svn commit: r340544 - in stable/11: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netpfil/ipfw/nat64

Andrey V. Elsukov ae at FreeBSD.org
Sun Nov 18 01:04:55 UTC 2018 

Author: ae
Date: Sun Nov 18 01:04:53 2018
New Revision: 340544
URL: https://svnweb.freebsd.org/changeset/base/340544

Log:
  Revert r340541. It requires VNET_DEFINE_STATIC() macro that is not yet
  merged into stable/11.

Modified:
  stable/11/sbin/ipfw/ipfw.8
  stable/11/sys/conf/options
  stable/11/sys/modules/ipfw_nat64/Makefile
  stable/11/sys/netpfil/ipfw/nat64/ip_fw_nat64.c
  stable/11/sys/netpfil/ipfw/nat64/nat64_translate.c
  stable/11/sys/netpfil/ipfw/nat64/nat64_translate.h
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sbin/ipfw/ipfw.8
==============================================================================
--- stable/11/sbin/ipfw/ipfw.8	Sun Nov 18 00:52:27 2018	(r340543)
+++ stable/11/sbin/ipfw/ipfw.8	Sun Nov 18 01:04:53 2018	(r340544)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 21, 2018
+.Dd September 27, 2018
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -3284,14 +3284,9 @@ Make sure that ND6 neighbor solicitation (ICMPv6 type 
 advertisement (ICMPv6 type 136) messages will not be handled by translation
 rules.
 .Pp
-After translation NAT64 translator by default sends packets through
-corresponding netisr queue.
+After translation NAT64 translator sends packets through corresponding netisr
+queue.
 Thus translator host should be configured as IPv4 and IPv6 router.
-Also this means, that a packet is handled by firewall twice.
-First time an original packet is handled and consumed by translator,
-and then it is handled again as translated packet.
-This behavior can be changed by sysctl variable 
-.Va net.inet.ip.fw.nat64_direct_output .
 .Pp
 The stateful NAT64 configuration command is the following:
 .Bd -ragged -offset indent
@@ -3914,41 +3909,6 @@ Default is no.
 Controls whether bridged packets are passed to
 .Nm .
 Default is no.
-.It Va net.inet.ip.fw.nat64_allow_private : No 0
-Defines how
-.Nm nat64
-handles private IPv4 addresses:
-.Bl -tag -width indent
-.It Cm 0
-Packets with private IPv4 will not be handled by translator
-.It Cm 1
-Translator will accept and process packets with private IPv4 addresses.
-.El
-.It Va net.inet.ip.fw.nat64_debug : No 0
-Controls debugging messages produced by
-.Nm ipfw_nat64
-module.
-.It Va net.inet.ip.fw.nat64_direct_output : No 0
-Controls the output method used by
-.Nm ipfw_nat64
-module:
-.Bl -tag -width indent
-.It Cm 0
-A packet is handled by 
-.Nm ipfw
-twice.
-First time an original packet is handled by
-.Nm ipfw
-and consumed by
-.Nm ipfw_nat64
-translator.
-Then translated packet is queued via netisr to input processing again.
-.It Cm 1
-A packet is handled by
-.Nm ipfw
-only once, and after translation it will be pushed directly to outgoing
-interface.
-.El
 .El
 .Sh INTERNAL DIAGNOSTICS
 There are some commands that may be useful to understand current state

Modified: stable/11/sys/conf/options
==============================================================================
--- stable/11/sys/conf/options	Sun Nov 18 00:52:27 2018	(r340543)
+++ stable/11/sys/conf/options	Sun Nov 18 01:04:53 2018	(r340544)
@@ -422,6 +422,7 @@ IPFIREWALL		opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
 IPFIREWALL_NAT		opt_ipfw.h
 IPFIREWALL_NAT64	opt_ipfw.h
+IPFIREWALL_NAT64_DIRECT_OUTPUT	opt_ipfw.h
 IPFIREWALL_NPTV6	opt_ipfw.h
 IPFIREWALL_VERBOSE	opt_ipfw.h
 IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h

Modified: stable/11/sys/modules/ipfw_nat64/Makefile
==============================================================================
--- stable/11/sys/modules/ipfw_nat64/Makefile	Sun Nov 18 00:52:27 2018	(r340543)
+++ stable/11/sys/modules/ipfw_nat64/Makefile	Sun Nov 18 01:04:53 2018	(r340544)
@@ -6,5 +6,8 @@ KMOD=	ipfw_nat64
 SRCS=	ip_fw_nat64.c nat64_translate.c
 SRCS+=	nat64lsn.c nat64lsn_control.c
 SRCS+=	nat64stl.c nat64stl_control.c
+SRCS+=	opt_ipfw.h
+
+#CFLAGS+=	-DIPFIREWALL_NAT64_DIRECT_OUTPUT
 
 .include <bsd.kmod.mk>

Modified: stable/11/sys/netpfil/ipfw/nat64/ip_fw_nat64.c
==============================================================================
--- stable/11/sys/netpfil/ipfw/nat64/ip_fw_nat64.c	Sun Nov 18 00:52:27 2018	(r340543)
+++ stable/11/sys/netpfil/ipfw/nat64/ip_fw_nat64.c	Sun Nov 18 01:04:53 2018	(r340544)
@@ -48,7 +48,6 @@ __FBSDID("$FreeBSD$");
 #include <netpfil/ipfw/ip_fw_private.h>
 
 #include "ip_fw_nat64.h"
-#include "nat64_translate.h"
 
 VNET_DEFINE(int, nat64_debug) = 0;
 VNET_DEFINE(int, nat64_allow_private) = 0;
@@ -57,26 +56,8 @@ SYSCTL_DECL(_net_inet_ip_fw);
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, nat64_debug, CTLFLAG_VNET | CTLFLAG_RW,
     &VNET_NAME(nat64_debug), 0, "Debug level for NAT64 module");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, nat64_allow_private,
-    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(nat64_allow_private), 0,
+    CTLFLAG_VNET |CTLFLAG_RW, &VNET_NAME(nat64_allow_private), 0,
     "Allow use of non-global IPv4 addresses with NAT64");
-
-static int
-sysctl_direct_output(SYSCTL_HANDLER_ARGS)
-{
-	uint32_t value;
-	int error;
-
-	value = nat64_get_output_method();
-	error = sysctl_handle_32(oidp, &value, 0, req);
-	/* Read operation or some error */
-	if ((error != 0) || (req->newptr == NULL))
-		return (error);
-	nat64_set_output_method(value);
-	return (0);
-}
-SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, nat64_direct_output,
-    CTLFLAG_VNET | CTLTYPE_U32 | CTLFLAG_RW, 0, 0, sysctl_direct_output, "IU",
-    "Use if_output directly instead of deffered netisr-based processing");
 
 static int
 vnet_ipfw_nat64_init(const void *arg __unused)

Modified: stable/11/sys/netpfil/ipfw/nat64/nat64_translate.c
==============================================================================
--- stable/11/sys/netpfil/ipfw/nat64/nat64_translate.c	Sun Nov 18 00:52:27 2018	(r340543)
+++ stable/11/sys/netpfil/ipfw/nat64/nat64_translate.c	Sun Nov 18 01:04:53 2018	(r340544)
@@ -25,6 +25,8 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include "opt_ipfw.h"
+
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
@@ -69,53 +71,6 @@ __FBSDID("$FreeBSD$");
 #include "ip_fw_nat64.h"
 #include "nat64_translate.h"
 
-
-typedef int (*nat64_output_t)(struct ifnet *, struct mbuf *,
-    struct sockaddr *, struct nat64_counters *, void *);
-typedef int (*nat64_output_one_t)(struct mbuf *, struct nat64_counters *,
-    void *);
-
-static int nat64_find_route4(struct nhop4_basic *, struct sockaddr_in *,
-    struct mbuf *);
-static int nat64_find_route6(struct nhop6_basic *, struct sockaddr_in6 *,
-    struct mbuf *);
-static int nat64_output_one(struct mbuf *, struct nat64_counters *, void *);
-static int nat64_output(struct ifnet *, struct mbuf *, struct sockaddr *,
-    struct nat64_counters *, void *);
-static int nat64_direct_output_one(struct mbuf *, struct nat64_counters *,
-    void *);
-static int nat64_direct_output(struct ifnet *, struct mbuf *,
-    struct sockaddr *, struct nat64_counters *, void *);
-
-struct nat64_methods {
-	nat64_output_t		output;
-	nat64_output_one_t	output_one;
-};
-static const struct nat64_methods nat64_netisr = {
-	.output = nat64_output,
-	.output_one = nat64_output_one
-};
-static const struct nat64_methods nat64_direct = {
-	.output = nat64_direct_output,
-	.output_one = nat64_direct_output_one
-};
-VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out) = &nat64_netisr;
-#define	V_nat64out	VNET(nat64out)
-
-void
-nat64_set_output_method(int direct)
-{
-
-	V_nat64out = direct != 0 ? &nat64_direct: &nat64_netisr;
-}
-
-int
-nat64_get_output_method(void)
-{
-
-	return (V_nat64out == &nat64_direct ? 1: 0);
-}
-
 static void
 nat64_log(struct pfloghdr *logdata, struct mbuf *m, sa_family_t family)
 {
@@ -125,8 +80,14 @@ nat64_log(struct pfloghdr *logdata, struct mbuf *m, sa
 	ipfw_bpf_mtap2(logdata, PFLOG_HDRLEN, m);
 }
 
-static int
-nat64_direct_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+#ifdef IPFIREWALL_NAT64_DIRECT_OUTPUT
+static NAT64NOINLINE int nat64_find_route4(struct nhop4_basic *,
+    struct sockaddr_in *, struct mbuf *);
+static NAT64NOINLINE int nat64_find_route6(struct nhop6_basic *,
+    struct sockaddr_in6 *, struct mbuf *);
+
+static NAT64NOINLINE int
+nat64_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
     struct nat64_counters *stats, void *logdata)
 {
 	int error;
@@ -139,9 +100,8 @@ nat64_direct_output(struct ifnet *ifp, struct mbuf *m,
 	return (error);
 }
 
-static int
-nat64_direct_output_one(struct mbuf *m, struct nat64_counters *stats,
-    void *logdata)
+static NAT64NOINLINE int
+nat64_output_one(struct mbuf *m, struct nat64_counters *stats, void *logdata)
 {
 	struct nhop6_basic nh6;
 	struct nhop4_basic nh4;
@@ -193,8 +153,8 @@ nat64_direct_output_one(struct mbuf *m, struct nat64_c
 		NAT64STAT_INC(stats, oerrors);
 	return (error);
 }
-
-static int
+#else /* !IPFIREWALL_NAT64_DIRECT_OUTPUT */
+static NAT64NOINLINE int
 nat64_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
     struct nat64_counters *stats, void *logdata)
 {
@@ -225,12 +185,13 @@ nat64_output(struct ifnet *ifp, struct mbuf *m, struct
 	return (ret);
 }
 
-static int
+static NAT64NOINLINE int
 nat64_output_one(struct mbuf *m, struct nat64_counters *stats, void *logdata)
 {
 
 	return (nat64_output(NULL, m, NULL, stats, logdata));
 }
+#endif /* !IPFIREWALL_NAT64_DIRECT_OUTPUT */
 
 /*
  * Check the given IPv6 prefix and length according to RFC6052:
@@ -463,10 +424,12 @@ nat64_init_ip4hdr(const struct ip6_hdr *ip6, const str
 	ip->ip_hl = sizeof(*ip) >> 2;
 	ip->ip_tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
 	ip->ip_len = htons(sizeof(*ip) + plen);
+#ifdef IPFIREWALL_NAT64_DIRECT_OUTPUT
+	ip->ip_ttl = ip6->ip6_hlim - IPV6_HLIMDEC;
+#else
+	/* Forwarding code will decrement TTL. */
 	ip->ip_ttl = ip6->ip6_hlim;
-	/* Forwarding code will decrement TTL for netisr based output. */
-	if (V_nat64out == &nat64_direct)
-		ip->ip_ttl -= IPV6_HLIMDEC;
+#endif
 	ip->ip_sum = 0;
 	ip->ip_p = (proto == IPPROTO_ICMPV6) ? IPPROTO_ICMP: proto;
 	ip_fillid(ip);
@@ -684,7 +647,7 @@ nat64_icmp6_reflect(struct mbuf *m, uint8_t type, uint
 	icmp6->icmp6_cksum = in6_cksum(n, IPPROTO_ICMPV6,
 	    sizeof(struct ip6_hdr), plen);
 	m_freem(m);
-	V_nat64out->output_one(n, stats, logdata);
+	nat64_output_one(n, stats, logdata);
 	return;
 freeit:
 	NAT64STAT_INC(stats, dropped);
@@ -787,7 +750,7 @@ nat64_icmp_reflect(struct mbuf *m, uint8_t type,
 	icmp->icmp_cksum = in_cksum_skip(n, sizeof(struct ip) + plen,
 	    sizeof(struct ip));
 	m_freem(m);
-	V_nat64out->output_one(n, stats, logdata);
+	nat64_output_one(n, stats, logdata);
 	return;
 freeit:
 	NAT64STAT_INC(stats, dropped);
@@ -1204,10 +1167,12 @@ nat64_do_handle_ip4(struct mbuf *m, struct in6_addr *s
 
 	ip6.ip6_flow = htonl(ip->ip_tos << 20);
 	ip6.ip6_vfc |= IPV6_VERSION;
+#ifdef IPFIREWALL_NAT64_DIRECT_OUTPUT
+	ip6.ip6_hlim = ip->ip_ttl - IPTTLDEC;
+#else
+	/* Forwarding code will decrement HLIM. */
 	ip6.ip6_hlim = ip->ip_ttl;
-	/* Forwarding code will decrement TTL for netisr based output. */
-	if (V_nat64out == &nat64_direct)
-		ip6.ip6_hlim -= IPTTLDEC;
+#endif
 	ip6.ip6_plen = htons(plen);
 	ip6.ip6_nxt = (proto == IPPROTO_ICMP) ? IPPROTO_ICMPV6: proto;
 	/* Convert checksums. */
@@ -1240,7 +1205,7 @@ nat64_do_handle_ip4(struct mbuf *m, struct in6_addr *s
 	mbufq_init(&mq, 255);
 	nat64_fragment6(&cfg->stats, &ip6, &mq, m, nh.nh_mtu, ip_id, ip_off);
 	while ((m = mbufq_dequeue(&mq)) != NULL) {
-		if (V_nat64out->output(nh.nh_ifp, m, (struct sockaddr *)&dst,
+		if (nat64_output(nh.nh_ifp, m, (struct sockaddr *)&dst,
 		    &cfg->stats, logdata) != 0)
 			break;
 		NAT64STAT_INC(&cfg->stats, opcnt46);
@@ -1450,8 +1415,9 @@ nat64_handle_icmp6(struct mbuf *m, int hlen, uint32_t 
 	ip.ip_dst.s_addr = aaddr;
 	ip.ip_src.s_addr = nat64_extract_ip4(cfg, &ip6i->ip6_src);
 	/* XXX: Make fake ulp header */
-	if (V_nat64out == &nat64_direct) /* init_ip4hdr will decrement it */
-		ip6i->ip6_hlim += IPV6_HLIMDEC;
+#ifdef IPFIREWALL_NAT64_DIRECT_OUTPUT
+	ip6i->ip6_hlim += IPV6_HLIMDEC; /* init_ip4hdr will decrement it */
+#endif
 	nat64_init_ip4hdr(ip6i, ip6f, plen, proto, &ip);
 	m_adj(m, hlen - sizeof(struct ip));
 	bcopy(&ip, mtod(m, void *), sizeof(ip));
@@ -1621,7 +1587,7 @@ nat64_do_handle_ip6(struct mbuf *m, uint32_t aaddr, ui
 
 	m_adj(m, hlen - sizeof(ip));
 	bcopy(&ip, mtod(m, void *), sizeof(ip));
-	if (V_nat64out->output(nh.nh_ifp, m, (struct sockaddr *)&dst,
+	if (nat64_output(nh.nh_ifp, m, (struct sockaddr *)&dst,
 	    &cfg->stats, logdata) == 0)
 		NAT64STAT_INC(&cfg->stats, opcnt64);
 	return (NAT64RETURN);

Modified: stable/11/sys/netpfil/ipfw/nat64/nat64_translate.h
==============================================================================
--- stable/11/sys/netpfil/ipfw/nat64/nat64_translate.h	Sun Nov 18 00:52:27 2018	(r340543)
+++ stable/11/sys/netpfil/ipfw/nat64/nat64_translate.h	Sun Nov 18 01:04:53 2018	(r340544)
@@ -1,6 +1,6 @@
 /*-
- * Copyright (c) 2015-2018 Yandex LLC
- * Copyright (c) 2015-2018 Andrey V. Elsukov <ae at FreeBSD.org>
+ * Copyright (c) 2015-2016 Yandex LLC
+ * Copyright (c) 2015-2016 Andrey V. Elsukov <ae at FreeBSD.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -141,9 +141,6 @@ void nat64_embed_ip4(const struct nat64_config *cfg, i
     struct in6_addr *ip6);
 in_addr_t nat64_extract_ip4(const struct nat64_config *cfg,
     const struct in6_addr *ip6);
-
-void nat64_set_output_method(int);
-int nat64_get_output_method(void);
 
 #endif

More information about the svn-src-all mailing list