From 83807ec50da2dec25df74073d007a33ae79d8bfd Mon Sep 17 00:00:00 2001 From: mlaier Date: Tue, 3 Jul 2007 12:46:08 +0000 Subject: Link pf 4.1 to the build: - move ftp-proxy from libexec to usr.sbin - add tftp-proxy - new altq mtag link Approved by: re (kensmith) --- sys/conf/files | 16 +++++--- sys/contrib/altq/altq/altq_cbq.c | 6 +-- sys/contrib/altq/altq/altq_hfsc.c | 6 +-- sys/contrib/altq/altq/altq_priq.c | 6 +-- sys/contrib/altq/altq/altq_red.c | 10 ++--- sys/contrib/pf/net/pf_mtag.h | 82 +++++++++++++++++++++++++++++++++++++++ sys/modules/ipfw/Makefile | 1 + sys/modules/pf/Makefile | 6 +++ sys/net/if_ethersubr.c | 4 +- sys/netinet/ip_fw2.c | 14 +++---- sys/netinet6/in6.h | 5 +++ sys/sys/mbuf.h | 6 +-- 12 files changed, 126 insertions(+), 36 deletions(-) create mode 100644 sys/contrib/pf/net/pf_mtag.h (limited to 'sys') diff --git a/sys/conf/files b/sys/conf/files index 9826f2c..d8a4f42 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -327,16 +327,18 @@ contrib/pf/net/pf.c optional pf \ compile-with "${NORMAL_C} -I$S/contrib/pf" contrib/pf/net/pf_if.c optional pf \ compile-with "${NORMAL_C} -I$S/contrib/pf" -contrib/pf/net/pf_subr.c optional pf \ - compile-with "${NORMAL_C} -I$S/contrib/pf" contrib/pf/net/pf_ioctl.c optional pf \ compile-with "${NORMAL_C} -I$S/contrib/pf" contrib/pf/net/pf_norm.c optional pf \ compile-with "${NORMAL_C} -I$S/contrib/pf" -contrib/pf/net/pf_table.c optional pf \ - compile-with "${NORMAL_C} -I$S/contrib/pf" contrib/pf/net/pf_osfp.c optional pf \ compile-with "${NORMAL_C} -I$S/contrib/pf" +contrib/pf/net/pf_ruleset.c optional pf \ + compile-with "${NORMAL_C} -I$S/contrib/pf" +contrib/pf/net/pf_subr.c optional pf \ + compile-with "${NORMAL_C} -I$S/contrib/pf" +contrib/pf/net/pf_table.c optional pf \ + compile-with "${NORMAL_C} -I$S/contrib/pf" contrib/pf/netinet/in4_cksum.c optional pf inet crypto/blowfish/bf_ecb.c optional ipsec crypto/blowfish/bf_skey.c optional crypto | ipsec 
@@ -1584,7 +1586,8 @@ net/if_disc.c optional disc net/if_edsc.c optional edsc net/if_ef.c optional ef net/if_enc.c optional enc -net/if_ethersubr.c optional ether +net/if_ethersubr.c optional ether \ + compile-with "${NORMAL_C} -I$S/contrib/pf" net/if_faith.c optional faith net/if_fddisubr.c optional fddi net/if_fwsubr.c optional fwip @@ -1825,7 +1828,8 @@ netinet/ip_dummynet.c optional dummynet netinet/ip_ecn.c optional inet | inet6 netinet/ip_encap.c optional inet | inet6 netinet/ip_fastfwd.c optional inet -netinet/ip_fw2.c optional ipfirewall +netinet/ip_fw2.c optional ipfirewall \ + compile-with "${NORMAL_C} -I$S/contrib/pf" netinet/ip_fw_pfil.c optional ipfirewall netinet/ip_icmp.c optional inet netinet/ip_input.c optional inet diff --git a/sys/contrib/altq/altq/altq_cbq.c b/sys/contrib/altq/altq/altq_cbq.c index aafa5c8..7cdfb40 100644 --- a/sys/contrib/altq/altq/altq_cbq.c +++ b/sys/contrib/altq/altq/altq_cbq.c @@ -500,7 +500,7 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { cbq_state_t *cbqp = (cbq_state_t *)ifq->altq_disc; struct rm_class *cl; - struct m_tag *t; + struct pf_mtag *t; int len; IFQ_LOCK_ASSERT(ifq); @@ -520,8 +520,8 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) return (ENOBUFS); } cl = NULL; - if ((t = m_tag_find(m, PACKET_TAG_PF_QID, NULL)) != NULL) - cl = clh_to_clp(cbqp, ((struct altq_tag *)(t+1))->qid); + if ((t = pf_find_mtag(m)) != NULL) + cl = clh_to_clp(cbqp, t->qid); #ifdef ALTQ3_COMPAT else if ((ifq->altq_flags & ALTQF_CLASSIFY) && pktattr != NULL) cl = pktattr->pattr_class; diff --git a/sys/contrib/altq/altq/altq_hfsc.c b/sys/contrib/altq/altq/altq_hfsc.c index 8fea4dd..bf7a4f0 100644 --- a/sys/contrib/altq/altq/altq_hfsc.c +++ b/sys/contrib/altq/altq/altq_hfsc.c 
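Review bot: In the altq_cbq.c hunk at @@ -520, `if ((t = pf_find_mtag(m)) != NULL)` treats the presence of the shared PACKET_TAG_PF tag as "a queue was assigned", but after this commit that tag also exists when pf only set `routed`, `tag` or `flags`, and `qid` is then still 0 from the bzero in pf_get_mtag. The ip_fw2.c hunk in this same commit guards on `at->qid != 0`; here a qid of 0 is handed to clh_to_clp, which presumably matches no class, and the ALTQ3_COMPAT `else if` branch that an absent tag used to reach is skipped. Suggest `if ((t = pf_find_mtag(m)) != NULL && t->qid != 0)`; the identical hunks in altq_hfsc.c (@@ -713) and altq_priq.c (@@ -481) have the same issue. cbq_enqueue continues outside the hunk.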
@@ -693,7 +693,7 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { struct hfsc_if *hif = (struct hfsc_if *)ifq->altq_disc; struct hfsc_class *cl; - struct m_tag *t; + struct pf_mtag *t; int len; IFQ_LOCK_ASSERT(ifq); @@ -713,8 +713,8 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) return (ENOBUFS); } cl = NULL; - if ((t = m_tag_find(m, PACKET_TAG_PF_QID, NULL)) != NULL) - cl = clh_to_clp(hif, ((struct altq_tag *)(t+1))->qid); + if ((t = pf_find_mtag(m)) != NULL) + cl = clh_to_clp(hif, t->qid); #ifdef ALTQ3_COMPAT else if ((ifq->altq_flags & ALTQF_CLASSIFY) && pktattr != NULL) cl = pktattr->pattr_class; diff --git a/sys/contrib/altq/altq/altq_priq.c b/sys/contrib/altq/altq/altq_priq.c index 28b0ddb..ec789c5a 100644 --- a/sys/contrib/altq/altq/altq_priq.c +++ b/sys/contrib/altq/altq/altq_priq.c @@ -461,7 +461,7 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { struct priq_if *pif = (struct priq_if *)ifq->altq_disc; struct priq_class *cl; - struct m_tag *t; + struct pf_mtag *t; int len; IFQ_LOCK_ASSERT(ifq); @@ -481,8 +481,8 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) return (ENOBUFS); } cl = NULL; - if ((t = m_tag_find(m, PACKET_TAG_PF_QID, NULL)) != NULL) - cl = clh_to_clp(pif, ((struct altq_tag *)(t+1))->qid); + if ((t = pf_find_mtag(m)) != NULL) + cl = clh_to_clp(pif, t->qid); #ifdef ALTQ3_COMPAT else if ((ifq->altq_flags & ALTQF_CLASSIFY) && pktattr != NULL) cl = pktattr->pattr_class; diff --git a/sys/contrib/altq/altq/altq_red.c b/sys/contrib/altq/altq/altq_red.c index 6010033..f6b7e31 100644 --- a/sys/contrib/altq/altq/altq_red.c +++ b/sys/contrib/altq/altq/altq_red.c 
@@ -514,16 +514,12 @@ int mark_ecn(struct mbuf *m, struct altq_pktattr *pktattr, int flags) { struct mbuf *m0; - struct m_tag *t; - struct altq_tag *at; + struct pf_mtag *at; void *hdr; int af; - t = m_tag_find(m, PACKET_TAG_PF_QID, NULL); - if (t != NULL) { - at = (struct altq_tag *)(t + 1); - if (at == NULL) - return (0); + at = pf_find_mtag(m); + if (at != NULL) { af = at->af; hdr = at->hdr; #ifdef ALTQ3_COMPAT diff --git a/sys/contrib/pf/net/pf_mtag.h b/sys/contrib/pf/net/pf_mtag.h new file mode 100644 index 0000000..a0ebf7e --- /dev/null +++ b/sys/contrib/pf/net/pf_mtag.h 
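Review bot: In mark_ecn, `if (at != NULL)` now also accepts a PACKET_TAG_PF tag that another consumer created without ever filling the ECN fields; pf_get_mtag zero-fills new tags, so `at->af` is 0 and `at->hdr` is NULL in that case. The remainder of mark_ecn is outside the hunk, so I cannot confirm that the later address-family check rejects af == 0 before `hdr` is dereferenced; if it does not, the guard should read `if (at != NULL && at->hdr != NULL) {`. Either way a comment on the new condition would help the next reader: `/* tag may exist without ECN info (af == 0, hdr == NULL) when only pf routing/tag fields were set */`.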
@@ -0,0 +1,82 @@ +/* $FreeBSD$ */ +/* + * Copyright (c) 2001 Daniel Hartmeier + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ * + */ + +#ifndef _NET_PF_MTAG_H_ +#define _NET_PF_MTAG_H_ + +#ifdef _KERNEL + +#define PF_TAG_GENERATED 0x01 +#define PF_TAG_FRAGCACHE 0x02 +#define PF_TAG_TRANSLATE_LOCALHOST 0x04 + +struct pf_mtag { + void *hdr; /* saved hdr pos in mbuf, for ECN */ + u_int rtableid; /* alternate routing table id */ + u_int32_t qid; /* queue id */ + u_int16_t tag; /* tag id */ + u_int8_t flags; + u_int8_t routed; + sa_family_t af; /* for ECN */ +}; + +static __inline struct pf_mtag *pf_find_mtag(struct mbuf *); +static __inline struct pf_mtag *pf_get_mtag(struct mbuf *); + +static __inline struct pf_mtag * +pf_find_mtag(struct mbuf *m) +{ + struct m_tag *mtag; + + if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) + return (NULL); + + return ((struct pf_mtag *)(mtag + 1)); +} + +static __inline struct pf_mtag * +pf_get_mtag(struct mbuf *m) +{ + struct m_tag *mtag; + + if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) { + mtag = m_tag_get(PACKET_TAG_PF, sizeof(struct pf_mtag), + M_NOWAIT); + if (mtag == NULL) + return (NULL); + bzero(mtag + 1, sizeof(struct pf_mtag)); + m_tag_prepend(m, mtag); + } + + return ((struct pf_mtag *)(mtag + 1)); +} +#endif /* _KERNEL */ +#endif /* _NET_PF_MTAG_H_ */ diff --git a/sys/modules/ipfw/Makefile b/sys/modules/ipfw/Makefile index 92bad75..e208e1d 100644 --- a/sys/modules/ipfw/Makefile +++ b/sys/modules/ipfw/Makefile @@ -9,6 +9,7 @@ SRCS= ip_fw2.c ip_fw_pfil.c SRCS+= opt_inet6.h opt_ipsec.h opt_mac.h CFLAGS+= -DIPFIREWALL +CFLAGS+= -I${.CURDIR}/../../contrib/pf # #If you want it verbose #CFLAGS+= -DIPFIREWALL_VERBOSE diff --git a/sys/modules/pf/Makefile b/sys/modules/pf/Makefile index 4c29a0b..ce67414 100644 --- a/sys/modules/pf/Makefile +++ b/sys/modules/pf/Makefile @@ -7,6 +7,7 @@ KMOD= pf SRCS = pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c \ + pf_ruleset.c \ in4_cksum.c \ opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h 
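Review bot: pf_mtag.h uses `struct mbuf`, `m_tag_find`, `m_tag_get`, `m_tag_prepend`, `bzero`, `u_int32_t` and `sa_family_t` but includes nothing itself, so it only compiles when the includer already has sys/mbuf.h and the socket types in scope; the new include sites in this commit happen to satisfy that, but a header defining inline functions should either include what it needs or state the requirement above the guard, e.g. `/* Requires <sys/param.h>, <sys/mbuf.h> and <sys/socket.h> to be included first. */`. The struct also does not document that a tag returned by pf_get_mtag is zero-filled and shared between pf, ipfw and ALTQ, with zero meaning "not set" — the enqueue paths in this commit depend on exactly that; a comment on `qid` such as `/* queue id, 0 = none assigned */` and one on `flags` naming the PF_TAG_* bits would record the contract. `u_int8_t flags;` and `u_int8_t routed;` are the only fields without a trailing comment.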
@@ -23,6 +24,11 @@ opt_inet6.h: opt_bpf.h: echo "#define DEV_BPF 1" > opt_bpf.h + +# pflog can be loaded as a module, have the additional checks turned on +opt_pf.h: + echo "#define DEV_PF 1" > opt_pf.h + echo "#define DEF_PFLOG 1" >> opt_pf.h .endif .include diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c index 29014fa..7c8eb25 100644 --- a/sys/net/if_ethersubr.c +++ b/sys/net/if_ethersubr.c @@ -60,6 +60,7 @@ #include #include #include +#include #if defined(INET) || defined(INET6) #include @@ -151,6 +152,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m, int error, hdrcmplt = 0; u_char esrc[ETHER_ADDR_LEN], edst[ETHER_ADDR_LEN]; struct ether_header *eh; + struct pf_mtag *t; int loop_copy = 1; int hlen; /* link layer header length */ @@ -301,7 +303,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m, * reasons and compatibility with the original behavior. */ if ((ifp->if_flags & IFF_SIMPLEX) && loop_copy && - m_tag_find(m, PACKET_TAG_PF_ROUTED, NULL) == NULL) { + ((t = pf_find_mtag(m)) == NULL || !t->routed)) { int csum_flags = 0; if (m->m_pkthdr.csum_flags & CSUM_IP) diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 72c11ac..e53e2e8 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -66,6 +66,7 @@ #include #include #include +#include #include #include #include @@ -3058,24 +3059,21 @@ check_body: break; case O_ALTQ: { - struct altq_tag *at; + struct pf_mtag *at; ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; match = 1; - mtag = m_tag_find(m, PACKET_TAG_PF_QID, NULL); - if (mtag != NULL) + at = pf_find_mtag(m); + if (at != NULL && at->qid != 0) break; - mtag = m_tag_get(PACKET_TAG_PF_QID, - sizeof(struct altq_tag), - M_NOWAIT); - if (mtag == NULL) { + at = pf_get_mtag(m); + if (at == NULL) { /* * Let the packet fall back to the * default ALTQ. */ break; } - at = (struct altq_tag *)(mtag+1); at->qid = altq->qid; if (is_ipv4) at->af = AF_INET; diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h index 12c9fb4..715b6f4 100644 
--- a/sys/netinet6/in6.h +++ b/sys/netinet6/in6.h @@ -350,6 +350,11 @@ extern const struct in6_addr in6addr_linklocal_allrouters; #define IN6_IS_SCOPE_LINKLOCAL(a) \ ((IN6_IS_ADDR_LINKLOCAL(a)) || \ (IN6_IS_ADDR_MC_LINKLOCAL(a))) +#define IN6_IS_SCOPE_EMBED(a) \ + ((IN6_IS_ADDR_LINKLOCAL(a)) || \ + (IN6_IS_ADDR_MC_LINKLOCAL(a)) || \ + (IN6_IS_ADDR_MC_INTFACELOCAL(a))) + #define IFA6_IS_DEPRECATED(a) \ ((a)->ia6_lifetime.ia6t_pltime != ND6_INFINITE_LIFETIME && \ diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h index 10e7915..bff95b5 100644 --- a/sys/sys/mbuf.h +++ b/sys/sys/mbuf.h @@ -833,12 +833,8 @@ struct mbuf *m_unshare(struct mbuf *, int how); #define PACKET_TAG_DIVERT 17 /* divert info */ #define PACKET_TAG_IPFORWARD 18 /* ipforward info */ #define PACKET_TAG_MACLABEL (19 | MTAG_PERSISTENT) /* MAC label */ -#define PACKET_TAG_PF_ROUTED 21 /* PF routed, avoid loops */ -#define PACKET_TAG_PF_FRAGCACHE 22 /* PF fragment cached */ -#define PACKET_TAG_PF_QID 23 /* PF ALTQ queue id */ -#define PACKET_TAG_PF_TAG 24 /* PF tagged */ +#define PACKET_TAG_PF 21 /* PF + ALTQ information */ #define PACKET_TAG_RTSOCKFAM 25 /* rtsock sa family */ -#define PACKET_TAG_PF_TRANSLATE_LOCALHOST 26 /* PF translate localhost */ #define PACKET_TAG_IPOPTIONS 27 /* Saved IP options */ #define PACKET_TAG_CARP 28 /* CARP info */ -- cgit v1.1