socsvn commit: r273685 - soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw

Fri Sep 5 11:18:11 UTC 2014

Author: dpl
Date: Fri Sep  5 11:18:09 2014
New Revision: 273685
URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=273685

Log:
  Moved JIT compilation to the ipfw_chk handler.

Modified:
  soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw2.c
  soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw_pfil.c

Modified: soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw2.c
==============================================================================

--- soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw2.c	Fri Sep  5 07:42:34 2014	(r273684)
+++ soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw2.c	Fri Sep  5 11:18:09 2014	(r273685)
@@ -124,12 +124,6 @@
 /* Use 128 tables by default */
 static unsigned int default_fw_tables = IPFW_TABLES_DEFAULT;
 
-/* JIT compiling API */
-funcptr compile_code(struct ip_fw_args *, struct ip_fw_chain *);
-
-/* Pointer to the actual compiled code */
-int (*compiledfuncptr)(struct ip_fw_args *, struct ip_fw_chain *) = 0;
-
 /*
  * Each rule belongs to one of 32 different sets (0..31).
  * The variable set_disable contains one bit per set.
@@ -271,19 +265,6 @@
 
 	args->f_id.fib = M_GETFIB(m); /* note mbuf not altered) */
 
-
-	/* If we haven't, JIT-compile the actions to be executed per-rule */
-	if (compiledfuncptr == 0) {
-		IPFW_PF_RLOCK(chain);
-		if (! V_ipfw_vnet_ready) { /* shutting down, leave NOW. */
-			IPFW_PF_RUNLOCK(chain);
-			return (IP_FW_PASS);	/* accept */
-		}
-		compiledfuncptr = compile_code(args, chain);
-		IPFW_PF_RUNLOCK(chain);
-	} else
-		return compiledfuncptr(args, chain);
-
 	/*
 	 * Local variables holding state while processing a packet:
 	 *

Modified: soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw_pfil.c
==============================================================================
--- soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw_pfil.c	Fri Sep  5 07:42:34 2014	(r273684)
+++ soc2014/dpl/netmap-ipfwjit/sys/netpfil/ipfw/ip_fw_pfil.c	Fri Sep  5 11:18:09 2014	(r273685)
@@ -87,8 +87,19 @@
 int ipfw_check_frame(void *, struct mbuf **, struct ifnet *, int,
 	struct inpcb *);
 
-#ifdef SYSCTL_NODE
+/* JIT compilation */
+typedef int (*funcptr)();
+funcptr compile_code(struct ip_fw_args *, struct ip_fw_chain *);
+/* Pointer to the actual compiled code */
+int (*compiledfuncptr)(struct ip_fw_args *, struct ip_fw_chain *) = 0;
+struct ip_fw_chain *chain = &V_layer3_chain;
+
+/* ipfw_vnet_ready controls when we are open for business */
+VNET_DEFINE(int, ipfw_vnet_ready);
+#define	V_ipfw_vnet_ready	VNET(ipfw_vnet_ready)
+
 
+#ifdef SYSCTL_NODE
 SYSBEGIN(f1)
 
 SYSCTL_DECL(_net_inet_ip_fw);
@@ -108,10 +119,38 @@
     ipfw_chg_hook, "I", "Pass ether pkts through firewall");
 
 SYSEND
-
 #endif /* SYSCTL_NODE */
 
 /*
+ * Handles the compilation and execution of the
+ * JIT compiled code.
+ *
+ * dpl TODO: Threaded compilation.
+ */
+int
+ipfw_chk_wrapper(struct ip_fw_args *args)
+{
+	int ret;
+
+	/* If we haven't, JIT-compile the actions to be executed per-rule */
+	if (compiledfuncptr == 0) {
+		IPFW_PF_RLOCK(chain);
+		if (! V_ipfw_vnet_ready) { /* shutting down, leave NOW. */
+			IPFW_PF_RUNLOCK(chain);
+			return (IP_FW_PASS);	/* accept */
+		}
+		compiledfuncptr = compile_code(args, chain);
+		ret = compiledfuncptr(args, chain);
+		IPFW_PF_RUNLOCK(chain);
+	} else {
+		IPFW_PF_RLOCK(chain);
+		ret = compiledfuncptr(args, chain);
+		IPFW_PF_RUNLOCK(chain);
+	}
+	return (ret);
+}
+
+/*
  * The pfilter hook to pass packets to ipfw_chk and then to
  * dummynet, divert, netgraph or other modules.
  * The packet may be consumed.
@@ -146,7 +185,7 @@
 	args.oif = dir == DIR_OUT ? ifp : NULL;
 	args.inp = inp;
 
-	ipfw = ipfw_chk(&args);
+	ipfw = ipfw_chk_wrapper(&args);
 	*m0 = args.m;
 
 	KASSERT(*m0 != NULL || ipfw == IP_FW_DENY, ("%s: m0 is NULL",
@@ -339,7 +378,7 @@
 	args.next_hop6 = NULL;	/* we do not support forward yet	*/
 	args.eh = &save_eh;	/* MAC header for bridged/MAC packets	*/
 	args.inp = NULL;	/* used by ipfw uid/gid/jail rules	*/
-	i = ipfw_chk(&args);
+	i = ipfw_chk_wrapper(&args);
 	m = args.m;
 	if (m != NULL) {
 		/*
