PFIL_MEMPTR for ipfw link level hook

With the new pfil(9) KPI it is possible to pass a void pointer with length
instead of an mbuf pointer to a packet filter. Until this commit no filters
supported that, so pfil ran through a shim function pfil_fake_mbuf().

Now the ipfw(4) hook named "default-link", that is instantiated when the
net.link.ether.ipfw sysctl is on, supports processing pointer/length
packets natively.

  • ip_fw_args now has union for either mbuf or void *, and if flags have non-zero length, then we use the void *.
  • through ipfw_chk() we handle mem/mbuf cases differently.
  • ether_header goes away from args. It is ipfw_chk()'s responsibility to do parsing of the Ethernet header.
  • ipfw_log() now uses different bpf APIs to log packets.

Although ipfw_chk() is now capable of processing pointer/length packets,
this commit adds support for the link level hook only, see
ipfw_check_frame(). Potentially the IP processing hook ipfw_check_packet()
can be improved too, but that requires more changes since the hook
supports more complex actions: NAT, divert, etc.

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D19357


Authored by glebius on Mar 14 2019, 10:52 PM
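The commit describes an args structure that carries either an mbuf or a void pointer plus length, with the filter parsing the Ethernet header itself. The following is an added toy model of that scheme, not FreeBSD's ipfw code: every identifier (demo_mbuf, demo_fw_args, DEMO_LENMASK, demo_pktdata, demo_ether_type) is hypothetical, and the mbuf stand-in is a single contiguous buffer rather than a real chain.

```c
/* Added example, not FreeBSD code: a toy model of the "either mbuf or
 * pointer/length" argument scheme. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define ETHER_HDR_LEN 14
#define DEMO_LENMASK  0x0000ffffU  /* hypothetical: length kept in low flag bits */

/* Stand-in for struct mbuf: one contiguous buffer, no chain. */
struct demo_mbuf { uint8_t *m_data; size_t m_len; };

struct demo_fw_args {
    uint32_t flags;                             /* (flags & DEMO_LENMASK) != 0 => use mem */
    union { struct demo_mbuf *m; void *mem; } u;
};

/* Return the frame bytes and their length whichever union member is in
 * use; NULL if there is nothing usable. This is the one place that has to
 * know which case it is in, so callers handle both forms identically. */
static const uint8_t *demo_pktdata(const struct demo_fw_args *args, size_t *len)
{
    size_t l = args->flags & DEMO_LENMASK;
    if (l != 0) { *len = l; return args->u.mem; }
    if (args->u.m == NULL) return NULL;
    *len = args->u.m->m_len;
    return args->u.m->m_data;
}

/* Parse the Ethernet header from either form, checking the length before
 * touching any byte. Returns the EtherType in host order, or -1 if the
 * frame is too short to hold a header. */
int demo_ether_type(const struct demo_fw_args *args)
{
    size_t len;
    const uint8_t *p = demo_pktdata(args, &len);
    if (p == NULL || len < ETHER_HDR_LEN) return -1;
    return (p[12] << 8) | p[13];
}

/* Constructed sample frame: broadcast dst, src, EtherType 0x0800, 4 payload bytes. */
static uint8_t demo_frame[ETHER_HDR_LEN + 4] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00, 0x45,0,0,0 };

int demo_from_mem(void)  { struct demo_fw_args a = { .flags = sizeof(demo_frame), .u.mem = demo_frame }; return demo_ether_type(&a); }
int demo_from_mbuf(void) { struct demo_mbuf m = { demo_frame, sizeof(demo_frame) };
                           struct demo_fw_args a = { .flags = 0, .u.m = &m }; return demo_ether_type(&a); }
int demo_short(void)     { struct demo_fw_args a = { .flags = 6, .u.mem = demo_frame }; return demo_ether_type(&a); }
```

A real mbuf chain may split the header across buffers, so kernel code must make it contiguous (m_pullup) before parsing; the toy buffer sidesteps that.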