diff --git a/sys/dev/qlxge/qls_hw.c b/sys/dev/qlxge/qls_hw.c --- a/sys/dev/qlxge/qls_hw.c +++ b/sys/dev/qlxge/qls_hw.c @@ -527,11 +527,13 @@ { #if defined(INET) || defined(INET6) struct ether_vlan_header *eh; +#if defined(INET) struct ip *ip; + struct tcphdr *th; +#endif #if defined(INET6) struct ip6_hdr *ip6; #endif - struct tcphdr *th; uint32_t ehdrlen, ip_hlen; int ret = 0; uint16_t etype; diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -898,7 +898,7 @@ struct pf_threshold conn_rate; u_int32_t creation; u_int32_t expire; - sa_family_t af; + ip_af_t af; u_int8_t ruletype; struct mtx *lock; }; @@ -942,18 +942,19 @@ u_int8_t pad[1]; }; +#ifdef _KERNEL /* Keep synced with struct pf_udp_endpoint. */ struct pf_udp_endpoint_cmp { struct pf_addr addr; uint16_t port; - sa_family_t af; + ip_af_t af; uint8_t pad[1]; }; struct pf_udp_endpoint { struct pf_addr addr; uint16_t port; - sa_family_t af; + ip_af_t af; uint8_t pad[1]; struct pf_udp_mapping *mapping; @@ -969,7 +970,7 @@ struct pf_state_key_cmp { struct pf_addr addr[2]; u_int16_t port[2]; - sa_family_t af; + ip_af_t af; u_int8_t proto; u_int8_t pad[2]; }; @@ -977,13 +978,14 @@ struct pf_state_key { struct pf_addr addr[2]; u_int16_t port[2]; - sa_family_t af; + ip_af_t af; u_int8_t proto; u_int8_t pad[2]; LIST_ENTRY(pf_state_key) entry; TAILQ_HEAD(, pf_kstate) states[2]; }; +#endif /* Keep synced with struct pf_kstate. */ struct pf_state_cmp { @@ -1228,7 +1230,7 @@ typedef int pfsync_defer_t(struct pf_kstate *, struct mbuf *); typedef void pfsync_detach_ifnet_t(struct ifnet *); typedef void pflow_export_state_t(const struct pf_kstate *); -typedef bool pf_addr_filter_func_t(const sa_family_t, const struct pf_addr *); +typedef bool pf_addr_filter_func_t(const ip_af_t, const struct pf_addr *); VNET_DECLARE(pfsync_state_import_t *, pfsync_state_import_ptr); #define V_pfsync_state_import_ptr VNET(pfsync_state_import_ptr) 
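Review bot: Nothing in the `pf_udp_endpoint_cmp` / `pf_udp_endpoint` hunk pins the size of `ip_af_t`, yet both structs carry hand-counted `pad[1]` bytes and a "Keep synced" comment, so their layout depends on the new type being exactly as wide as `sa_family_t`. The definition of `ip_af_t` is not part of the visible diff; if it is an enum rather than a one-byte typedef, the padding changes, and so does any byte-wise comparison or hashing of the `_cmp` prefix. I would add `_Static_assert(sizeof(ip_af_t) == sizeof(sa_family_t), "ip_af_t must not change pf struct layout");` next to these structs; the same applies to `pf_state_key_cmp` / `pf_state_key` in the following hunk. The new `#ifdef _KERNEL` also hides these four structs from userland builds, which deserves a line in the commit message if it is intentional.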
@@ -1619,7 +1621,7 @@ * state code. Easier than tags */ #define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ #define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */ - sa_family_t af; + ip_af_t af; u_int8_t proto; u_int8_t tos; u_int8_t dir; /* direction */ @@ -2324,7 +2326,7 @@ u_int); extern struct pf_udp_mapping *pf_udp_mapping_find(struct pf_udp_endpoint_cmp *endpoint); -extern struct pf_udp_mapping *pf_udp_mapping_create(sa_family_t af, +extern struct pf_udp_mapping *pf_udp_mapping_create(ip_af_t af, struct pf_addr *src_addr, uint16_t src_port, struct pf_addr *nat_addr, uint16_t nat_port); extern int pf_udp_mapping_insert(struct pf_udp_mapping @@ -2332,7 +2334,7 @@ extern void pf_udp_mapping_release(struct pf_udp_mapping *mapping); extern struct pf_ksrc_node *pf_find_src_node(struct pf_addr *, - struct pf_krule *, sa_family_t, + struct pf_krule *, ip_af_t, struct pf_srchash **, bool); extern void pf_unlink_src_node(struct pf_ksrc_node *); extern u_int pf_free_src_nodes(struct pf_ksrc_node_list *); @@ -2350,9 +2352,9 @@ VNET_DECLARE(struct pf_krule, pf_default_rule); #define V_pf_default_rule VNET(pf_default_rule) extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, - sa_family_t); + ip_af_t); void pf_free_rule(struct pf_krule *); -int pf_setup_pdesc(sa_family_t, int, +int pf_setup_pdesc(ip_af_t, int, struct pf_pdesc *, struct mbuf *, u_short *, u_short *, struct pfi_kkif *, struct pf_krule **, struct pf_krule **, @@ -2362,7 +2364,7 @@ int pf_test_eth(int, int, struct ifnet *, struct mbuf **, struct inpcb *); int pf_scan_sctp(struct mbuf *, int, struct pf_pdesc *, struct pfi_kkif *); #if defined(INET) || defined(INET6) -int pf_test(sa_family_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *, +int pf_test(ip_af_t, int, int, struct ifnet *, struct mbuf **, struct inpcb *, struct pf_rule_actions *); #endif #ifdef INET 
@@ -2374,8 +2376,8 @@ int pf_normalize_ip6(struct mbuf **, struct pfi_kkif *, u_short *, struct pf_pdesc *); void pf_poolmask(struct pf_addr *, struct pf_addr*, - struct pf_addr *, struct pf_addr *, sa_family_t); -void pf_addr_inc(struct pf_addr *, sa_family_t); + struct pf_addr *, struct pf_addr *, ip_af_t); +void pf_addr_inc(struct pf_addr *, ip_af_t); int pf_max_frag_size(struct mbuf *); int pf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *, bool); #endif /* INET6 */ @@ -2387,7 +2389,7 @@ u_int32_t pf_new_isn(struct pf_kstate *); void *pf_pull_hdr(const struct mbuf *, int, void *, int, u_short *, u_short *, - sa_family_t); + ip_af_t); void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); void pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t, u_int8_t); @@ -2398,9 +2400,9 @@ bool, u_int8_t); void pf_send_deferred_syn(struct pf_kstate *); int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, - struct pf_addr *, sa_family_t); + struct pf_addr *, ip_af_t); int pf_match_addr_range(struct pf_addr *, struct pf_addr *, - struct pf_addr *, sa_family_t); + struct pf_addr *, ip_af_t); int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); void pf_normalize_init(void); 
@@ -2421,16 +2423,16 @@ pf_state_expires(const struct pf_kstate *); void pf_purge_expired_fragments(void); void pf_purge_fragments(uint32_t); -int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *, +int pf_routable(struct pf_addr *addr, ip_af_t af, struct pfi_kkif *, int); int pf_socket_lookup(struct pf_pdesc *, struct mbuf *); struct pf_state_key *pf_alloc_state_key(int); void pfr_initialize(void); void pfr_cleanup(void); -int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); -void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, +int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, ip_af_t); +void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, ip_af_t, u_int64_t, int, int, int); -int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, sa_family_t, +int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, ip_af_t, pf_addr_filter_func_t); void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *); struct pfr_ktable * @@ -2481,8 +2483,8 @@ int pfi_kkif_match(struct pfi_kkif *, struct pfi_kkif *); void pfi_kkif_purge(void); int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, - sa_family_t); -int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); + ip_af_t); +int pfi_dynaddr_setup(struct pf_addr_wrap *, ip_af_t); void pfi_dynaddr_remove(struct pfi_dynaddr *); void pfi_dynaddr_copyout(struct pf_addr_wrap *); void pfi_update_status(const char *, struct pf_status *); 
@@ -2493,16 +2495,16 @@ int pf_match_tag(struct mbuf *, struct pf_krule *, int *, int); int pf_tag_packet(struct mbuf *, struct pf_pdesc *, int); int pf_addr_cmp(struct pf_addr *, struct pf_addr *, - sa_family_t); + ip_af_t); -u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, sa_family_t); -u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); -struct mbuf *pf_build_tcp(const struct pf_krule *, sa_family_t, +u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, ip_af_t); +u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, ip_af_t); +struct mbuf *pf_build_tcp(const struct pf_krule *, ip_af_t, const struct pf_addr *, const struct pf_addr *, u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int8_t, u_int16_t, u_int16_t, u_int8_t, bool, u_int16_t, u_int16_t, int); -void pf_send_tcp(const struct pf_krule *, sa_family_t, +void pf_send_tcp(const struct pf_krule *, ip_af_t, const struct pf_addr *, const struct pf_addr *, u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int8_t, u_int16_t, u_int16_t, u_int8_t, bool, @@ -2606,7 +2608,7 @@ int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t); #ifdef _KERNEL -void pf_print_host(struct pf_addr *, u_int16_t, sa_family_t); +void pf_print_host(struct pf_addr *, u_int16_t, ip_af_t); void pf_step_into_anchor(struct pf_kanchor_stackframe *, int *, struct pf_kruleset **, int, struct pf_krule **, diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -187,7 +187,7 @@ struct pf_sctp_endpoint; RB_HEAD(pf_sctp_endpoints, pf_sctp_endpoint); struct pf_sctp_source { - sa_family_t af; + ip_af_t af; struct pf_addr addr; TAILQ_ENTRY(pf_sctp_source) entry; }; @@ -247,7 +247,7 @@ struct pf_overload_entry { SLIST_ENTRY(pf_overload_entry) next; struct pf_addr addr; - sa_family_t af; + ip_af_t af; uint8_t dir; struct pf_krule *rule; }; 
@@ -293,7 +293,7 @@ static void pf_change_ap(struct mbuf *, struct pf_addr *, u_int16_t *, u_int16_t *, u_int16_t *, struct pf_addr *, - u_int16_t, u_int8_t, sa_family_t); + u_int16_t, u_int8_t, ip_af_t); static int pf_modulate_sack(struct mbuf *, int, struct pf_pdesc *, struct tcphdr *, struct pf_state_peer *); int pf_icmp_mapping(struct pf_pdesc *, u_int8_t, int *, @@ -301,9 +301,9 @@ static void pf_change_icmp(struct pf_addr *, u_int16_t *, struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t *, u_int16_t *, u_int16_t *, - u_int16_t *, u_int8_t, sa_family_t); + u_int16_t *, u_int8_t, ip_af_t); static void pf_send_icmp(struct mbuf *, u_int8_t, u_int8_t, - sa_family_t, struct pf_krule *, int); + ip_af_t, struct pf_krule *, int); static void pf_detach_state(struct pf_kstate *); static int pf_state_key_attach(struct pf_state_key *, struct pf_state_key *, struct pf_kstate *); @@ -362,10 +362,10 @@ struct pf_pdesc *, u_short *); static int pf_test_state_other(struct pf_kstate **, struct pfi_kkif *, struct mbuf *, struct pf_pdesc *); -static u_int16_t pf_calc_mss(struct pf_addr *, sa_family_t, +static u_int16_t pf_calc_mss(struct pf_addr *, ip_af_t, int, u_int16_t); static int pf_check_proto_cksum(struct mbuf *, int, int, - u_int8_t, sa_family_t); + u_int8_t, ip_af_t); static void pf_print_state_parts(struct pf_kstate *, struct pf_state_key *, struct pf_state_key *); static void pf_patch_8(struct mbuf *, u_int16_t *, u_int8_t *, u_int8_t, @@ -380,7 +380,7 @@ struct pf_krule *); static void pf_overload_task(void *v, int pending); static u_short pf_insert_src_node(struct pf_ksrc_node **, - struct pf_krule *, struct pf_addr *, sa_family_t); + struct pf_krule *, struct pf_addr *, ip_af_t); static u_int pf_purge_expired_states(u_int, int); static void pf_purge_unlinked_rules(void); static int pf_mtag_uminit(void *, int, int); 
@@ -545,7 +545,7 @@ } int -pf_addr_cmp(struct pf_addr *a, struct pf_addr *b, sa_family_t af) +pf_addr_cmp(struct pf_addr *a, struct pf_addr *b, ip_af_t af) { switch (af) { @@ -577,22 +577,22 @@ return (-1); break; #endif /* INET6 */ - default: - panic("%s: unknown address family %u", __func__, af); } return (0); } static bool -pf_is_loopback(sa_family_t af, struct pf_addr *addr) +pf_is_loopback(ip_af_t af, struct pf_addr *addr) { switch (af) { +#ifdef INET case AF_INET: return IN_LOOPBACK(ntohl(addr->v4.s_addr)); +#endif +#ifdef INET6 case AF_INET6: return IN6_IS_ADDR_LOOPBACK(&addr->v6); - default: - panic("Unknown af %d", af); +#endif } } @@ -664,26 +664,34 @@ default: if (PF_ANEQ(pd->src, &nk->addr[pd->sidx], pd->af)) { switch (pd->af) { +#ifdef INET case AF_INET: pf_change_a(&pd->src->v4.s_addr, pd->ip_sum, nk->addr[pd->sidx].v4.s_addr, 0); break; +#endif +#ifdef INET6 case AF_INET6: PF_ACPY(pd->src, &nk->addr[pd->sidx], pd->af); break; +#endif } } if (PF_ANEQ(pd->dst, &nk->addr[pd->didx], pd->af)) { switch (pd->af) { +#ifdef INET case AF_INET: pf_change_a(&pd->dst->v4.s_addr, pd->ip_sum, nk->addr[pd->didx].v4.s_addr, 0); break; +#endif +#ifdef INET6 case AF_INET6: PF_ACPY(pd->dst, &nk->addr[pd->didx], pd->af); break; +#endif } } break; @@ -703,21 +711,23 @@ } static __inline uint32_t -pf_hashsrc(struct pf_addr *addr, sa_family_t af) +pf_hashsrc(struct pf_addr *addr, ip_af_t af) { uint32_t h; switch (af) { +#ifdef INET case AF_INET: h = murmur3_32_hash32((uint32_t *)&addr->v4, sizeof(addr->v4)/sizeof(uint32_t), V_pf_hashseed); break; +#endif +#ifdef INET6 case AF_INET6: h = murmur3_32_hash32((uint32_t *)&addr->v6, sizeof(addr->v6)/sizeof(uint32_t), V_pf_hashseed); break; - default: - panic("%s: unknown address family %u", __func__, af); +#endif } return (h & V_pf_srchashmask); 
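Review bot: With the `default: panic()` removed, `pf_is_loopback()` has no `return` after its `switch`, so an `af` that matches no compiled-in case falls off the end of a `bool` function and the caller reads an indeterminate value. Adding `return (false);` after the closing brace of the switch keeps the function well-defined without reintroducing a `default:` label, which would hide a missing-case warning if `ip_af_t` is an enum. In the same hunk `pf_addr_cmp()` now returns 0, i.e. "equal", for an unmatched family instead of panicking, which is the permissive answer for an address comparison. `pfi_match_addr()` in pf_if.c loses its `default: return (0);` and, as far as its hunk shows, ends the same way as `pf_is_loopback()`.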
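Review bot: `pf_hashsrc()` now reads `h` uninitialised in `return (h & V_pf_srchashmask);` whenever `af` matches neither guarded case, because the removed `default:` was the only thing that stopped execution from leaving the switch with `h` unset. The mask keeps the index in range, but the row chosen becomes unpredictable, so a lookup and an insert for the same source could land in different rows. Declaring `uint32_t h = 0;` is enough to make the result deterministic. `pf_build_tcp()` has the same shape once its `default: panic()` is dropped: `len` is assigned inside the switch and used after it, unless it is initialised at its declaration, which that hunk does not show.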
@@ -770,7 +780,7 @@ #ifdef INET6 void -pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, sa_family_t af) +pf_addrcpy(struct pf_addr *dst, struct pf_addr *src, ip_af_t af) { switch (af) { #ifdef INET @@ -969,7 +979,7 @@ * allocate and insert a new one. */ struct pf_ksrc_node * -pf_find_src_node(struct pf_addr *src, struct pf_krule *rule, sa_family_t af, +pf_find_src_node(struct pf_addr *src, struct pf_krule *rule, ip_af_t af, struct pf_srchash **sh, bool returnlocked) { struct pf_ksrc_node *n; @@ -1006,7 +1016,7 @@ static u_short pf_insert_src_node(struct pf_ksrc_node **sn, struct pf_krule *rule, - struct pf_addr *src, sa_family_t af) + struct pf_addr *src, ip_af_t af) { u_short reason = 0; struct pf_srchash *sh = NULL; @@ -1882,7 +1892,7 @@ } struct pf_udp_mapping * -pf_udp_mapping_create(sa_family_t af, struct pf_addr *src_addr, uint16_t src_port, +pf_udp_mapping_create(ip_af_t af, struct pf_addr *src_addr, uint16_t src_port, struct pf_addr *nat_addr, uint16_t nat_port) { struct pf_udp_mapping *mapping; @@ -2011,7 +2021,7 @@ } static bool -pf_isforlocal(struct mbuf *m, int af) +pf_isforlocal(struct mbuf *m, ip_af_t af) { switch (af) { #ifdef INET @@ -2032,8 +2042,6 @@ return (! (ia->ia6_flags & IN6_IFF_NOTREADY)); } #endif - default: - panic("Unsupported af %d", af); } return (false); @@ -2759,7 +2767,7 @@ } void -pf_print_host(struct pf_addr *addr, u_int16_t p, sa_family_t af) +pf_print_host(struct pf_addr *addr, u_int16_t p, ip_af_t af) { switch (af) { #ifdef INET @@ -3095,7 +3103,7 @@ static void pf_change_ap(struct mbuf *m, struct pf_addr *a, u_int16_t *p, u_int16_t *ic, u_int16_t *pc, struct pf_addr *an, u_int16_t pn, u_int8_t u, - sa_family_t af) + ip_af_t af) { struct pf_addr ao; u_int16_t po = *p; 
@@ -3201,7 +3209,7 @@ static void pf_change_icmp(struct pf_addr *ia, u_int16_t *ip, struct pf_addr *oa, struct pf_addr *na, u_int16_t np, u_int16_t *pc, u_int16_t *h2c, - u_int16_t *ic, u_int16_t *hc, u_int8_t u, sa_family_t af) + u_int16_t *ic, u_int16_t *hc, u_int8_t u, ip_af_t af) { struct pf_addr oia, ooa; @@ -3349,7 +3357,7 @@ } struct mbuf * -pf_build_tcp(const struct pf_krule *r, sa_family_t af, +pf_build_tcp(const struct pf_krule *r, ip_af_t af, const struct pf_addr *saddr, const struct pf_addr *daddr, u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, u_int8_t tcp_flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, @@ -3386,8 +3394,6 @@ len = sizeof(struct ip6_hdr) + tlen; break; #endif /* INET6 */ - default: - panic("%s: unsupported af %d", __func__, af); } m = m_gethdr(M_NOWAIT, MT_DATA); @@ -3501,7 +3507,7 @@ } static void -pf_send_sctp_abort(sa_family_t af, struct pf_pdesc *pd, +pf_send_sctp_abort(ip_af_t af, struct pf_pdesc *pd, uint8_t ttl, int rtableid) { struct mbuf *m; @@ -3615,7 +3621,7 @@ } void -pf_send_tcp(const struct pf_krule *r, sa_family_t af, +pf_send_tcp(const struct pf_krule *r, ip_af_t af, const struct pf_addr *saddr, const struct pf_addr *daddr, u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, u_int8_t tcp_flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, @@ -3661,7 +3667,7 @@ { struct pf_addr * const saddr = pd->src; struct pf_addr * const daddr = pd->dst; - sa_family_t af = pd->af; + ip_af_t af = pd->af; /* undo NAT changes, if they have taken place */ if (nr != NULL) { @@ -3765,7 +3771,7 @@ } static void -pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, +pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, ip_af_t af, struct pf_krule *r, int rtableid) { struct pf_send_entry *pfse; @@ -3839,7 +3845,7 @@ */ int pf_match_addr(u_int8_t n, struct pf_addr *a, struct pf_addr *m, - struct pf_addr *b, sa_family_t af) + struct pf_addr *b, ip_af_t af) { int match = 0; 
@@ -3875,7 +3881,7 @@ */ int pf_match_addr_range(struct pf_addr *b, struct pf_addr *e, - struct pf_addr *a, sa_family_t af) + struct pf_addr *a, ip_af_t af) { switch (af) { #ifdef INET @@ -4218,7 +4224,7 @@ #ifdef INET6 void pf_poolmask(struct pf_addr *naddr, struct pf_addr *raddr, - struct pf_addr *rmask, struct pf_addr *saddr, sa_family_t af) + struct pf_addr *rmask, struct pf_addr *saddr, ip_af_t af) { switch (af) { #ifdef INET @@ -4241,7 +4247,7 @@ } void -pf_addr_inc(struct pf_addr *addr, sa_family_t af) +pf_addr_inc(struct pf_addr *addr, ip_af_t af) { switch (af) { #ifdef INET @@ -4382,9 +4388,6 @@ } break; #endif /* INET6 */ - - default: - return (-1); } INP_RLOCK_ASSERT(inp); pd->lookup.uid = inp->inp_cred->cr_uid; @@ -4395,7 +4398,7 @@ } u_int8_t -pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) +pf_get_wscale(struct mbuf *m, int off, u_int16_t th_off, ip_af_t af) { int hlen; u_int8_t hdr[60]; @@ -4435,7 +4438,7 @@ } u_int16_t -pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, sa_family_t af) +pf_get_mss(struct mbuf *m, int off, u_int16_t th_off, ip_af_t af) { int hlen; u_int8_t hdr[60]; @@ -4473,7 +4476,7 @@ } static u_int16_t -pf_calc_mss(struct pf_addr *addr, sa_family_t af, int rtableid, u_int16_t offer) +pf_calc_mss(struct pf_addr *addr, ip_af_t af, int rtableid, u_int16_t offer) { struct nhop_object *nh; #ifdef INET6 @@ -4885,7 +4888,7 @@ struct pf_krule *nr = NULL; struct pf_addr * const saddr = pd->src; struct pf_addr * const daddr = pd->dst; - sa_family_t af = pd->af; + ip_af_t af = pd->af; struct pf_krule *r, *a = NULL; struct pf_kruleset *ruleset = NULL; struct pf_krule_slist match_rules; @@ -5604,7 +5607,7 @@ struct pf_kruleset *ruleset = NULL; struct pf_krule_slist match_rules; struct pf_krule_item *ri; - sa_family_t af = pd->af; + ip_af_t af = pd->af; u_short reason; int tag = -1; int asd = 0; 
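Review bot: Dropping `default: return (-1);` from the switch in the `@@ -4382,9 +4388,6 @@` hunk means an unmatched `af` now reaches `INP_RLOCK_ASSERT(inp)` and `inp->inp_cred->cr_uid` without any lookup having run. Whether `inp` is NULL or indeterminate at that point depends on its declaration, which is outside the hunk, but either way the old code failed the lookup cleanly and the new code dereferences the pointer. Assuming `inp` starts out NULL, a guard after the switch such as `if (inp == NULL) return (-1);` preserves the fail-safe result. The enclosing function begins and ends outside this hunk.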
@@ -7704,7 +7707,7 @@ */ void * pf_pull_hdr(const struct mbuf *m, int off, void *p, int len, - u_short *actionp, u_short *reasonp, sa_family_t af) + u_short *actionp, u_short *reasonp, ip_af_t af) { switch (af) { #ifdef INET @@ -7750,7 +7753,7 @@ } int -pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *kif, +pf_routable(struct pf_addr *addr, ip_af_t af, struct pfi_kkif *kif, int rtableid) { struct ifnet *ifp; @@ -8249,7 +8252,7 @@ * Also, set csum_data to 0xffff to force cksum validation. */ static int -pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, sa_family_t af) +pf_check_proto_cksum(struct mbuf *m, int off, int len, u_int8_t p, ip_af_t af) { u_int16_t sum = 0; int hw_assist = 0; @@ -8300,6 +8303,7 @@ if (!hw_assist) { switch (af) { +#ifdef INET case AF_INET: if (p == IPPROTO_ICMP) { if (m->m_len < off) @@ -8315,6 +8319,7 @@ sum = in4_cksum(m, p, off, len); } break; +#endif #ifdef INET6 case AF_INET6: if (m->m_len < sizeof(struct ip6_hdr)) @@ -8322,8 +8327,6 @@ sum = in6_cksum(m, p, off, len); break; #endif /* INET6 */ - default: - return (1); } } if (sum) { @@ -8410,20 +8413,21 @@ dnflow->f_id.proto = pd->proto; dnflow->f_id.extra = dnflow->rule.info; switch (pd->af) { +#ifdef INET case AF_INET: dnflow->f_id.addr_type = 4; dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr); dnflow->f_id.dst_ip = ntohl(pd->dst->v4.s_addr); break; +#endif +#ifdef INET6 case AF_INET6: dnflow->flags |= IPFW_ARGS_IP6; dnflow->f_id.addr_type = 6; dnflow->f_id.src_ip6 = pd->src->v6; dnflow->f_id.dst_ip6 = pd->dst->v6; break; - default: - panic("Invalid AF"); - break; +#endif } return (true); 
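Review bot: Removing `default: return (1);` turns `pf_check_proto_cksum()` from fail-closed into fail-open for an unmatched family: `sum` is initialised to 0 at the top of the function, no case runs, and the `if (sum)` failure branch is skipped, so as far as the hunks show the packet is treated as having a valid checksum. The new `#ifdef INET` around `case AF_INET` widens this, because on a kernel built without INET that family now takes the same no-op path instead of being verified. I would keep a rejecting path for the unmatched case, for example by recording in a local flag that a case actually computed the checksum and returning 1 after the switch when none did. A one-line comment stating that an unverified packet must never be reported as valid would make the intent explicit.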
@@ -8556,7 +8560,7 @@ } int -pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, +pf_setup_pdesc(ip_af_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, u_short *action, u_short *reason, struct pfi_kkif *kif, struct pf_krule **a, struct pf_krule **r, struct pf_kruleset **ruleset, int *off, int *hdrlen, struct pf_rule_actions *default_actions) @@ -8697,8 +8701,6 @@ break; } #endif - default: - panic("pf_setup_pdesc called with illegal af %u", af); } switch (pd->proto) { @@ -8889,14 +8891,18 @@ #if defined(INET) || defined(INET6) int -pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, +pf_test(ip_af_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp, struct pf_rule_actions *default_actions) { struct pfi_kkif *kif; u_short action, reason = 0; struct mbuf *m = *m0; +#ifdef INET struct ip *h = NULL; +#endif +#ifdef INET6 struct ip6_hdr *h6 = NULL; +#endif struct m_tag *mtag; struct pf_krule *a = NULL, *r = &V_pf_default_rule; struct pf_kstate *s = NULL; @@ -8909,6 +8915,13 @@ PF_RULES_RLOCK_TRACKER; KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); +#if defined(INET) && defined(INET6) + KASSERT(af == AF_INET || af == AF_INET6, ("Unsupported af %d", af)); +#elif defined(INET) + KASSERT(af == AF_INET, ("Unsupported af %d", af)); +#elif defined(INET6) + KASSERT(af == AF_INET6, ("Unsupported af %d", af)); +#endif M_ASSERTPKTHDR(m); if (!V_pf_status.running) @@ -8997,8 +9010,6 @@ ttl = h6->ip6_hlim; break; #endif - default: - panic("Unknown af %d", af); } if (pf_setup_pdesc(af, dir, &pd, m, &action, &reason, kif, &a, &r, @@ -9085,8 +9096,6 @@ } break; #endif - default: - panic("Unknown af %d", af); } switch (pd.proto) { 
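Review bot: The `KASSERT` on `af` added to `pf_test()` exists only in INVARIANTS kernels, while the `default: panic("Unknown af %d", af)` branches this commit removes from `pf_test()` (and the one in `pf_setup_pdesc()`) were active in every build. In a production kernel an unexpected family would now run past the header-parsing switches with `h` and `h6` still NULL and `ttl` not assigned by the switch. If the intent is that the type makes this impossible, a one-line comment above the `KASSERT` naming where `af` is validated would help. Otherwise an unconditional early check is cheap, e.g. `if (__predict_false(af != AF_INET && af != AF_INET6)) return (PF_DROP);`, subject to how callers expect the mbuf to be handled on that path.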
@@ -9294,10 +9303,18 @@ else pd.pf_mtag->qid = pd.act.qid; /* Add hints for ecn. */ - if (af == AF_INET) + switch (af) { +#ifdef INET + case AF_INET: pd.pf_mtag->hdr = h; - else + break; +#endif +#ifdef INET6 + case AF_INET6: pd.pf_mtag->hdr = h6; + break; +#endif + } } } #endif /* ALTQ */ @@ -9314,6 +9331,7 @@ pf_is_loopback(af, pd.dst)) m->m_flags |= M_SKIP_FIREWALL; +#ifdef INET if (af == AF_INET && __predict_false(ip_divert_ptr != NULL) && action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) { mtag = m_tag_alloc(MTAG_PF_DIVERT, 0, @@ -9356,9 +9374,12 @@ ("pf: failed to allocate divert tag\n")); } } +#endif +#ifdef INET6 /* XXX: Anybody working on it?! */ if (af == AF_INET6 && r->divert.port) printf("pf: divert(9) is not supported for IPv6\n"); +#endif /* this flag will need revising if the pkt is forwarded */ if (pd.pf_mtag) @@ -9413,8 +9434,6 @@ pf_route6(m0, r, kif->pfik_ifp, s, &pd, inp); break; #endif - default: - panic("Unknown af %d", af); } goto out; } diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c --- a/sys/netpfil/pf/pf_if.c +++ b/sys/netpfil/pf/pf_if.c @@ -465,7 +465,7 @@ } int -pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, sa_family_t af) +pfi_match_addr(struct pfi_dynaddr *dyn, struct pf_addr *a, ip_af_t af) { switch (af) { #ifdef INET @@ -494,13 +494,11 @@ } break; #endif /* INET6 */ - default: - return (0); } } int -pfi_dynaddr_setup(struct pf_addr_wrap *aw, sa_family_t af) +pfi_dynaddr_setup(struct pf_addr_wrap *aw, ip_af_t af) { struct epoch_tracker et; struct pfi_dynaddr *dyn; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -128,7 +128,7 @@ static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *); static int pf_commit_rules(u_int32_t, int, char *); static int pf_addr_setup(struct pf_kruleset *, - struct pf_addr_wrap *, sa_family_t); + struct pf_addr_wrap *, ip_af_t); static void pf_src_node_copy(const struct pf_ksrc_node *, struct pf_src_node *); #ifdef ALTQ @@ -1509,7 +1509,7 @@ static int pf_addr_setup(struct pf_kruleset *ruleset, struct pf_addr_wrap *addr, - sa_family_t af) + ip_af_t af) { int error = 0; @@ -3759,9 +3759,9 @@ #undef ERROUT DIOCCHANGERULE_error: + pf_krule_free(newrule); PF_RULES_WUNLOCK(); PF_CONFIG_UNLOCK(); - pf_krule_free(newrule); pf_kkif_free(kif); break; } diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -71,7 +71,7 @@ struct pf_addr *, uint16_t, struct pf_addr *, uint16_t, struct pf_addr *, uint16_t *, uint16_t, uint16_t, struct pf_ksrc_node **, struct pf_udp_mapping **); -static bool pf_islinklocal(const sa_family_t, const struct pf_addr *); +static bool pf_islinklocal(const ip_af_t, const struct pf_addr *); #define mix(a,b,c) \ do { \ @@ -403,7 +403,7 @@ } static bool -pf_islinklocal(const sa_family_t af, const struct pf_addr *addr) +pf_islinklocal(const ip_af_t af, const struct pf_addr *addr) { if (af == AF_INET6 && IN6_IS_ADDR_LINKLOCAL(&addr->v6)) return (true); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -57,7 +57,7 @@ uint32_t creatorid; char ifname[IFNAMSIZ]; uint16_t proto; - sa_family_t af; + ip_af_t af; struct pf_addr addr; struct pf_addr mask; }; 
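Review bot: The reordering at `DIOCCHANGERULE_error`, together with the `PF_RULES_WLOCK()` / `PF_RULES_WUNLOCK()` pair added around `pf_free_rule(attrs.rule)` in pf_nl.c, is a locking change with no explanation, mixed into a type-rename commit. Presumably the rule free path requires the rules write lock, but nothing on the changed lines says so, and `pf_kkif_free(kif)` stays after the unlock. A short comment such as `/* newrule must be freed with the rules write lock held */` above the moved call would record the invariant, and the pf_nl.c site wants the same comment. Splitting the two locking fixes into their own commit would also make them easier to backport and review.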
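Review bot: The `af` member retyped in the pf_nl.c `@@ -57,7 +57,7 @@` hunk appears to be filled from a netlink request, so changing its type to `ip_af_t` does not by itself restrict its value, and this commit removes the `default:` branches that used to catch anything other than `AF_INET` / `AF_INET6`. The attribute parser for this struct is outside the hunk; if it stores the raw byte, the handler should reject families it does not support with `return (EINVAL);` before passing `af` on. The same question applies to `pf_nvipaf()` declared in pf_nv.h, whose body is not shown: it is the natural place to range-check families arriving in an nvlist, and its declaration deserves a comment saying which values it accepts.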
@@ -81,15 +81,19 @@ NL_DECLARE_PARSER(state_parser, struct genlmsghdr, nlf_p_generic, nla_p_state); static void -dump_addr(struct nl_writer *nw, int attr, const struct pf_addr *addr, int af) +dump_addr(struct nl_writer *nw, int attr, const struct pf_addr *addr, ip_af_t af) { switch (af) { +#ifdef INET case AF_INET: nlattr_add(nw, attr, 4, &addr->v4); break; +#endif +#ifdef INET6 case AF_INET6: nlattr_add(nw, attr, 16, &addr->v6); break; +#endif }; } @@ -145,7 +149,7 @@ { struct nl_writer *nw = npt->nw; int error = 0; - int af; + ip_af_t af; struct pf_state_key *key; PF_STATE_LOCK_ASSERT(s); @@ -240,7 +244,7 @@ PF_HASHROW_LOCK(ih); LIST_FOREACH(s, &ih->states, entry) { - sa_family_t af = s->key[PF_SK_WIRE]->af; + ip_af_t af = s->key[PF_SK_WIRE]->af; if (s->timeout == PFTM_UNLINKED) continue; @@ -766,7 +770,9 @@ error = nl_parse_nlmsg(hdr, &addrule_parser, npt, &attrs); if (error != 0) { + PF_RULES_WLOCK(); pf_free_rule(attrs.rule); + PF_RULES_WUNLOCK(); return (error); } diff --git a/sys/netpfil/pf/pf_nv.h b/sys/netpfil/pf/pf_nv.h --- a/sys/netpfil/pf/pf_nv.h +++ b/sys/netpfil/pf/pf_nv.h @@ -70,6 +70,7 @@ PF_NV_DEF_UINT(uint64, uint64_t, UINT64_MAX); int pf_nvbool(const nvlist_t *, const char *, bool *); +int pf_nvipaf(const nvlist_t *, const char *, ip_af_t *); int pf_nvbinary(const nvlist_t *, const char *, void *, size_t); int pf_nvint(const nvlist_t *, const char *, int *); int pf_nvstring(const nvlist_t *, const char *, char *, size_t); diff --git a/sys/netpfil/pf/pf_syncookies.c b/sys/netpfil/pf/pf_syncookies.c --- a/sys/netpfil/pf/pf_syncookies.c +++ b/sys/netpfil/pf/pf_syncookies.c 
@@ -435,16 +435,18 @@ SipHash_SetKey(&ctx, V_pf_syncookie_status.key[cookie.flags.oddeven]); switch (pd->af) { +#ifdef INET case AF_INET: SipHash_Update(&ctx, pd->src, sizeof(pd->src->v4)); SipHash_Update(&ctx, pd->dst, sizeof(pd->dst->v4)); break; +#endif +#ifdef INET6 case AF_INET6: SipHash_Update(&ctx, pd->src, sizeof(pd->src->v6)); SipHash_Update(&ctx, pd->dst, sizeof(pd->dst->v6)); break; - default: - panic("unknown address family"); +#endif } SipHash_Update(&ctx, pd->sport, sizeof(*pd->sport)); diff --git a/sys/netpfil/pf/pf_table.c b/sys/netpfil/pf/pf_table.c --- a/sys/netpfil/pf/pf_table.c +++ b/sys/netpfil/pf/pf_table.c @@ -2036,7 +2036,7 @@ } int -pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af) +pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, ip_af_t af) { struct pfr_kentry *ke = NULL; int match; @@ -2089,7 +2089,7 @@ } void -pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af, +pfr_update_stats(struct pfr_ktable *kt, struct pf_addr *a, ip_af_t af, u_int64_t len, int dir_out, int op_pass, int notrule) { struct pfr_kentry *ke = NULL; @@ -2240,7 +2240,7 @@ int pfr_pool_get(struct pfr_ktable *kt, int *pidx, struct pf_addr *counter, - sa_family_t af, pf_addr_filter_func_t filter) + ip_af_t af, pf_addr_filter_func_t filter) { struct pf_addr addr, cur, mask, umask_addr; union sockaddr_union uaddr, umask; @@ -2251,14 +2251,18 @@ MPASS(counter != NULL); switch (af) { +#ifdef INET case AF_INET: uaddr.sin.sin_len = sizeof(struct sockaddr_in); uaddr.sin.sin_family = AF_INET; break; +#endif +#ifdef INET6 case AF_INET6: uaddr.sin6.sin6_len = sizeof(struct sockaddr_in6); uaddr.sin6.sin6_family = AF_INET6; break; +#endif } pfr_sockaddr_to_pf_addr(&uaddr, &addr); 
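Review bot: Without the `default: panic("unknown address family")`, an unmatched `pd->af` in the pf_syncookies.c hunk skips both address `SipHash_Update()` calls and the MAC is computed over the remaining fields only, starting at `pd->sport`, so the cookie would no longer be bound to the address pair. `pd->af` is presumably constrained well before this point, but the function now relies on that silently. A `KASSERT(pd->af == AF_INET || pd->af == AF_INET6, ("%s: unsupported af %d", __func__, pd->af));` ahead of the switch documents the assumption without adding a `default:` label. The enclosing function starts and ends outside the hunk.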
@@ -2311,14 +2315,18 @@ for (;;) { /* we don't want to use a nested block */ switch (af) { +#ifdef INET case AF_INET: ke2 = (struct pfr_kentry *)rn_match(&uaddr, &kt->pfrkt_ip4->rh); break; +#endif +#ifdef INET6 case AF_INET6: ke2 = (struct pfr_kentry *)rn_match(&uaddr, &kt->pfrkt_ip6->rh); break; +#endif } /* no need to check KENTRY_RNF_ROOT() here */ if (ke2 == ke) {