svn commit: r201735 - in head/sys/netinet: . ipfw

Luigi Rizzo luigi at FreeBSD.org
Thu Jan 7 10:39:16 UTC 2010


Author: luigi
Date: Thu Jan  7 10:39:15 2010
New Revision: 201735
URL: http://svn.freebsd.org/changeset/base/201735

Log:
  Following up on a request from Ermal Luci to make
  ip_divert work as a client of pf(4),
  make ip_divert not depend on ipfw.
  
  This is achieved by moving to ip_var.h the struct ipfw_rule_ref
  (which is part of the mtag for all reinjected packets) and other
  declarations of global variables, and moving to raw_ip.c global
  variables for filter and divert hooks.
  
  Note that names and locations could be made more generic
  (ipfw_rule_ref is really a generic reference robust to reconfigurations;
  the packet filter is not necessarily ipfw; filters and their clients
  are not necessarily limited to ipv4), but _right now_ most
  of this stuff works on ipfw and ipv4, so i don't feel like
  doing a gratuitous renaming, at least for the time being.

Modified:
  head/sys/netinet/ip_divert.c
  head/sys/netinet/ip_var.h
  head/sys/netinet/ipfw/ip_fw_private.h
  head/sys/netinet/raw_ip.c

Modified: head/sys/netinet/ip_divert.c
==============================================================================
--- head/sys/netinet/ip_divert.c	Thu Jan  7 10:27:52 2010	(r201734)
+++ head/sys/netinet/ip_divert.c	Thu Jan  7 10:39:15 2010	(r201735)
@@ -32,14 +32,10 @@ __FBSDID("$FreeBSD$");
 
 #if !defined(KLD_MODULE)
 #include "opt_inet.h"
-#include "opt_ipfw.h"
 #include "opt_sctp.h"
 #ifndef INET
 #error "IPDIVERT requires INET."
 #endif
-#ifndef IPFIREWALL
-#error "IPDIVERT requires IPFIREWALL"
-#endif
 #endif
 
 #include <sys/param.h>
@@ -55,10 +51,10 @@ __FBSDID("$FreeBSD$");
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
+#include <net/vnet.h>
 
 #include <net/if.h>
 #include <net/netisr.h> 
-#include <net/vnet.h>
 
 #include <netinet/in.h>
 #include <netinet/in_pcb.h>
@@ -66,8 +62,6 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
-#include <netinet/ip_fw.h>
-#include <netinet/ipfw/ip_fw_private.h>
 #ifdef SCTP
 #include <netinet/sctp_crc32.h>
 #endif
@@ -85,27 +79,29 @@ __FBSDID("$FreeBSD$");
 #define	DIVRCVQ		(65536 + 100)
 
 /*
- * Divert sockets work in conjunction with ipfw, see the divert(4)
- * manpage for features.
- * Internally, packets selected by ipfw in ip_input() or ip_output(),
- * and never diverted before, are passed to the input queue of the
- * divert socket with a given 'divert_port' number (as specified in
- * the matching ipfw rule), and they are tagged with a 16 bit cookie
- * (representing the rule number of the matching ipfw rule), which
- * is passed to process reading from the socket.
+ * Divert sockets work in conjunction with ipfw or other packet filters,
+ * see the divert(4) manpage for features.
+ * Packets are selected by the packet filter and tagged with an
+ * MTAG_IPFW_RULE tag carrying the 'divert port' number (as set by
+ * the packet filter) and information on the matching filter rule for
+ * subsequent reinjection. The divert_port is used to put the packet
+ * on the corresponding divert socket, while the rule number is passed
+ * up (at least partially) as the sin_port in the struct sockaddr.
  *
- * Packets written to the divert socket are again tagged with a cookie
- * (usually the same as above) and a destination address.
- * If the destination address is INADDR_ANY then the packet is
- * treated as outgoing and sent to ip_output(), otherwise it is
- * treated as incoming and sent to ip_input().
- * In both cases, the packet is tagged with the cookie.
+ * Packets written to the divert socket carry in sin_addr a
+ * destination address, and in sin_port the number of the filter rule
+ * after which to continue processing.
+ * If the destination address is INADDR_ANY, the packet is treated as
+ * as outgoing and sent to ip_output(); otherwise it is treated as
+ * incoming and sent to ip_input().
+ * Further, sin_zero carries some information on the interface,
+ * which can be used in the reinject -- see comments in the code.
  *
  * On reinjection, processing in ip_input() and ip_output()
  * will be exactly the same as for the original packet, except that
- * ipfw processing will start at the rule number after the one
- * written in the cookie (so, tagging a packet with a cookie of 0
- * will cause it to be effectively considered as a standard packet).
+ * packet filter processing will start at the rule number after the one
+ * written in the sin_port (ipfw does not allow a rule #0, so sin_port=0
+ * will apply the entire ruleset to the packet).
  */
 
 /* Internal variables. */

Modified: head/sys/netinet/ip_var.h
==============================================================================
--- head/sys/netinet/ip_var.h	Thu Jan  7 10:27:52 2010	(r201734)
+++ head/sys/netinet/ip_var.h	Thu Jan  7 10:39:15 2010	(r201735)
@@ -249,7 +249,43 @@ VNET_DECLARE(struct pfil_head, inet_pfil
 
 void	in_delayed_cksum(struct mbuf *m);
 
-/* ipfw and dummynet hooks. Most are declared in raw_ip.c */
+/* Hooks for ipfw, dummynet, divert etc. Most are declared in raw_ip.c */
+/*
+ * Reference to an ipfw or packet filter rule that can be carried
+ * outside critical sections.
+ * A rule is identified by rulenum:rule_id which is ordered.
+ * In version chain_id the rule can be found in slot 'slot', so
+ * we don't need a lookup if chain_id == chain->id.
+ *
+ * On exit from the firewall this structure refers to the rule after
+ * the matching one (slot points to the new rule; rulenum:rule_id-1
+ * is the matching rule), and additional info (e.g. info often contains
+ * the insn argument or tablearg in the low 16 bits, in host format).
+ * On entry, the structure is valid if slot>0, and refers to the starting
+ * rules. 'info' contains the reason for reinject, e.g. divert port,
+ * divert direction, and so on.
+ */
+struct ipfw_rule_ref {
+	uint32_t	slot;		/* slot for matching rule	*/
+	uint32_t	rulenum;	/* matching rule number		*/
+	uint32_t	rule_id;	/* matching rule id		*/
+	uint32_t	chain_id;	/* ruleset id			*/
+	uint32_t	info;		/* see below			*/
+};
+
+enum {
+	IPFW_INFO_MASK	= 0x0000ffff,
+	IPFW_INFO_OUT	= 0x00000000,	/* outgoing, just for convenience */
+	IPFW_INFO_IN	= 0x80000000,	/* incoming, overloads dir */
+	IPFW_ONEPASS	= 0x40000000,	/* One-pass, do not reinject */
+	IPFW_IS_MASK	= 0x30000000,	/* which source ? */
+	IPFW_IS_DIVERT	= 0x20000000,
+	IPFW_IS_DUMMYNET =0x10000000,
+	IPFW_IS_PIPE	= 0x08000000,	/* pip1=1, queue = 0 */
+};
+#define MTAG_IPFW	1148380143	/* IPFW-tagged cookie */
+#define MTAG_IPFW_RULE	1262273568	/* rule reference */
+
 struct ip_fw_args;
 typedef int	(*ip_fw_chk_ptr_t)(struct ip_fw_args *args);
 typedef int	(*ip_fw_ctl_ptr_t)(struct sockopt *);
@@ -258,9 +294,14 @@ VNET_DECLARE(ip_fw_ctl_ptr_t, ip_fw_ctl_
 #define	V_ip_fw_chk_ptr		VNET(ip_fw_chk_ptr)
 #define	V_ip_fw_ctl_ptr		VNET(ip_fw_ctl_ptr)
 
+/* Divert hooks. */
+extern void	(*ip_divert_ptr)(struct mbuf *m, int incoming);
+/* ng_ipfw hooks -- XXX make it the same as divert and dummynet */
+extern int	(*ng_ipfw_input_p)(struct mbuf **, int,
+			struct ip_fw_args *, int);
+
 extern int	(*ip_dn_ctl_ptr)(struct sockopt *);
-extern int	(*ip_dn_io_ptr)(struct mbuf **m, int dir, struct ip_fw_args *fwa);
-extern void	(*ip_dn_ruledel_ptr)(void *);		/* in ip_fw2.c */
+extern int	(*ip_dn_io_ptr)(struct mbuf **, int, struct ip_fw_args *);
 
 VNET_DECLARE(int, ip_do_randomid);
 #define	V_ip_do_randomid	VNET(ip_do_randomid)

Modified: head/sys/netinet/ipfw/ip_fw_private.h
==============================================================================
--- head/sys/netinet/ipfw/ip_fw_private.h	Thu Jan  7 10:27:52 2010	(r201734)
+++ head/sys/netinet/ipfw/ip_fw_private.h	Thu Jan  7 10:39:15 2010	(r201735)
@@ -35,8 +35,6 @@
 
 #ifdef _KERNEL
 
-#define MTAG_IPFW	1148380143	/* IPFW-tagged cookie */
-#define MTAG_IPFW_RULE	1262273568	/* rule reference */
 
 /* Return values from ipfw_chk() */
 enum {
@@ -66,38 +64,6 @@ struct _ip6dn_args {
        struct route_in6 ro_pmtu_or;
 };
 
-/*
- * Reference to an ipfw rule that can be carried outside critical sections.
- * A rule is identified by rulenum:rule_id which is ordered.
- * In version chain_id the rule can be found in slot 'slot', so
- * we don't need a lookup if chain_id == chain->id.
- *
- * On exit from the firewall this structure refers to the rule after
- * the matching one (slot points to the new rule; rulenum:rule_id-1
- * is the matching rule), and additional info (e.g. info often contains
- * the insn argument or tablearg in the low 16 bits, in host format).
- * On entry, the structure is valid if slot>0, and refers to the starting
- * rules. 'info' contains the reason for reinject, e.g. divert port,
- * divert direction, and so on.
- */
-struct ipfw_rule_ref {
-	uint32_t	slot;		/* slot for matching rule	*/
-	uint32_t	rulenum;	/* matching rule number		*/
-	uint32_t	rule_id;	/* matching rule id		*/
-	uint32_t	chain_id;	/* ruleset id			*/
-	uint32_t	info;		/* see below			*/
-};
-
-enum {
-	IPFW_INFO_MASK	= 0x0000ffff,
-	IPFW_INFO_OUT	= 0x00000000,	/* outgoing, just for convenience */
-	IPFW_INFO_IN	= 0x80000000,	/* incoming, overloads dir */
-	IPFW_ONEPASS	= 0x40000000,	/* One-pass, do not reinject */
-	IPFW_IS_MASK	= 0x30000000,	/* which source ? */
-	IPFW_IS_DIVERT	= 0x20000000,
-	IPFW_IS_DUMMYNET =0x10000000,
-	IPFW_IS_PIPE	= 0x08000000,	/* pip1=1, queue = 0 */
-};
 
 /*
  * Arguments for calling ipfw_chk() and dummynet_io(). We put them
@@ -289,10 +255,7 @@ int ipfw_del_table_entry(struct ip_fw_ch
 int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt);
 int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl);
 
-/* hooks for divert */
-extern void (*ip_divert_ptr)(struct mbuf *m, int incoming);
-
-/* In ip_fw_nat.c */
+/* In ip_fw_nat.c -- XXX to be moved to ip_var.h */
 
 extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
 
@@ -307,14 +270,5 @@ extern ipfw_nat_cfg_t *ipfw_nat_del_ptr;
 extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr;
 extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
 
-/* netgraph prototypes */
-
-typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int);
-extern  ng_ipfw_input_t *ng_ipfw_input_p;
-#define NG_IPFW_LOADED  (ng_ipfw_input_p != NULL)
-
-#define TAGSIZ  (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))
-
-
 #endif /* _KERNEL */
 #endif /* _IPFW2_PRIVATE_H */

Modified: head/sys/netinet/raw_ip.c
==============================================================================
--- head/sys/netinet/raw_ip.c	Thu Jan  7 10:27:52 2010	(r201734)
+++ head/sys/netinet/raw_ip.c	Thu Jan  7 10:39:15 2010	(r201735)
@@ -80,14 +80,18 @@ VNET_DEFINE(struct inpcbinfo, ripcbinfo)
 #define	V_ripcbinfo		VNET(ripcbinfo)
 
 /*
- * Control and data hooks for ipfw and dummynet.
+ * Control and data hooks for ipfw, dummynet, divert and so on.
  * The data hooks are not used here but it is convenient
  * to keep them all in one place.
  */
 VNET_DEFINE(ip_fw_chk_ptr_t, ip_fw_chk_ptr) = NULL;
 VNET_DEFINE(ip_fw_ctl_ptr_t, ip_fw_ctl_ptr) = NULL;
-int (*ip_dn_ctl_ptr)(struct sockopt *) = NULL;
-int (*ip_dn_io_ptr)(struct mbuf **m, int dir, struct ip_fw_args *fwa) = NULL;
+
+int	(*ip_dn_ctl_ptr)(struct sockopt *);
+int	(*ip_dn_io_ptr)(struct mbuf **, int, struct ip_fw_args *);
+void	(*ip_divert_ptr)(struct mbuf *, int);
+int	(*ng_ipfw_input_p)(struct mbuf **, int,
+			struct ip_fw_args *, int);
 
 /*
  * Hooks for multicast routing. They all default to NULL, so leave them not


More information about the svn-src-all mailing list