#
332513 |
|
15-Apr-2018 |
kp |
MFC r331436:
netpfil: Introduce PFIL_FWD flag
Forwarded packets passed through PFIL_OUT, which made it difficult for firewalls to figure out if they were forwarding or producing packets. This in turn is an issue for pf for IPv6 fragment handling: it needs to call ip6_output() or ip6_forward() to handle the fragments. Figuring out which was difficult (and until now, incorrect). Having pfil distinguish the two removes an ugly piece of code from pf.
Introduce a new variant of the netpfil callbacks with a flags variable, which has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if a packet is forwarded.
|
#
317042 |
|
17-Apr-2017 |
ae |
MFC r316461: Remove "IPFW static rules" rmlock.
Make PFIL's lock global and use it for this purpose. This reduces the number of locks needed to acquire for each packet.
Obtained from: Yandex LLC Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D10154
|
#
316458 |
|
03-Apr-2017 |
ae |
MFC r316013: Make pfil's locking macros private.
Obtained from: Yandex LLC
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
302054 |
|
21-Jun-2016 |
bz |
Get closer to a VIMAGE network stack teardown from top to bottom rather than removing the network interfaces first. This change is rather large and convoluted as the ordering requirements cannot be separated.
Move the pfil(9) framework to SI_SUB_PROTO_PFIL, move Firewalls and related modules to their own SI_SUB_PROTO_FIREWALL. Move initialization of "physical" interfaces to SI_SUB_DRIVERS, move virtual (cloned) interfaces to SI_SUB_PSEUDO. Move Multicast to SI_SUB_PROTO_MC.
Re-work parts of multicast initialisation and teardown, not taking the huge amount of memory into account if used as a module yet.
For interface teardown we try to do as many of them as we can on SI_SUB_INIT_IF, but for some this makes no sense, e.g., when tunnelling over a higher layer protocol such as IP. In that case the interface has to go along (or before) the higher layer protocol is shutdown.
Kernel hhooks need to go last on teardown as they may be used at various higher layers and we cannot remove them before we cleaned up the higher layers.
For interface teardown there are multiple paths: (a) a cloned interface is destroyed (inside a VIMAGE or in the base system), (b) any interface is moved from a virtual network stack to a different network stack ("vmove"), or (c) a virtual network stack is being shut down. All code paths go through if_detach_internal() where we, depending on the vmove flag or the vnet state, make a decision on how much to shut down; in case we are destroying a VNET the individual protocol layers will cleanup their own parts thus we cannot do so again for each interface as we end up with, e.g., double-frees, destroying locks twice or acquiring already destroyed locks. When calling into protocol cleanups we equally have to tell them whether they need to detach upper layer protocols ("ulp") or not (e.g., in6_ifdetach()).
Provide or enhance helper functions to do proper cleanup at a protocol rather than at an interface level.
Approved by: re (hrs) Obtained from: projects/vnet Reviewed by: gnn, jhb Sponsored by: The FreeBSD Foundation MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D6747
|
#
301503 |
|
06-Jun-2016 |
bz |
SYSINIT functions do not return a value; switch to void, remove the return value, and mark the unused argument __unused.
Obtained from: projects/vnet MFC after: 2 weeks Sponsored by: The FreeBSD Foundation
|
#
257176 |
|
26-Oct-2013 |
glebius |
The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare for this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h
Sponsored by: Netflix Sponsored by: Nginx, Inc.
|
#
254774 |
|
24-Aug-2013 |
andre |
Rename PFIL_LIST_[UN]LOCK() to PFIL_HEADLIST_[UN]LOCK() to avoid confusion with the pfil_head chain locking macros.
|
#
254773 |
|
24-Aug-2013 |
andre |
Resolve the confusion between the head_list and the hook list.
The linked list of pfil hooks is changed to "chain" and this term is applied consistently. The head_list remains with "list" term.
Add KASSERT to vnet_pfil_uninit().
Update and extend comments.
Reviewed by: eri (previous version)
|
#
254771 |
|
24-Aug-2013 |
andre |
Internalize pfil_hook_get(). There are no outside consumers of this API, it is only safe for internal use and even the pfil(9) man page says so in the BUGS section.
Reviewed by: eri
|
#
254770 |
|
24-Aug-2013 |
andre |
Convert one instance of pfil hook callback missed in r254769.
|
#
254769 |
|
24-Aug-2013 |
andre |
Introduce typedef for pfil hook callback function and replace all spelled out occurrences with it.
Reviewed by: eri
|
#
248490 |
|
19-Mar-2013 |
ae |
Fix style and comments.
|
#
242463 |
|
01-Nov-2012 |
ae |
Remove the recently added sysctl variable net.pfil.forward. Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set.
Suggested by: andre
|
#
242079 |
|
25-Oct-2012 |
ae |
Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on the related functionality at runtime via the sysctl variable net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC Discussed with: net@ MFC after: 2 weeks
|
#
241888 |
|
22-Oct-2012 |
melifaro |
Make PFIL use per-VNET lock instead of per-AF lock. Since most used packet filters (ipfw and PF) use the same ruleset with the same lock for both AF_INET and AF_INET6 there is no need for more fine-grained locking. However, it is possible to request a personal lock by specifying the PFIL_FLAG_PRIVATE_LOCK flag in the pfil_head structure (see pfil.9 for more details).
Export PFIL lock via rw_lock(9)/rm_lock(9)-like API permitting pfil consumers to use this lock instead of their own lock. This helps reduce locks on the main traffic path.
pfil_assert() is currently not implemented due to absence of rm_assert(). Waiting for some kind of r234648 to be merged in HEAD.
This change is part of bigger patch reducing routing locking.
Sponsored by: Yandex LLC Reviewed by: glebius, ae OK'd by: silence on net@ MFC after: 3 weeks
|
#
198233 |
|
19-Oct-2009 |
rwatson |
Clean up comments, white space, and style in pfil.c (especially new VNET bits).
MFC after: 3 days (not VNET bits)
|
#
198198 |
|
18-Oct-2009 |
rwatson |
Line-wrap pfil.c so that it prints more nicely.
MFC after: 3 days
|
#
197952 |
|
11-Oct-2009 |
julian |
Virtualize the pfil hooks so that different jails may choose different packet filters. Also allows ipfw to be enabled on one jail and disabled on another. In 8.0 it's a global setting.
Sitting around in tree waiting to commit for: 2 months MFC after: 2 months
|
#
186187 |
|
16-Dec-2008 |
rwatson |
A few locking fixes and cleanups to pfil hook registration, unregistration, and execution:
- Add some brackets for clarity and trim a bit of vertical whitespace.
- Remove comments that may not contribute to clarity, such as "Lock" before acquiring a lock and "Get memory" before allocating memory.
- During hook registration, don't drop pfil_list_lock between checking for a duplicate and registering the hook, as this leaves a race condition by failing to enforce the "no duplicate hooks" invariant.
- Don't lock the hook during registration, since it's not yet in use.
- Document assumption that hooks will be quiesced before being unregistered.
- Don't write-lock hooks during removal because they are assumed quiesced.
- Rename "done" label to "locked_error" to be clear that it's an error path on the way out of hook execution.
MFC after: pretty soon
|
#
173904 |
|
25-Nov-2007 |
mlaier |
pfil(9) locking take 3: Switch to rmlock(9) This has the benefit that rmlocks have proper support for reader recursion (in contrast to rwlock(9) which could potentially lead to writer starvation). It also means a significant performance gain, even though only visible in microbenchmarks at the moment.
Discussed on: -arch, -net
|
#
155201 |
|
02-Feb-2006 |
csjp |
Somewhat re-factor the read/write locking mechanism associated with the packet filtering mechanisms to use the new rwlock(9) locking API:
- Drop the variables stored in the pfil_head structure which were specific to conditions and the home rolled read/write locking mechanism.
- Drop some includes which were used for condition variables.
- Drop the inline functions, and convert them to macros. Also, move these macros into pfil.h.
- Move pfil list locking macros into pfil.h as well.
- Rename ph_busy_count to ph_nhooks. This variable will represent the number of IN/OUT hooks registered with the pfil head structure.
- Define PFIL_HOOKED macro which evaluates to true if there are any hooks to be run by pfil_run_hooks.
- In the IP/IP6 stacks, change the ph_busy_count comparison to use the new PFIL_HOOKED macro.
- Drop optimization in pfil_run_hooks which checks to see if there are any hooks to be run, and returns if not. This check is already performed by the IP stacks when they call:
  if (!PFIL_HOOKED(ph)) goto skip_hooks;
- Drop in an assertion which makes sure that the number of hooks never drops below 0 for good measure. This in theory should never happen, and if it does then there are problems somewhere.
- Drop special logic around PFIL_WAITOK because rw_wlock(9) does not sleep.
- Drop variables which support home rolled read/write locking mechanism from the IPFW firewall chain structure.
- Swap out the read/write firewall chain lock internal to use the rwlock(9) API instead of our home rolled version.
- Convert the inlined functions to macros.
Reviewed by: mlaier, andre, glebius Thanks to: jhb for the new locking API
|
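As an added illustration, not code from sys/net/pfil.c or any FreeBSD release, the following userland model of a pfil hook chain covers two entries in this log: the ph_nhooks counter and PFIL_HOOKED() short-circuit introduced by r155201 above, and the PFIL_FWD flag from r331436 at the top of the page. The struct layouts, the flag values, the packet stand-in, the pf-like hook's policy and the "would call ip6_forward()/ip6_output()" counters are assumptions chosen for the demonstration; the kernel's locking (rmlock, later the global pfil lock) is not modelled.

```c
/*
 * Userland model of a pfil(9)-style hook chain, added to this page as an
 * illustration; not code from sys/net/pfil.c. Struct layouts, flag values and
 * the pf-like hook are assumptions, and no locking is modelled. It shows the
 * ph_nhooks / PFIL_HOOKED() short-circuit from r155201 and the PFIL_FWD bit
 * from r331436 that lets a PFIL_OUT hook tell forwarded from locally produced.
 */
#include <errno.h>
#include <string.h>

#define PFIL_OUT      0x02
#define PFIL_FWD      0x08      /* assumed value; passed together with PFIL_OUT */
#define PFIL_MAXHOOKS 8

struct pkt { const char *desc; int frag; };  /* stand-in for mbuf; frag: IPv6 fragment */

/* Hook contract as in pfil(9): return 0 to pass; non-zero or *pp == NULL drops. */
typedef int (*pfil_func_flags_t)(void *arg, struct pkt **pp, int dir, int flags);

struct pfil_hook { pfil_func_flags_t func; void *arg; int dir; };
struct pfil_head { struct pfil_hook chain[PFIL_MAXHOOKS]; int ph_nhooks; /* r155201 */ };

#define PFIL_HOOKED(ph) ((ph)->ph_nhooks > 0)

/* Register a hook; a duplicate is refused (the invariant r186187 enforces). */
int pfil_add_hook_flags(struct pfil_head *ph, pfil_func_flags_t f, void *arg, int dir)
{
    if (ph->ph_nhooks >= PFIL_MAXHOOKS)
        return ENOMEM;
    for (int i = 0; i < ph->ph_nhooks; i++)
        if (ph->chain[i].func == f && ph->chain[i].arg == arg)
            return EEXIST;
    ph->chain[ph->ph_nhooks++] = (struct pfil_hook){ f, arg, dir };
    return 0;
}

/* Walk the chain in registration order; stop at the first hook that drops. */
int pfil_run_hooks(struct pfil_head *ph, struct pkt **pp, int dir, int flags)
{
    int rv = 0;
    for (int i = 0; i < ph->ph_nhooks && *pp != NULL; i++) {
        if (!(ph->chain[i].dir & dir))
            continue;
        if ((rv = ph->chain[i].func(ph->chain[i].arg, pp, dir, flags)) != 0 || *pp == NULL)
            break;
    }
    return rv;
}

/* Counters for which output routine the hook would hand a fragment back to. */
struct pf_stats { int frags_via_forward, frags_via_output, dropped; };

/* pf-like PFIL_OUT hook (assumed logic): pick the reinjection path by PFIL_FWD. */
int pf_check_out(void *arg, struct pkt **pp, int dir, int flags)
{
    struct pf_stats *st = arg;
    (void)dir;
    if (strcmp((*pp)->desc, "blocked") == 0) {   /* policy says drop: consume it */
        st->dropped++;
        *pp = NULL;
        return EACCES;
    }
    if ((*pp)->frag) {          /* r331436: without PFIL_FWD this choice was a guess */
        if (flags & PFIL_FWD) st->frags_via_forward++;   /* would call ip6_forward() */
        else                  st->frags_via_output++;    /* would call ip6_output() */
    }
    return 0;
}

/* Model of the IPv6 output path: skip the chain entirely when nothing is hooked. */
int ip6_output_model(struct pfil_head *ph, struct pkt **pp, int forwarded)
{
    if (!PFIL_HOOKED(ph))
        return 0;
    return pfil_run_hooks(ph, pp, PFIL_OUT, PFIL_OUT | (forwarded ? PFIL_FWD : 0));
}

/* 1 if an empty head passes even a "blocked" packet untouched: no hook ran. */
int demo_empty_head(void)
{
    struct pfil_head ph = { .ph_nhooks = 0 };
    struct pkt m = { "blocked", 1 }, *p = &m;
    return !PFIL_HOOKED(&ph) && ip6_output_model(&ph, &p, 1) == 0 && p == &m;
}

/* Register pf_check_out once, push three packets through, return the counters. */
struct pf_stats run_demo(void)
{
    struct pfil_head ph = { .ph_nhooks = 0 };
    struct pf_stats st = { 0, 0, 0 };
    struct pkt fwd = { "fwd-frag", 1 }, local = { "local-frag", 1 }, bad = { "blocked", 0 }, *p;

    if (pfil_add_hook_flags(&ph, pf_check_out, &st, PFIL_OUT) != 0 ||
        pfil_add_hook_flags(&ph, pf_check_out, &st, PFIL_OUT) != EEXIST)
        return st;                               /* registration invariant broken */
    p = &fwd;   ip6_output_model(&ph, &p, 1);    /* forwarded fragment */
    p = &local; ip6_output_model(&ph, &p, 0);    /* locally produced fragment */
    p = &bad;
    if (ip6_output_model(&ph, &p, 0) != EACCES || p != NULL)
        st.dropped = -1;                         /* drop path broken */
    return st;
}
```

Two points the model makes concrete. First, a hook that only sees PFIL_OUT cannot tell a forwarded packet from one the host built itself, so a filter that must reinject fragments has to guess which output routine to hand them to; carrying PFIL_FWD next to the direction removes that guess. Second, the stack tests PFIL_HOOKED() before entering the chain, so with no filter loaded even a packet the policy would block passes untouched, which is exactly the fail-open behaviour a deployment should expect when the firewall module is not registered.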
#
146550 |
|
23-May-2005 |
mlaier |
Fix semantics of ph_busy_count == -1 to pass instead of block.
PR: kern/81128 Submitted by: Joost Bekkers MFC-after: 2 weeks
|
#
139823 |
|
06-Jan-2005 |
imp |
/* -> /*- for license, minor formatting changes
|
#
136258 |
|
08-Oct-2004 |
mlaier |
Change pfil starvation prevention from fail-open to fail-close. We return ENOBUF to indicate the problem, which is an errno that should be handled well everywhere.
Requested & Submitted by: green Silently okay'ed by: The rest of the firewall gang MFC after: 3 days
|
#
135920 |
|
29-Sep-2004 |
mlaier |
Add an additional struct inpcb * argument to pfil(9) in order to enable passing along socket information. This is required to work around a LOR with the socket code which results in an easily reproducible hard lockup with debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do so later. The missing piece is to turn the filter locking into a leaf lock and will follow in a separate (later) commit.
This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in the foreseeable future.
Suggested by: rwatson A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;) Reviewed by: rwatson, csjp Tested by: -pf, -ipfw, LINT, csjp and myself MFC after: 3 days
LOR IDs: 14 - 17 (not fixed yet)
|
#
135588 |
|
22-Sep-2004 |
mlaier |
Switch order for mtx_unlock and cv_signal as (condvar(9)) sez:
A thread must hold mp while calling cv_signal(), cv_broadcast(), or cv_broadcastpri() even though it isn't passed as an argument.
and is right with this claim.
While here remove a "\" from the macro -> __inline conversion.
Found by: csjp MFC after: 4 days
|
#
120386 |
|
23-Sep-2003 |
sam |
o update PFIL_HOOKS support to current API used by netbsd
o revamp IPv4+IPv6+bridge usage to match API changes
o remove pfil_head instances from protosw entries (no longer used)
o add locking
o bump FreeBSD version for 3rd party modules
Heavy lifting by: "Max Laier" <max@love2party.net> Supported by: FreeBSD Foundation Obtained from: NetBSD (bits of pfil.h and pfil.c)
|
#
111119 |
|
19-Feb-2003 |
imp |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
#
109623 |
|
21-Jan-2003 |
alfred |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
92725 |
|
19-Mar-2002 |
alfred |
Remove __P.
|
#
71999 |
|
04-Feb-2001 |
phk |
Mechanical change to use <sys/queue.h> macro API instead of fondling implementation details.
Created with: sed(1) Reviewed by: md5(1)
|
#
71959 |
|
03-Feb-2001 |
phk |
Use <sys/queue.h> macro api rather than fondle its implementation details.
Created with: /usr/bin/sed Reviewed by: /sbin/md5
|
#
67882 |
|
29-Oct-2000 |
phk |
Remove unneeded #include <sys/proc.h> lines.
|
#
60317 |
|
10-May-2000 |
darrenr |
Add pfil(9) subroutines and manpage from NetBSD.
|