ &auth_softc->ipf_auth_defaultage, 0, "");
+ SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_ipfrttl", CTLFLAG_RW,
+ &frag_softc->ipfr_ttl, 0, "");
+ return 0;
+}
+
+static int
+ipf_fbsd_sysctl_destroy(main_softc)
+ ipf_main_softc_t *main_softc;
+{
+ if (sysctl_ctx_free(&ipf_clist)) {
+ printf("sysctl_ctx_free failed");
+ return(ENOTEMPTY);
+ }
+ return 0;
+}
+
--
cgit v1.1
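Review bot: `ipf_fbsd_sysctl_create()` ignores the return value of every `SYSCTL_DYN_IPF()` call and always returns 0, so the `!= 0` check `ipf_modload()` performs on it can never fire even though `SYSCTL_ADD_OID()` returns NULL when an OID cannot be created (a leaf name already in use, or allocation failure); a failed add then leaves that knob unreachable from sysctl(8) with no diagnostic. Checking each add and tearing the context down on failure, as sketched below, makes the existing error path real. In `ipf_fbsd_sysctl_destroy()` the `main_softc` parameter is unused and the diagnostic lacks a newline and a module prefix: `printf("ipfilter: sysctl_ctx_free failed\n");`. Both functions also deserve a short header comment stating that the OIDs point into the nat/state/auth/frag softcs, so create must run after `ipf_create_all()` and destroy before `ipf_destroy_all()`.
```c
static int
ipf_fbsd_sysctl_create(main_softc)
	ipf_main_softc_t *main_softc;
{
	/* … unchanged: softc pointer lookups … */

	sysctl_ctx_init(&ipf_clist);

	/*
	 * SYSCTL_ADD_OID() returns NULL on failure; without a check this
	 * function can never report the error ipf_modload() tests for.
	 */
	if (SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_defnatage", CTLFLAG_RWO,
	    &nat_softc->ipf_nat_defage, 0, "") == NULL)
		goto fail;
	if (SYSCTL_DYN_IPF(_net_inet_ipf, OID_AUTO, "fr_statesize", CTLFLAG_RWO,
	    &state_softc->ipf_state_size, 0, "") == NULL)
		goto fail;
	/* … same pattern for the remaining ten OIDs … */
	return 0;

fail:
	printf("ipfilter: could not create dynamic sysctl\n");
	(void)sysctl_ctx_free(&ipf_clist);
	return EIO;
}
```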