From d243747d92c4cacce93fc3a982655dc80d4886d4 Mon Sep 17 00:00:00 2001
From: andre <andre@FreeBSD.org>
Date: Fri, 27 Aug 2004 15:16:24 +0000
Subject: Always compile PFIL_HOOKS into the kernel and remove the associated
 kernel compile option.  All FreeBSD packet filters now use the PFIL_HOOKS API
 and thus it becomes a standard part of the network stack.

If no hooks are connected the entire packet filter hooks section and related
activities are jumped over.  This removes any performance impact if no hooks
are active.

Both OpenBSD and DragonFlyBSD have integrated PFIL_HOOKS permanently as well.
---
 sys/netinet/ip_output.c | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

(limited to 'sys/netinet/ip_output.c')

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 3576905..b392b99 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -33,7 +33,6 @@
 #include "opt_ipfw.h"
 #include "opt_ipsec.h"
 #include "opt_mac.h"
-#include "opt_pfil_hooks.h"
 #include "opt_mbuf_stress_test.h"
 
 #include <sys/param.h>
@@ -49,6 +48,7 @@
 
 #include <net/if.h>
 #include <net/netisr.h>
+#include <net/pfil.h>
 #include <net/route.h>
 
 #include <netinet/in.h>
@@ -58,9 +58,6 @@
 #include <netinet/in_var.h>
 #include <netinet/ip_var.h>
 
-#ifdef PFIL_HOOKS
-#include <net/pfil.h>
-#endif
 
 #include <machine/in_cksum.h>
 
@@ -132,9 +129,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 	struct in_ifaddr *ia = NULL;
 	int isbroadcast, sw_csum;
 	struct route iproute;
-#ifdef PFIL_HOOKS
 	struct in_addr odst;
-#endif
 #ifdef IPFIREWALL_FORWARD
 	struct m_tag *fwd_tag = NULL;
 #endif
@@ -187,9 +182,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro,
 	}
 
 	dst = (struct sockaddr_in *)&ro->ro_dst;
-#ifdef PFIL_HOOKS
 again:
-#endif
 	/*
 	 * If there is a cached route,
 	 * check that it is to the same destination
@@ -665,10 +658,11 @@ skip_ipsec:
 spd_done:
 #endif /* FAST_IPSEC */
 
-#ifdef PFIL_HOOKS
-	/*
-	 * Run through list of hooks for output packets.
-	 */
+	/* Jump over all PFIL processing if hooks are not active. */
+	if (inet_pfil_hook.ph_busy_count == -1)
+		goto passout;
+
+	/* Run through list of hooks for output packets. */
 	odst.s_addr = ip->ip_dst.s_addr;
 	error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT);
 	if (error != 0 || m == NULL)
@@ -729,11 +723,7 @@ spd_done:
 	}
 #endif
 
-#endif /* PFIL_HOOKS */
-
-#if 0
-pass:
-#endif
+passout:
 	/* 127/8 must not appear on wire - RFC1122. */
 	if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
 	    (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
-- 
cgit v1.1