Page MenuHomeFreeBSD
Files F111123780

D13715.id40434.diff
No OneTemporary
Actions

D13715.id40434.diff
View Options

Index: share/man/man9/pfil.9
===================================================================
--- share/man/man9/pfil.9
+++ share/man/man9/pfil.9
@@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 27, 2017
+.Dd March 10, 2018
.Dt PFIL 9
.Os
.Sh NAME
@@ -37,7 +37,9 @@
.Nm pfil_head_unregister ,
.Nm pfil_head_get ,
.Nm pfil_add_hook ,
+.Nm pfil_add_hook_flags ,
.Nm pfil_remove_hook ,
+.Nm pfil_remove_hook_flags ,
.Nm pfil_run_hooks ,
.Nm pfil_rlock ,
.Nm pfil_runlock ,
@@ -51,6 +53,8 @@
.In net/pfil.h
.Bd -literal
typedef int (*pfil_func_t)(void *arg, struct mbuf **mp, struct ifnet *, int dir, struct inpcb);
+.Bd -literal
+typedef int (*pfil_func_flags_t)(void *arg, struct mbuf **mp, struct ifnet *, int dir, int flags, struct inpcb);
.Ft int
.Fn pfil_head_register "struct pfil_head *head"
.Ft int
@@ -58,11 +62,15 @@
.Ft "struct pfil_head *"
.Fn pfil_head_get "int af" "u_long dlt"
.Ft int
-.Fn pfil_add_hook "pfil_func_t" "void *arg" "int flags" "struct pfil_head *"
+.Fn pfil_add_hook "pfil_func_t" "void *arg" "struct pfil_head *"
+.Ft int
+.Fn pfil_add_hook_flags "pfil_func_flags_t" "void *arg" "int flags" "struct pfil_head *"
.Ft int
-.Fn pfil_remove_hook "pfil_func_t" "void *arg" "int flags" "struct pfil_head *"
+.Fn pfil_remove_hook "pfil_func_t" "void *arg" "struct pfil_head *"
.Ft int
-.Fn pfil_run_hooks "struct pfil_head *head" "struct mbuf **mp" "struct ifnet *" "int dir" "struct inpcb *"
+.Fn pfil_remove_hook_flags "pfil_func_flags_t" "void *arg" "int flags" "struct pfil_head *"
+.Ft int
+.Fn pfil_run_hooks "struct pfil_head *head" "struct mbuf **mp" "struct ifnet *" "int dir" "int flags" "struct inpcb *"
.Ft void
.Fn pfil_rlock "struct pfil_head *" "struct rm_priotracker *"
.Ft void
@@ -116,6 +124,7 @@
and
.Fn pfil_remove_hook
functions, respectively.
+.I
The head is looked up using the
.Fn pfil_head_get
function, which takes the key and data link type that the packet filter
@@ -135,6 +144,10 @@
or
.Dv PFIL_OUT )
that the packet is traveling.
+The
+.Vt flags
+argument will indicate if an outgoing packet is simply being forwarded with the
+value PFIL_FWD.
The filter may change which mbuf the
.Vt "mbuf\ **"
argument references.
Index: sys/net/if_bridge.c
===================================================================
--- sys/net/if_bridge.c
+++ sys/net/if_bridge.c
@@ -3176,7 +3176,8 @@
if (PFIL_HOOKED(&V_link_pfil_hook) && V_pfil_ipfw != 0 &&
dir == PFIL_OUT && ifp != NULL) {
- error = pfil_run_hooks(&V_link_pfil_hook, mp, ifp, dir, NULL);
+ error = pfil_run_hooks(&V_link_pfil_hook, mp, ifp, dir, 0,
+ NULL);
if (*mp == NULL || error != 0) /* packet consumed by filter */
return (error);
@@ -3228,21 +3229,21 @@
*/
if (V_pfil_bridge && dir == PFIL_OUT && bifp != NULL)
error = pfil_run_hooks(&V_inet_pfil_hook, mp, bifp,
- dir, NULL);
+ dir, 0, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (V_pfil_member && ifp != NULL)
error = pfil_run_hooks(&V_inet_pfil_hook, mp, ifp,
- dir, NULL);
+ dir, 0, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (V_pfil_bridge && dir == PFIL_IN && bifp != NULL)
error = pfil_run_hooks(&V_inet_pfil_hook, mp, bifp,
- dir, NULL);
+ dir, 0, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
@@ -3282,21 +3283,21 @@
case ETHERTYPE_IPV6:
if (V_pfil_bridge && dir == PFIL_OUT && bifp != NULL)
error = pfil_run_hooks(&V_inet6_pfil_hook, mp, bifp,
- dir, NULL);
+ dir, 0, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (V_pfil_member && ifp != NULL)
error = pfil_run_hooks(&V_inet6_pfil_hook, mp, ifp,
- dir, NULL);
+ dir, 0, NULL);
if (*mp == NULL || error != 0) /* filter may consume */
break;
if (V_pfil_bridge && dir == PFIL_IN && bifp != NULL)
error = pfil_run_hooks(&V_inet6_pfil_hook, mp, bifp,
- dir, NULL);
+ dir, 0, NULL);
break;
#endif
default:
Index: sys/net/if_enc.c
===================================================================
--- sys/net/if_enc.c
+++ sys/net/if_enc.c
@@ -301,7 +301,7 @@
/* Make a packet looks like it was received on enc(4) */
rcvif = (*ctx->mp)->m_pkthdr.rcvif;
(*ctx->mp)->m_pkthdr.rcvif = ifp;
- if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, ctx->inp) != 0 ||
+ if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, 0, ctx->inp) != 0 ||
*ctx->mp == NULL) {
*ctx->mp = NULL; /* consumed by filter */
return (EACCES);
Index: sys/net/if_ethersubr.c
===================================================================
--- sys/net/if_ethersubr.c
+++ sys/net/if_ethersubr.c
@@ -443,7 +443,8 @@
int i;
if (PFIL_HOOKED(&V_link_pfil_hook)) {
- i = pfil_run_hooks(&V_link_pfil_hook, &m, ifp, PFIL_OUT, NULL);
+ i = pfil_run_hooks(&V_link_pfil_hook, &m, ifp, PFIL_OUT, 0,
+ NULL);
if (i != 0)
return (EACCES);
@@ -776,7 +777,8 @@
/* Do not grab PROMISC frames in case we are re-entered. */
if (PFIL_HOOKED(&V_link_pfil_hook) && !(m->m_flags & M_PROMISC)) {
- i = pfil_run_hooks(&V_link_pfil_hook, &m, ifp, PFIL_IN, NULL);
+ i = pfil_run_hooks(&V_link_pfil_hook, &m, ifp, PFIL_IN, 0,
+ NULL);
if (i != 0 || m == NULL)
return;
Index: sys/net/pfil.h
===================================================================
--- sys/net/pfil.h
+++ sys/net/pfil.h
@@ -48,6 +48,8 @@
typedef int (*pfil_func_t)(void *, struct mbuf **, struct ifnet *, int,
struct inpcb *);
+typedef int (*pfil_func_flags_t)(void *, struct mbuf **, struct ifnet *,
+ int, int, struct inpcb *);
/*
* The packet filter hooks are designed for anything to call them to
@@ -56,13 +58,15 @@
*/
struct packet_filter_hook {
TAILQ_ENTRY(packet_filter_hook) pfil_chain;
- pfil_func_t pfil_func;
- void *pfil_arg;
+ pfil_func_t pfil_func;
+ pfil_func_flags_t pfil_func_flags;
+ void *pfil_arg;
};
#define PFIL_IN 0x00000001
#define PFIL_OUT 0x00000002
#define PFIL_WAITOK 0x00000004
+#define PFIL_FWD 0x00000008
#define PFIL_ALL (PFIL_IN|PFIL_OUT)
typedef TAILQ_HEAD(pfil_chain, packet_filter_hook) pfil_chain_t;
@@ -102,13 +106,15 @@
/* Public functions for pfil hook management by packet filters. */
struct pfil_head *pfil_head_get(int, u_long);
+int pfil_add_hook_flags(pfil_func_flags_t, void *, int, struct pfil_head *);
int pfil_add_hook(pfil_func_t, void *, int, struct pfil_head *);
+int pfil_remove_hook_flags(pfil_func_flags_t, void *, int, struct pfil_head *);
int pfil_remove_hook(pfil_func_t, void *, int, struct pfil_head *);
#define PFIL_HOOKED(p) ((p)->ph_nhooks > 0)
/* Public functions to run the packet inspection by protocols. */
-int pfil_run_hooks(struct pfil_head *, struct mbuf **, struct ifnet *,
- int, struct inpcb *inp);
+int pfil_run_hooks(struct pfil_head *, struct mbuf **, struct ifnet *, int,
+ int, struct inpcb *inp);
/* Public functions for pfil head management by protocols. */
int pfil_head_register(struct pfil_head *);
Index: sys/net/pfil.c
===================================================================
--- sys/net/pfil.c
+++ sys/net/pfil.c
@@ -57,7 +57,8 @@
static struct packet_filter_hook *pfil_chain_get(int, struct pfil_head *);
static int pfil_chain_add(pfil_chain_t *, struct packet_filter_hook *, int);
-static int pfil_chain_remove(pfil_chain_t *, pfil_func_t, void *);
+static int pfil_chain_remove(pfil_chain_t *, void *, void *);
+static int pfil_add_hook_priv(void *, void *, int, struct pfil_head *, bool);
LIST_HEAD(pfilheadhead, pfil_head);
VNET_DEFINE(struct pfilheadhead, pfil_head_list);
@@ -95,7 +96,7 @@
*/
int
pfil_run_hooks(struct pfil_head *ph, struct mbuf **mp, struct ifnet *ifp,
- int dir, struct inpcb *inp)
+ int dir, int flags, struct inpcb *inp)
{
struct rm_priotracker rmpt;
struct packet_filter_hook *pfh;
@@ -106,6 +107,12 @@
KASSERT(ph->ph_nhooks >= 0, ("Pfil hook count dropped < 0"));
for (pfh = pfil_chain_get(dir, ph); pfh != NULL;
pfh = TAILQ_NEXT(pfh, pfil_chain)) {
+ if (pfh->pfil_func_flags != NULL) {
+ rv = (*pfh->pfil_func_flags)(pfh->pfil_arg, &m, ifp,
+ dir, flags, inp);
+ if (rv != 0 || m == NULL)
+ break;
+ }
if (pfh->pfil_func != NULL) {
rv = (*pfh->pfil_func)(pfh->pfil_arg, &m, ifp, dir,
inp);
@@ -255,6 +262,21 @@
return (ph);
}
+/*
+ * pfil_add_hook_flags() adds a function to the packet filter hook. the
+ * flags are:
+ * PFIL_IN call me on incoming packets
+ * PFIL_OUT call me on outgoing packets
+ * PFIL_ALL call me on all of the above
+ * PFIL_WAITOK OK to call malloc with M_WAITOK.
+ */
+int
+pfil_add_hook_flags(pfil_func_flags_t func, void *arg, int flags,
+ struct pfil_head *ph)
+{
+ return (pfil_add_hook_priv(func, arg, flags, ph, true));
+}
+
/*
* pfil_add_hook() adds a function to the packet filter hook. the
* flags are:
@@ -265,6 +287,13 @@
*/
int
pfil_add_hook(pfil_func_t func, void *arg, int flags, struct pfil_head *ph)
+{
+ return (pfil_add_hook_priv(func, arg, flags, ph, false));
+}
+
+static int
+pfil_add_hook_priv(void *func, void *arg, int flags,
+ struct pfil_head *ph, bool hasflags)
{
struct packet_filter_hook *pfh1 = NULL;
struct packet_filter_hook *pfh2 = NULL;
@@ -288,7 +317,8 @@
}
PFIL_WLOCK(ph);
if (flags & PFIL_IN) {
- pfh1->pfil_func = func;
+ pfh1->pfil_func_flags = hasflags ? func : NULL;
+ pfh1->pfil_func = hasflags ? NULL : func;
pfh1->pfil_arg = arg;
err = pfil_chain_add(&ph->ph_in, pfh1, flags & ~PFIL_OUT);
if (err)
@@ -296,7 +326,8 @@
ph->ph_nhooks++;
}
if (flags & PFIL_OUT) {
- pfh2->pfil_func = func;
+ pfh2->pfil_func_flags = hasflags ? func : NULL;
+ pfh2->pfil_func = hasflags ? NULL : func;
pfh2->pfil_arg = arg;
err = pfil_chain_add(&ph->ph_out, pfh2, flags & ~PFIL_IN);
if (err) {
@@ -318,6 +349,17 @@
return (err);
}
+/*
+ * pfil_remove_hook_flags removes a specific function from the packet filter hook
+ * chain.
+ */
+int
+pfil_remove_hook_flags(pfil_func_flags_t func, void *arg, int flags,
+ struct pfil_head *ph)
+{
+ return (pfil_remove_hook((pfil_func_t)func, arg, flags, ph));
+}
+
/*
* pfil_remove_hook removes a specific function from the packet filter hook
* chain.
@@ -354,7 +396,9 @@
* First make sure the hook is not already there.
*/
TAILQ_FOREACH(pfh, chain, pfil_chain)
- if (pfh->pfil_func == pfh1->pfil_func &&
+ if (((pfh->pfil_func != NULL && pfh->pfil_func == pfh1->pfil_func) ||
+ (pfh->pfil_func_flags != NULL &&
+ pfh->pfil_func_flags == pfh1->pfil_func_flags)) &&
pfh->pfil_arg == pfh1->pfil_arg)
return (EEXIST);
@@ -373,12 +417,13 @@
* Internal: Remove a pfil hook from a hook chain.
*/
static int
-pfil_chain_remove(pfil_chain_t *chain, pfil_func_t func, void *arg)
+pfil_chain_remove(pfil_chain_t *chain, void *func, void *arg)
{
struct packet_filter_hook *pfh;
TAILQ_FOREACH(pfh, chain, pfil_chain)
- if (pfh->pfil_func == func && pfh->pfil_arg == arg) {
+ if ((pfh->pfil_func == func || pfh->pfil_func_flags == func) &&
+ pfh->pfil_arg == arg) {
TAILQ_REMOVE(chain, pfh, pfil_chain);
free(pfh, M_IFADDR);
return (0);
Index: sys/net/pfvar.h
===================================================================
--- sys/net/pfvar.h
+++ sys/net/pfvar.h
@@ -1578,13 +1578,13 @@
void pf_free_rule(struct pf_rule *);
#ifdef INET
-int pf_test(int, struct ifnet *, struct mbuf **, struct inpcb *);
+int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
struct pf_pdesc *);
#endif /* INET */
#ifdef INET6
-int pf_test6(int, struct ifnet *, struct mbuf **, struct inpcb *);
+int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *);
int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
struct pf_pdesc *);
void pf_poolmask(struct pf_addr *, struct pf_addr*,
Index: sys/netinet/ip_fastfwd.c
===================================================================
--- sys/netinet/ip_fastfwd.c
+++ sys/netinet/ip_fastfwd.c
@@ -232,7 +232,7 @@
goto passin;
if (pfil_run_hooks(
- &V_inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, NULL) ||
+ &V_inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN, 0, NULL) ||
m == NULL)
goto drop;
@@ -305,8 +305,8 @@
if (!PFIL_HOOKED(&V_inet_pfil_hook))
goto passout;
- if (pfil_run_hooks(&V_inet_pfil_hook, &m, nh.nh_ifp, PFIL_OUT, NULL) ||
- m == NULL) {
+ if (pfil_run_hooks(&V_inet_pfil_hook, &m, nh.nh_ifp, PFIL_OUT, PFIL_FWD,
+ NULL) || m == NULL) {
goto drop;
}
Index: sys/netinet/ip_input.c
===================================================================
--- sys/netinet/ip_input.c
+++ sys/netinet/ip_input.c
@@ -600,7 +600,7 @@
goto passin;
odst = ip->ip_dst;
- if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, NULL) != 0)
+ if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, 0, NULL) != 0)
return;
if (m == NULL) /* consumed by filter */
return;
Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c
+++ sys/netinet/ip_output.c
@@ -117,7 +117,7 @@
/* Run through list of hooks for output packets. */
odst.s_addr = ip->ip_dst.s_addr;
- *error = pfil_run_hooks(&V_inet_pfil_hook, mp, ifp, PFIL_OUT, inp);
+ *error = pfil_run_hooks(&V_inet_pfil_hook, mp, ifp, PFIL_OUT, 0, inp);
m = *mp;
if ((*error) != 0 || m == NULL)
return 1; /* Finished */
Index: sys/netinet6/ip6_fastfwd.c
===================================================================
--- sys/netinet6/ip6_fastfwd.c
+++ sys/netinet6/ip6_fastfwd.c
@@ -157,7 +157,7 @@
*/
if (!PFIL_HOOKED(&V_inet6_pfil_hook))
goto passin;
- if (pfil_run_hooks(&V_inet6_pfil_hook, &m, rcvif, PFIL_IN,
+ if (pfil_run_hooks(&V_inet6_pfil_hook, &m, rcvif, PFIL_IN, 0,
NULL) != 0 || m == NULL)
goto dropin;
/*
@@ -201,7 +201,7 @@
if (!PFIL_HOOKED(&V_inet6_pfil_hook))
goto passout;
if (pfil_run_hooks(&V_inet6_pfil_hook, &m, nh.nh_ifp, PFIL_OUT,
- NULL) != 0 || m == NULL)
+ PFIL_FWD, NULL) != 0 || m == NULL)
goto dropout;
/*
Index: sys/netinet6/ip6_forward.c
===================================================================
--- sys/netinet6/ip6_forward.c
+++ sys/netinet6/ip6_forward.c
@@ -324,8 +324,9 @@
goto pass;
odst = ip6->ip6_dst;
- /* Run through list of hooks for output packets. */
- error = pfil_run_hooks(&V_inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT, NULL);
+ /* Run through list of hooks for forwarded packets. */
+ error = pfil_run_hooks(&V_inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT,
+ PFIL_FWD, NULL);
if (error != 0 || m == NULL)
goto freecopy; /* consumed by filter */
ip6 = mtod(m, struct ip6_hdr *);
Index: sys/netinet6/ip6_input.c
===================================================================
--- sys/netinet6/ip6_input.c
+++ sys/netinet6/ip6_input.c
@@ -761,7 +761,7 @@
odst = ip6->ip6_dst;
if (pfil_run_hooks(&V_inet6_pfil_hook, &m,
- m->m_pkthdr.rcvif, PFIL_IN, NULL))
+ m->m_pkthdr.rcvif, PFIL_IN, 0, NULL))
return;
if (m == NULL) /* consumed by filter */
return;
Index: sys/netinet6/ip6_output.c
===================================================================
--- sys/netinet6/ip6_output.c
+++ sys/netinet6/ip6_output.c
@@ -785,7 +785,7 @@
odst = ip6->ip6_dst;
/* Run through list of hooks for output packets. */
- error = pfil_run_hooks(&V_inet6_pfil_hook, &m, ifp, PFIL_OUT, inp);
+ error = pfil_run_hooks(&V_inet6_pfil_hook, &m, ifp, PFIL_OUT, 0, inp);
if (error != 0 || m == NULL)
goto done;
/* adjust pointer */
Index: sys/netpfil/pf/pf.h
===================================================================
--- sys/netpfil/pf/pf.h
+++ sys/netpfil/pf/pf.h
@@ -45,7 +45,7 @@
#endif
#endif
-enum { PF_INOUT, PF_IN, PF_OUT, PF_FWD };
+enum { PF_INOUT, PF_IN, PF_OUT };
enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
Index: sys/netpfil/pf/pf.c
===================================================================
--- sys/netpfil/pf/pf.c
+++ sys/netpfil/pf/pf.c
@@ -70,6 +70,7 @@
#include <net/radix_mpath.h>
#include <net/vnet.h>
+#include <net/pfil.h>
#include <net/pfvar.h>
#include <net/if_pflog.h>
#include <net/if_pfsync.h>
@@ -5506,7 +5507,7 @@
goto bad;
if (oifp != ifp) {
- if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS)
+ if (pf_test(PF_OUT, 0, ifp, &m0, NULL) != PF_PASS)
goto bad;
else if (m0 == NULL)
goto done;
@@ -5668,7 +5669,7 @@
goto bad;
if (oifp != ifp) {
- if (pf_test6(PF_FWD, ifp, &m0, NULL) != PF_PASS)
+ if (pf_test6(PF_OUT, PFIL_FWD, ifp, &m0, NULL) != PF_PASS)
goto bad;
else if (m0 == NULL)
goto done;
@@ -5858,7 +5859,7 @@
#ifdef INET
int
-pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
+pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
{
struct pfi_kif *kif;
u_short action, reason = 0, log = 0;
@@ -6245,7 +6246,7 @@
#ifdef INET6
int
-pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
+pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp)
{
struct pfi_kif *kif;
u_short action, reason = 0, log = 0;
@@ -6257,28 +6258,9 @@
struct pf_ruleset *ruleset = NULL;
struct pf_pdesc pd;
int off, terminal = 0, dirndx, rh_cnt = 0, pqid = 0;
- int fwdir = dir;
M_ASSERTPKTHDR(m);
- /* Detect packet forwarding.
- * If the input interface is different from the output interface we're
- * forwarding.
- * We do need to be careful about bridges. If the
- * net.link.bridge.pfil_bridge sysctl is set we can be filtering on a
- * bridge, so if the input interface is a bridge member and the output
- * interface is its bridge or a member of the same bridge we're not
- * actually forwarding but bridging.
- */
- if (dir == PF_OUT && m->m_pkthdr.rcvif && ifp != m->m_pkthdr.rcvif &&
- (m->m_pkthdr.rcvif->if_bridge == NULL ||
- (m->m_pkthdr.rcvif->if_bridge != ifp->if_softc &&
- m->m_pkthdr.rcvif->if_bridge != ifp->if_bridge)))
- fwdir = PF_FWD;
-
- if (dir == PF_FWD)
- dir = PF_OUT;
-
if (!V_pf_status.running)
return (PF_PASS);
@@ -6656,7 +6638,7 @@
PF_STATE_UNLOCK(s);
/* If reassembled packet passed, create new fragments. */
- if (action == PF_PASS && *m0 && fwdir == PF_FWD &&
+ if (action == PF_PASS && *m0 && (pflags & PFIL_FWD) &&
(mtag = m_tag_find(m, PF_REASSEMBLED, NULL)) != NULL)
action = pf_refragment6(ifp, m0, mtag);
Index: sys/netpfil/pf/pf_ioctl.c
===================================================================
--- sys/netpfil/pf/pf_ioctl.c
+++ sys/netpfil/pf/pf_ioctl.c
@@ -165,15 +165,15 @@
*/
#ifdef INET
static int pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
+ int dir, int flags, struct inpcb *inp);
static int pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
+ int dir, int flags, struct inpcb *inp);
#endif
#ifdef INET6
static int pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
+ int dir, int flags, struct inpcb *inp);
static int pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp,
- int dir, struct inpcb *inp);
+ int dir, int flags, struct inpcb *inp);
#endif
static int hook_pf(void);
@@ -3649,12 +3649,12 @@
#ifdef INET
static int
-pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+pf_check_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
struct inpcb *inp)
{
int chk;
- chk = pf_test(PF_IN, ifp, m, inp);
+ chk = pf_test(PF_IN, flags, ifp, m, inp);
if (chk && *m) {
m_freem(*m);
*m = NULL;
@@ -3666,12 +3666,12 @@
}
static int
-pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+pf_check_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
struct inpcb *inp)
{
int chk;
- chk = pf_test(PF_OUT, ifp, m, inp);
+ chk = pf_test(PF_OUT, flags, ifp, m, inp);
if (chk && *m) {
m_freem(*m);
*m = NULL;
@@ -3685,7 +3685,7 @@
#ifdef INET6
static int
-pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+pf_check6_in(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
struct inpcb *inp)
{
int chk;
@@ -3696,7 +3696,7 @@
* filtering we have change this to lo0 as it is the case in IPv4.
*/
CURVNET_SET(ifp->if_vnet);
- chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, inp);
+ chk = pf_test6(PF_IN, flags, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, inp);
CURVNET_RESTORE();
if (chk && *m) {
m_freem(*m);
@@ -3708,13 +3708,13 @@
}
static int
-pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir,
+pf_check6_out(void *arg, struct mbuf **m, struct ifnet *ifp, int dir, int flags,
struct inpcb *inp)
{
int chk;
CURVNET_SET(ifp->if_vnet);
- chk = pf_test6(PF_OUT, ifp, m, inp);
+ chk = pf_test6(PF_OUT, flags, ifp, m, inp);
CURVNET_RESTORE();
if (chk && *m) {
m_freem(*m);
@@ -3743,22 +3743,22 @@
pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
if (pfh_inet == NULL)
return (ESRCH); /* XXX */
- pfil_add_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
- pfil_add_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
+ pfil_add_hook_flags(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet);
+ pfil_add_hook_flags(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet);
#endif
#ifdef INET6
pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
if (pfh_inet6 == NULL) {
#ifdef INET
- pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
+ pfil_remove_hook_flags(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
pfh_inet);
- pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
+ pfil_remove_hook_flags(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
pfh_inet);
#endif
return (ESRCH); /* XXX */
}
- pfil_add_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
- pfil_add_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
+ pfil_add_hook_flags(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6);
+ pfil_add_hook_flags(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6);
#endif
V_pf_pfil_hooked = 1;
@@ -3782,18 +3782,18 @@
pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
if (pfh_inet == NULL)
return (ESRCH); /* XXX */
- pfil_remove_hook(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
+ pfil_remove_hook_flags(pf_check_in, NULL, PFIL_IN | PFIL_WAITOK,
pfh_inet);
- pfil_remove_hook(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
+ pfil_remove_hook_flags(pf_check_out, NULL, PFIL_OUT | PFIL_WAITOK,
pfh_inet);
#endif
#ifdef INET6
pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
if (pfh_inet6 == NULL)
return (ESRCH); /* XXX */
- pfil_remove_hook(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK,
+ pfil_remove_hook_flags(pf_check6_in, NULL, PFIL_IN | PFIL_WAITOK,
pfh_inet6);
- pfil_remove_hook(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK,
+ pfil_remove_hook_flags(pf_check6_out, NULL, PFIL_OUT | PFIL_WAITOK,
pfh_inet6);
#endif

File Metadata

Mime Type
text/plain
Expires
Fri, Feb 28, 6:17 PM (15 h, 17 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
16889010
Default Alt Text
D13715.id40434.diff (22 KB)

Event Timeline