Index: sys/net/pfil.h
===================================================================
--- sys/net/pfil.h
+++ sys/net/pfil.h
@@ -36,6 +36,7 @@
 #define _NET_PFIL_H_
 #include
+#include
 enum pfil_types {
 PFIL_TYPE_IP4,
@@ -187,6 +188,18 @@
 const char *pa_headname;
 };
+typedef CK_STAILQ_HEAD(pfil_chain, pfil_link) pfil_chain_t;
+struct pfil_head {
+ int head_nhooksin;
+ int head_nhooksout;
+ pfil_chain_t head_in;
+ pfil_chain_t head_out;
+ int head_flags;
+ enum pfil_types head_type;
+ LIST_ENTRY(pfil_head) head_list;
+ const char *head_name;
+};
+
 /* Public functions for pfil head management by inspection points. */
 pfil_head_t pfil_head_register(struct pfil_head_args *);
 void pfil_head_unregister(pfil_head_t);
@@ -194,6 +207,12 @@
 /* Public functions to run the packet inspection by inspection points. */
 int pfil_run_hooks(struct pfil_head *, pfil_packet_t, struct ifnet *, int,
 struct inpcb *inp);
+int pfil_run_hooks_simple(pfil_chain_t *, pfil_packet_t, struct ifnet *, int,
+ struct inpcb *inp);
+#define pfil_run_hooks_in(head, packet, ifp, inp) \
+ pfil_run_hooks_simple(&(head)->head_in, packet, ifp, PFIL_IN, inp)
+#define pfil_run_hooks_out(head, packet, ifp, inp) \
+ pfil_run_hooks_simple(&(head)->head_out, packet, ifp, PFIL_OUT, inp)
 /*
  * Minimally exposed structure to avoid function call in case of absence
  * of any filters by protocols and macros to do the check.
Index: sys/net/pfil.c
===================================================================
--- sys/net/pfil.c
+++ sys/net/pfil.c
@@ -89,18 +89,6 @@
 struct epoch_context link_epoch_ctx;
 };
-typedef CK_STAILQ_HEAD(pfil_chain, pfil_link) pfil_chain_t;
-struct pfil_head {
- int head_nhooksin;
- int head_nhooksout;
- pfil_chain_t head_in;
- pfil_chain_t head_out;
- int head_flags;
- enum pfil_types head_type;
- LIST_ENTRY(pfil_head) head_list;
- const char *head_name;
-};
-
 LIST_HEAD(pfilheadhead, pfil_head);
 VNET_DEFINE_STATIC(struct pfilheadhead, pfil_head_list) =
 LIST_HEAD_INITIALIZER(pfil_head_list);
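Review bot: Moving `struct pfil_head` out of pfil.c into the public header turns every member offset into part of the interface for all consumers of pfil.h, while the new `pfil_run_hooks_in`/`pfil_run_hooks_out` macros in the following hunk only need `head_in` and `head_out`. The definition should carry a comment stating that intent so the other members do not acquire outside users, e.g. `/* Exposed only so pfil_run_hooks_in()/_out() can reach head_in/head_out; the remaining members are private to pfil.c. */`. `pfil_head_t` is used by the prototypes just below, but its typedef is outside the hunk, so whether any other code already depends on the layout cannot be told from here.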
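Review bot: The `pfil_run_hooks_in`/`pfil_run_hooks_out` macros parenthesize `head` but not `packet`, `ifp` or `inp`, which is inconsistent within the same line and leaves those arguments open to the usual expansion surprises; `pfil_run_hooks_simple(&(head)->head_in, (packet), (ifp), PFIL_IN, (inp))` and the matching `_out` line close that. The new `pfil_run_hooks_simple` prototype also has no comment, and since its body in the pfil.c hunk asserts the net epoch, the header is the place to say so: `/* Run one hook chain; caller must be inside the net epoch. */`. Because the simple variant takes a chain rather than a head, nothing in the signature stops a caller from pairing `head_in` with `PFIL_OUT`, so the comment should name the `_in`/`_out` macros as the intended entry points.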
@@ -198,6 +186,24 @@
 return (rv);
 }
+int
+pfil_run_hooks_simple(pfil_chain_t *pch, pfil_packet_t p, struct ifnet *ifp,
+ int flags, struct inpcb *inp)
+{
+ struct pfil_link *link;
+ pfil_return_t rv;
+
+ NET_EPOCH_ASSERT();
+
+ rv = PFIL_PASS;
+ CK_STAILQ_FOREACH(link, pch, link_chain) {
+ rv = (*link->link_func)(p, ifp, flags, link->link_ruleset, inp);
+ if (rv == PFIL_DROPPED || rv == PFIL_CONSUMED)
+ break;
+ }
+ return (rv);
+}
+
 /*
  * pfil_head_register() registers a pfil_head with the packet filter hook
  * mechanism.
Index: sys/netinet/ip_fastfwd.c
===================================================================
--- sys/netinet/ip_fastfwd.c
+++ sys/netinet/ip_fastfwd.c
@@ -318,7 +318,7 @@
 if (!PFIL_HOOKED_IN(V_inet_pfil_head))
 goto passin;
- if (pfil_run_hooks(V_inet_pfil_head, &m, m->m_pkthdr.rcvif, PFIL_IN,
+ if (pfil_run_hooks_in(V_inet_pfil_head, &m, m->m_pkthdr.rcvif,
 NULL) != PFIL_PASS)
 goto drop;
@@ -410,8 +410,8 @@
 if (!PFIL_HOOKED_OUT(V_inet_pfil_head))
 goto passout;
- if (pfil_run_hooks(V_inet_pfil_head, &m, nh->nh_ifp,
- PFIL_OUT, NULL) != PFIL_PASS)
+ if (pfil_run_hooks_out(V_inet_pfil_head, &m, nh->nh_ifp,
+ NULL) != PFIL_PASS)
 goto drop;
 M_ASSERTVALID(m);
Index: sys/netinet/ip_input.c
===================================================================
--- sys/netinet/ip_input.c
+++ sys/netinet/ip_input.c
@@ -615,7 +615,7 @@
 goto passin;
 odst = ip->ip_dst;
- if (pfil_run_hooks(V_inet_pfil_head, &m, ifp, PFIL_IN, NULL) !=
+ if (pfil_run_hooks_in(V_inet_pfil_head, &m, ifp, NULL) !=
 PFIL_PASS)
 return;
 if (m == NULL) /* consumed by filter */
Index: sys/netinet6/ip6_fastfwd.c
===================================================================
--- sys/netinet6/ip6_fastfwd.c
+++ sys/netinet6/ip6_fastfwd.c
@@ -164,7 +164,7 @@
 */
 if (!PFIL_HOOKED_IN(V_inet6_pfil_head))
 goto passin;
- if (pfil_run_hooks(V_inet6_pfil_head, &m, rcvif, PFIL_IN, NULL) !=
+ if (pfil_run_hooks_in(V_inet6_pfil_head, &m, rcvif, NULL) !=
 PFIL_PASS)
 goto dropin;
 /*
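Review bot: `pfil_run_hooks_simple` is added as an exported function without a header comment, while `pfil_head_register` immediately below it is documented in a comment block; a comment should state the contract the code shows: the chain is walked under the net epoch (`NET_EPOCH_ASSERT`), the loop stops at the first hook returning `PFIL_DROPPED` or `PFIL_CONSUMED` and returns that status, and otherwise the last hook's status is returned, `PFIL_PASS` for an empty chain. The ip_input.c hunk shows callers then test `m == NULL` for a consumed packet, which belongs in that contract. The function ending at the top of this hunk (presumably `pfil_run_hooks`) is outside it, so whether it performs checks that this loop omits, and hence which callers may switch to the simple variant, cannot be told from here and should be stated in the comment.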
@@ -214,7 +214,7 @@
 /*
  * Outgoing packet firewall processing.
  */
- if (pfil_run_hooks(V_inet6_pfil_head, &m, nh->nh_ifp, PFIL_OUT,
+ if (pfil_run_hooks_out(V_inet6_pfil_head, &m, nh->nh_ifp,
 NULL) != PFIL_PASS)
 goto dropout;
Index: sys/netinet6/ip6_forward.c
===================================================================
--- sys/netinet6/ip6_forward.c
+++ sys/netinet6/ip6_forward.c
@@ -313,7 +313,7 @@
 odst = ip6->ip6_dst;
 /* Run through list of hooks for forwarded packets. */
- if (pfil_run_hooks(V_inet6_pfil_head, &m, nh->nh_ifp, PFIL_OUT,
+ if (pfil_run_hooks_out(V_inet6_pfil_head, &m, nh->nh_ifp,
 NULL) != PFIL_PASS)
 goto freecopy;
 ip6 = mtod(m, struct ip6_hdr *);
Index: sys/netinet6/ip6_input.c
===================================================================
--- sys/netinet6/ip6_input.c
+++ sys/netinet6/ip6_input.c
@@ -737,7 +737,7 @@
 goto passin;
 odst = ip6->ip6_dst;
- if (pfil_run_hooks(V_inet6_pfil_head, &m, m->m_pkthdr.rcvif, PFIL_IN,
+ if (pfil_run_hooks_in(V_inet6_pfil_head, &m, m->m_pkthdr.rcvif,
 NULL) != PFIL_PASS)
 return;
 ip6 = mtod(m, struct ip6_hdr *);
Index: sys/netinet6/ip6_output.c
===================================================================
--- sys/netinet6/ip6_output.c
+++ sys/netinet6/ip6_output.c
@@ -1014,7 +1014,7 @@
 odst = ip6->ip6_dst;
 /* Run through list of hooks for output packets. */
- switch (pfil_run_hooks(V_inet6_pfil_head, &m, ifp, PFIL_OUT, inp)) {
+ switch (pfil_run_hooks_out(V_inet6_pfil_head, &m, ifp, inp)) {
 case PFIL_PASS:
 ip6 = mtod(m, struct ip6_hdr *);
 break;