micro optimaize for pfil_run_hooks(), ok'ed by ozaki-r@n.o and ryo@n.o.

That can improve IPv4 forwarding throughput 5% - 10%.

pfil(9): Assert pfil lists are not run in interrupt context.

All the paths leading to this should have been dispensed with by now.
The network stack runs in thread or softint context these days; hard
interrupt context is used only to put packets on queues deferred to
softint.

pfil(9): Assert sleepable when editing pfil lists.

These might sleep to wait for users to drain.

pfil_psz gets dropped by the compiler because it is unused if !NET_MPSAFE,
so add an #ifdef around it, not to leak memory. Found by kLSan.

Remove inappropriate place for __predict_false.

Ok mrg@ maya@.

Skip pfil_run_hooks if no packet filter configured in kernel.

Fix wrong memory order and switch pfil to atomic_load/store_*.

branches: 1.35.14; 1.35.20;
need to membar_producer() *before* switching.

pointed out by riastradh@, thanks

Call pserialize_perform and psref_target_destroy only if NET_MPSAFE

They shouldn't be used with holding softnet_lock.

Add curlwp_bind

It is necessary for example when we use tun(4). Without it the following
panic occurs:

panic: kernel diagnostic assertion "(kpreempt_disabled() || cpu_softintr_p() || ISSET(curlwp->l_pflag, LP_BOUND))" failed: file "/usr/src/sys/kern/subr_psref.c", line 291 passive references are CPU-local, but preemption is enabled and the caller is not in a softint or CPU-bound LWP
Backtrace:
vpanic()
ch_voltag_convert_in()
psref_release()
pfil_run_arg.isra.0()
if_initialize()
if_attach()
tun_clone_create()
tunopen()
cdev_open()
spec_open()
VOP_OPEN()
vn_open()
do_open()
do_sys_openat()
sys_open()
syscall()

Make pfil(9) MP-safe (applying psref(9))

branches: 1.31.2;
* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.8; 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

pfil(9): Assert pfil lists are not run in interrupt context.

All the paths leading to this should have been dispensed with by now.
The network stack runs in thread or softint context these days; hard
interrupt context is used only to put packets on queues deferred to
softint.

pfil(9): Assert sleepable when editing pfil lists.

These might sleep to wait for users to drain.

pfil_psz gets dropped by the compiler because it is unused if !NET_MPSAFE,
so add an #ifdef around it, not to leak memory. Found by kLSan.

Remove inappropriate place for __predict_false.

Ok mrg@ maya@.

Skip pfil_run_hooks if no packet filter configured in kernel.

Fix wrong memory order and switch pfil to atomic_load/store_*.

branches: 1.35.14; 1.35.20;
need to membar_producer() *before* switching.

pointed out by riastradh@, thanks

Call pserialize_perform and psref_target_destroy only if NET_MPSAFE

They shouldn't be used with holding softnet_lock.

Add curlwp_bind

It is necessary for example when we use tun(4). Without it the following
panic occurs:

panic: kernel diagnostic assertion "(kpreempt_disabled() || cpu_softintr_p() || ISSET(curlwp->l_pflag, LP_BOUND))" failed: file "/usr/src/sys/kern/subr_psref.c", line 291 passive references are CPU-local, but preemption is enabled and the caller is not in a softint or CPU-bound LWP
Backtrace:
vpanic()
ch_voltag_convert_in()
psref_release()
pfil_run_arg.isra.0()
if_initialize()
if_attach()
tun_clone_create()
tunopen()
cdev_open()
spec_open()
VOP_OPEN()
vn_open()
do_open()
do_sys_openat()
sys_open()
syscall()

Make pfil(9) MP-safe (applying psref(9))

branches: 1.31.2;
* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.8; 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

pfil_psz gets dropped by the compiler because it is unused if !NET_MPSAFE,
so add an #ifdef around it, not to leak memory. Found by kLSan.

Remove inappropriate place for __predict_false.

Ok mrg@ maya@.

Skip pfil_run_hooks if no packet filter configured in kernel.

Fix wrong memory order and switch pfil to atomic_load/store_*.

branches: 1.35.14; 1.35.20;
need to membar_producer() *before* switching.

pointed out by riastradh@, thanks

Call pserialize_perform and psref_target_destroy only if NET_MPSAFE

They shouldn't be used with holding softnet_lock.

Add curlwp_bind

It is necessary for example when we use tun(4). Without it the following
panic occurs:

panic: kernel diagnostic assertion "(kpreempt_disabled() || cpu_softintr_p() || ISSET(curlwp->l_pflag, LP_BOUND))" failed: file "/usr/src/sys/kern/subr_psref.c", line 291 passive references are CPU-local, but preemption is enabled and the caller is not in a softint or CPU-bound LWP
Backtrace:
vpanic()
ch_voltag_convert_in()
psref_release()
pfil_run_arg.isra.0()
if_initialize()
if_attach()
tun_clone_create()
tunopen()
cdev_open()
spec_open()
VOP_OPEN()
vn_open()
do_open()
do_sys_openat()
sys_open()
syscall()

Make pfil(9) MP-safe (applying psref(9))

branches: 1.31.2;
* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.8; 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

Remove inappropriate place for __predict_false.

Ok mrg@ maya@.

Skip pfil_run_hooks if no packet filter configured in kernel.

Fix wrong memory order and switch pfil to atomic_load/store_*.

branches: 1.35.14; 1.35.20;
need to membar_producer() *before* switching.

pointed out by riastradh@, thanks

Call pserialize_perform and psref_target_destroy only if NET_MPSAFE

They shouldn't be used with holding softnet_lock.

Add curlwp_bind

It is necessary for example when we use tun(4). Without it the following
panic occurs:

panic: kernel diagnostic assertion "(kpreempt_disabled() || cpu_softintr_p() || ISSET(curlwp->l_pflag, LP_BOUND))" failed: file "/usr/src/sys/kern/subr_psref.c", line 291 passive references are CPU-local, but preemption is enabled and the caller is not in a softint or CPU-bound LWP
Backtrace:
vpanic()
ch_voltag_convert_in()
psref_release()
pfil_run_arg.isra.0()
if_initialize()
if_attach()
tun_clone_create()
tunopen()
cdev_open()
spec_open()
VOP_OPEN()
vn_open()
do_open()
do_sys_openat()
sys_open()
syscall()

Make pfil(9) MP-safe (applying psref(9))

branches: 1.31.2;
* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.8; 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

Fix wrong memory order and switch pfil to atomic_load/store_*.

need to membar_producer() *before* switching.

pointed out by riastradh@, thanks

Call pserialize_perform and psref_target_destroy only if NET_MPSAFE

They shouldn't be used with holding softnet_lock.

Add curlwp_bind

It is necessary for example when we use tun(4). Without it the following
panic occurs:

panic: kernel diagnostic assertion "(kpreempt_disabled() || cpu_softintr_p() || ISSET(curlwp->l_pflag, LP_BOUND))" failed: file "/usr/src/sys/kern/subr_psref.c", line 291 passive references are CPU-local, but preemption is enabled and the caller is not in a softint or CPU-bound LWP
Backtrace:
vpanic()
ch_voltag_convert_in()
psref_release()
pfil_run_arg.isra.0()
if_initialize()
if_attach()
tun_clone_create()
tunopen()
cdev_open()
spec_open()
VOP_OPEN()
vn_open()
do_open()
do_sys_openat()
sys_open()
syscall()

Make pfil(9) MP-safe (applying psref(9))

branches: 1.31.2;
* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.8; 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

need to membar_producer() *before* switching.

pointed out by riastradh@, thanks

Call pserialize_perform and psref_target_destroy only if NET_MPSAFE

They shouldn't be used with holding softnet_lock.

Add curlwp_bind

It is necessary for example when we use tun(4). Without it the following
panic occurs:

panic: kernel diagnostic assertion "(kpreempt_disabled() || cpu_softintr_p() || ISSET(curlwp->l_pflag, LP_BOUND))" failed: file "/usr/src/sys/kern/subr_psref.c", line 291 passive references are CPU-local, but preemption is enabled and the caller is not in a softint or CPU-bound LWP
Backtrace:
vpanic()
ch_voltag_convert_in()
psref_release()
pfil_run_arg.isra.0()
if_initialize()
if_attach()
tun_clone_create()
tunopen()
cdev_open()
spec_open()
VOP_OPEN()
vn_open()
do_open()
do_sys_openat()
sys_open()
syscall()

Make pfil(9) MP-safe (applying psref(9))

* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.8; 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

Call pserialize_perform and psref_target_destroy only if NET_MPSAFE

They shouldn't be used with holding softnet_lock.

Add curlwp_bind

It is necessary for example when we use tun(4). Without it the following
panic occurs:

panic: kernel diagnostic assertion "(kpreempt_disabled() || cpu_softintr_p() || ISSET(curlwp->l_pflag, LP_BOUND))" failed: file "/usr/src/sys/kern/subr_psref.c", line 291 passive references are CPU-local, but preemption is enabled and the caller is not in a softint or CPU-bound LWP
Backtrace:
vpanic()
ch_voltag_convert_in()
psref_release()
pfil_run_arg.isra.0()
if_initialize()
if_attach()
tun_clone_create()
tunopen()
cdev_open()
spec_open()
VOP_OPEN()
vn_open()
do_open()
do_sys_openat()
sys_open()
syscall()

Make pfil(9) MP-safe (applying psref(9))

* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

Make pfil(9) MP-safe (applying psref(9))

* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

* pfil_add_hook() no longer treats PFIL_IFADDR and PFIL_IFNET. delete them from pfil_flag_cases[].
* add/fix KASSERT
* fix comment

Not to use ph_inout[2]. dir (= PFIL_IN or PFIL_OUT) is 1 or 2, not 0 or 1.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

branches: 1.28.12;
- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.

pfil(9) improvements to handle address changes:

Add:
PFIL_IFADDR call on interface reconfig (mbuf is ioctl #)
PFIL_IFNET call on interface attach/detach (mbuf is PFIL_IFNET_*)

from rmind@

- Rewrite parts of pfil(9): use array to store hooks and thus be more cache
friendly (there are only few hooks in the system). Make the structures
opaque and the interface more strict.
- Remove PFIL_HOOKS option by making pfil(9) mandatory.

branches: 1.27.30; 1.27.40; 1.27.46;
Cosmetic: use LIST_FOREACH(). Join lines.

Cosmetic: use TAILQ_FOREACH(). Join lines.

branches: 1.25.2;
remove clause #3 from my license where there are no other
copyright holders involved.

branches: 1.24.70; 1.24.72; 1.24.74; 1.24.76;
merge ktrace-lwp.

- rename PFIL_NEWIF to PFIL_IFNET, and handle interface detach events
as well.
- use it for pf(4).

mostly from Peter Postma. PR/26403.

pfil_run_hooks: don't dereference 'mp' unless it's a pointer.

prepare PF-related hooks. reviewed by matt, perry, christos

branches: 1.20.16;
add RCSIDs

branches: 1.19.2; 1.19.4;
Back out the sledgehammer damage applied by wiz while I was out for
the holiday.

Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.

Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.

Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.

For pfil_add_hook(..., PFIL_ALL, ...), if we fail to add the output filter,
make sure to remove the input filter.

only call pfil_list_add with one of PFIL_IN or PFIL_OUT defined

return int from pfil_add_hook and pfil_remove_hook to indicate failure
or success, rather than panic'ing

fix from Mike Pelley to add filters in the reverse order for output
compared with input.

pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".

Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc. The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list. This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also. The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.

branches: 1.9.2;
pass a pointer to the list, rather than passing a copy of it, when removing
functions from the pfil hook lists. this fixes the "missing function" problem.
also, re-add support for WAITOK that was lost several deltas ago.

branches: 1.8.2;
call pfil_list_add with the right flag, to ensure it goes into the right list.
from mike@pelley.com in PR#7802.

branches: 1.7.8; 1.7.10; 1.7.12;
convert pfil(9) in and out lists from <sys/queue.h> LISTs to TAILQs, and
change pfil_add_hook to put output filters at the tail of the queue,
while continuing to place input filters at the head of the queue. update
the two users of these functions, and document these changes.

fixes PR#4593.

branches: 1.6.2;
remove advertising clause from all my licenses.

branches: 1.5.10;
remove pfil_bad.

backout previous kprintf change

- printf -> kprintf, sprintf -> ksprintf

minor copyright update.

move the packet filter hooks in to a saner location. while i'm here, rename
PACKET_FILTER to PFIL_HOOKS.