sys/netpfil/pf/pf.c
Show First 20 Lines • Show All 3,807 Lines • ▼ Show 20 Lines | if (r->qid != 0) { | ||||
mtag = pf_get_mtag(m); | mtag = pf_get_mtag(m); | ||||
if (mtag == NULL) { | if (mtag == NULL) { | ||||
counter_u64_add(V_pf_status.counters[PFRES_MEMORY], 1); | counter_u64_add(V_pf_status.counters[PFRES_MEMORY], 1); | ||||
return (PF_DROP); | return (PF_DROP); | ||||
} | } | ||||
mtag->qid = r->qid; | mtag->qid = r->qid; | ||||
} | } | ||||
/* Dummynet */ | |||||
if (r->dnpipe) { | |||||
/** While dummynet supports handling Ethernet packets directly | |||||
* it still wants some L3/L4 information, and we're not set up | |||||
* to provide that here. Instead we'll do what we do for ALTQ | |||||
* and merely mark the packet with the dummynet queue/pipe number. | |||||
**/ | |||||
mtag = pf_get_mtag(m); | |||||
if (mtag == NULL) { | |||||
counter_u64_add(V_pf_status.counters[PFRES_MEMORY], 1); | |||||
return (PF_DROP); | |||||
} | |||||
mtag->dnpipe = r->dnpipe; | |||||
mtag->dnflags = r->dnflags; | |||||
} | |||||
action = r->action; | action = r->action; | ||||
return (action); | return (action); | ||||
} | } | ||||
static int | static int | ||||
pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction, | pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction, | ||||
struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd, | struct pfi_kkif *kif, struct mbuf *m, int off, struct pf_pdesc *pd, | ||||
static bool | static bool | ||||
pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd, | pf_pdesc_to_dnflow(int dir, const struct pf_pdesc *pd, | ||||
const struct pf_krule *r, const struct pf_kstate *s, | const struct pf_krule *r, const struct pf_kstate *s, | ||||
struct ip_fw_args *dnflow) | struct ip_fw_args *dnflow) | ||||
{ | { | ||||
int dndir = r->direction; | int dndir = r->direction; | ||||
if (s && dndir == PF_INOUT) | if (s && dndir == PF_INOUT) { | ||||
dndir = s->direction; | dndir = s->direction; | ||||
} else if (dndir == PF_INOUT) { | |||||
/* Assume primary direction. Happens when we've set dnpipe in | |||||
* the ethernet level code. */ | |||||
dndir = dir; | |||||
} | |||||
memset(dnflow, 0, sizeof(*dnflow)); | memset(dnflow, 0, sizeof(*dnflow)); | ||||
if (pd->dport != NULL) | if (pd->dport != NULL) | ||||
dnflow->f_id.dst_port = ntohs(*pd->dport); | dnflow->f_id.dst_port = ntohs(*pd->dport); | ||||
if (pd->sport != NULL) | if (pd->sport != NULL) | ||||
dnflow->f_id.src_port = ntohs(*pd->sport); | dnflow->f_id.src_port = ntohs(*pd->sport); | ||||
if (dir == PF_IN) | if (dir == PF_IN) | ||||
dnflow->flags |= IPFW_ARGS_IN; | dnflow->flags |= IPFW_ARGS_IN; | ||||
else | else | ||||
dnflow->flags |= IPFW_ARGS_OUT; | dnflow->flags |= IPFW_ARGS_OUT; | ||||
if (dir != dndir && pd->act.dnrpipe) { | if (dir != dndir && pd->act.dnrpipe) { | ||||
dnflow->rule.info = pd->act.dnrpipe; | dnflow->rule.info = pd->act.dnrpipe; | ||||
} | } | ||||
else if (dir == dndir) { | else if (dir == dndir) { | ||||
dnflow->rule.info = pd->act.dnpipe; | dnflow->rule.info = pd->act.dnpipe; | ||||
} | } | ||||
else { | else { | ||||
return (false); | return (false); | ||||
} | } | ||||
dnflow->rule.info |= IPFW_IS_DUMMYNET; | dnflow->rule.info |= IPFW_IS_DUMMYNET; | ||||
if (r->free_flags & PFRULE_DN_IS_PIPE) | if (r->free_flags & PFRULE_DN_IS_PIPE || pd->act.flags & PFRULE_DN_IS_PIPE) | ||||
dnflow->rule.info |= IPFW_IS_PIPE; | dnflow->rule.info |= IPFW_IS_PIPE; | ||||
dnflow->f_id.proto = pd->proto; | dnflow->f_id.proto = pd->proto; | ||||
dnflow->f_id.extra = dnflow->rule.info; | dnflow->f_id.extra = dnflow->rule.info; | ||||
switch (pd->af) { | switch (pd->af) { | ||||
case AF_INET: | case AF_INET: | ||||
dnflow->f_id.addr_type = 4; | dnflow->f_id.addr_type = 4; | ||||
dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr); | dnflow->f_id.src_ip = ntohl(pd->src->v4.s_addr); | ||||
▲ Show 20 Lines • Show All 77 Lines • ▼ Show 20 Lines | if (kif->pfik_flags & PFI_IFLAG_SKIP) | ||||
return (PF_PASS); | return (PF_PASS); | ||||
if (m->m_flags & M_SKIP_FIREWALL) | if (m->m_flags & M_SKIP_FIREWALL) | ||||
return (PF_PASS); | return (PF_PASS); | ||||
memset(&pd, 0, sizeof(pd)); | memset(&pd, 0, sizeof(pd)); | ||||
pd.pf_mtag = pf_find_mtag(m); | pd.pf_mtag = pf_find_mtag(m); | ||||
if (pd.pf_mtag && pd.pf_mtag->dnpipe) { | |||||
pd.act.dnpipe = pd.pf_mtag->dnpipe; | |||||
pd.act.flags = pd.pf_mtag->dnflags; | |||||
} | |||||
if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL && | if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL && | ||||
pd.pf_mtag->flags & PF_TAG_DUMMYNET) { | pd.pf_mtag->flags & PF_TAG_DUMMYNET) { | ||||
/* Dummynet re-injects packets after they've | /* Dummynet re-injects packets after they've | ||||
* completed their delay. We've already | * completed their delay. We've already | ||||
* processed them, so pass unconditionally. */ | * processed them, so pass unconditionally. */ | ||||
/* But only once. We may see the packet multiple times (e.g. | /* But only once. We may see the packet multiple times (e.g. | ||||
* PFIL_IN/PFIL_OUT). */ | * PFIL_IN/PFIL_OUT). */ | ||||
▲ Show 20 Lines • Show All 482 Lines • ▼ Show 20 Lines | pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb *inp) | ||||
if (kif->pfik_flags & PFI_IFLAG_SKIP) | if (kif->pfik_flags & PFI_IFLAG_SKIP) | ||||
return (PF_PASS); | return (PF_PASS); | ||||
if (m->m_flags & M_SKIP_FIREWALL) | if (m->m_flags & M_SKIP_FIREWALL) | ||||
return (PF_PASS); | return (PF_PASS); | ||||
memset(&pd, 0, sizeof(pd)); | memset(&pd, 0, sizeof(pd)); | ||||
pd.pf_mtag = pf_find_mtag(m); | pd.pf_mtag = pf_find_mtag(m); | ||||
if (pd.pf_mtag && pd.pf_mtag->dnpipe) { | |||||
pd.act.dnpipe = pd.pf_mtag->dnpipe; | |||||
pd.act.flags = pd.pf_mtag->dnflags; | |||||
} | |||||
if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL && | if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL && | ||||
pd.pf_mtag->flags & PF_TAG_DUMMYNET) { | pd.pf_mtag->flags & PF_TAG_DUMMYNET) { | ||||
pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET; | pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET; | ||||
/* Dummynet re-injects packets after they've | /* Dummynet re-injects packets after they've | ||||
* completed their delay. We've already | * completed their delay. We've already | ||||
* processed them, so pass unconditionally. */ | * processed them, so pass unconditionally. */ | ||||
return (PF_PASS); | return (PF_PASS); | ||||
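Review bot: The L2-supplied dummynet pipe is copied out of the mbuf tag in pf_test()/pf_test6() (`pd.act.dnpipe = pd.pf_mtag->dnpipe;`) but the tag itself is never cleared in this diff, so as far as visible here the pipe number survives for the mbuf's whole life and every later pf pass on the same mbuf — e.g. the PFIL_OUT pass on a forwarded packet that the existing comment already mentions — loads it again, and with the new stateless branch in pf_pdesc_to_dnflow() (`dndir = dir`) that second pass also qualifies for queueing, so one Ethernet rule can push a packet through its pipe twice. Unless the tag is reset somewhere outside this change, consuming it at the point of use keeps the pipe to one application per L2 match: `pd.act.flags = pd.pf_mtag->dnflags; pd.pf_mtag->dnpipe = 0;` (mirrored in pf_test6). The remainder of pf_test()/pf_test6(), where a matching L3 rule may later overwrite pd.act, is outside this hunk, so whether a later rule always overrides the tag-derived value cannot be confirmed from here. Minor: the widened condition in pf_pdesc_to_dnflow() relies on `&` binding tighter than `||`; `(r->free_flags & PFRULE_DN_IS_PIPE) || (pd->act.flags & PFRULE_DN_IS_PIPE)` reads unambiguously.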