#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation |
#
254774 |
|
24-Aug-2013 |
andre |
Rename PFIL_LIST_[UN]LOCK() to PFIL_HEADLIST_[UN]LOCK() to avoid confusion with the pfil_head chain locking macros.
|
#
254773 |
|
24-Aug-2013 |
andre |
Resolve the confusion between the head_list and the hook list.
The linked list of pfil hooks is changed to "chain" and this term is applied consistently. The head_list remains with "list" term.
Add KASSERT to vnet_pfil_uninit().
Update and extend comments.
Reviewed by: eri (previous version)
|
#
254771 |
|
24-Aug-2013 |
andre |
Internalize pfil_hook_get(). There are no outside consumers of this API, it is only safe for internal use and even the pfil(9) man page says so in the BUGS section.
Reviewed by: eri
|
#
254770 |
|
24-Aug-2013 |
andre |
Convert one instance of pfil hook callback missed in r254769.
|
#
254769 |
|
24-Aug-2013 |
andre |
Introduce typedef for pfil hook callback function and replace all spelled out occurrences with it.
Reviewed by: eri
|
#
248490 |
|
19-Mar-2013 |
ae |
Fix style and comments.
|
#
242463 |
|
01-Nov-2012 |
ae |
Remove the recently added sysctl variable net.pfil.forward. Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set.
Suggested by: andre
|
#
242079 |
|
25-Oct-2012 |
ae |
Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on the related functionality in the runtime via the sysctl variable net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks
|
#
241888 |
|
22-Oct-2012 |
melifaro |
Make PFIL use per-VNET lock instead of per-AF lock. Since most used packet filters (ipfw and PF) use the same ruleset with the same lock for both AF_INET and AF_INET6 there is no need in more fine-grade locking. However, it is possible to request personal lock by specifying PFIL_FLAG_PRIVATE_LOCK flag in pfil_head structure (see pfil.9 for more details).
Export PFIL lock via rw_lock(9)/rm_lock(9)-like API permitting pfil consumers to use this lock instead of own lock. This helps reduce locks on main traffic path.
pfil_assert() is currently not implemented due to absence of rm_assert(). Waiting for some kind of r234648 to be merged in HEAD.
This change is part of bigger patch reducing routing locking.
Sponsored by: Yandex LLC
Reviewed by: glebius, ae
OK'd by: silence on net@
MFC after: 3 weeks
|
#
198233 |
|
19-Oct-2009 |
rwatson |
Clean up comments, white space, and style in pfil.c (especially new VNET bits).
MFC after: 3 days (not VNET bits)
|
#
198198 |
|
18-Oct-2009 |
rwatson |
Line-wrap pfil.c so that it prints more nicely.
MFC after: 3 days
|
#
197952 |
|
11-Oct-2009 |
julian |
Virtualize the pfil hooks so that different jails may choose different packet filters. Also allows ipfw to be enabled on one jail and disabled on another. In 8.0 it's a global setting.
Sitting around in tree waiting to commit for: 2 months
MFC after: 2 months
|
#
186187 |
|
16-Dec-2008 |
rwatson |
A few locking fixes and cleanups to pfil hook registration, unregistration, and execution:
- Add some brackets for clarity and trim a bit of vertical whitespace.
- Remove comments that may not contribute to clarity, such as "Lock" before acquiring a lock and "Get memory" before allocating memory.
- During hook registration, don't drop pfil_list_lock between checking for a duplicate and registering the hook, as this leaves a race condition by failing to enforce the "no duplicate hooks" invariant.
- Don't lock the hook during registration, since it's not yet in use.
- Document assumption that hooks will be quiesced before being unregistered.
- Don't write-lock hooks during removal because they are assumed quiesced.
- Rename "done" label to "locked_error" to be clear that it's an error path on the way out of hook execution.
MFC after: pretty soon
|
#
173904 |
|
25-Nov-2007 |
mlaier |
pfil(9) locking take 3: Switch to rmlock(9)
This has the benefit that rmlocks have proper support for reader recursion (in contrast to rwlock(9) which could potentially lead to writer starvation). It also means a significant performance gain, even though only visible in microbenchmarks at the moment.
Discussed on: -arch, -net
|
#
155201 |
|
02-Feb-2006 |
csjp |
Somewhat re-factor the read/write locking mechanism associated with the packet filtering mechanisms to use the new rwlock(9) locking API:
- Drop the variables stored in the pfil_head structure which were specific to conditions and the home rolled read/write locking mechanism.
- Drop some includes which were used for condition variables
- Drop the inline functions, and convert them to macros. Also, move these macros into pfil.h
- Move pfil list locking macros into pfil.h as well
- Rename ph_busy_count to ph_nhooks. This variable will represent the number of IN/OUT hooks registered with the pfil head structure
- Define PFIL_HOOKED macro which evaluates to true if there are any hooks to be run by pfil_run_hooks
- In the IP/IP6 stacks, change the ph_busy_count comparison to use the new PFIL_HOOKED macro.
- Drop optimization in pfil_run_hooks which checks to see if there are any hooks to be run, and returns if not. This check is already performed by the IP stacks when they call:
    if (!PFIL_HOOKED(ph)) goto skip_hooks;
- Drop in assertion which makes sure that the number of hooks never drops below 0 for good measure. This in theory should never happen, and if it does then there are problems somewhere
- Drop special logic around PFIL_WAITOK because rw_wlock(9) does not sleep
- Drop variables which support home rolled read/write locking mechanism from the IPFW firewall chain structure.
- Swap out the read/write firewall chain lock internal to use the rwlock(9) API instead of our home rolled version
- Convert the inlined functions to macros
Reviewed by: mlaier, andre, glebius
Thanks to: jhb for the new locking API
|
#
146550 |
|
23-May-2005 |
mlaier |
Fix semantics of ph_busy_count == -1 to pass instead of block.
PR: kern/81128
Submitted by: Joost Bekkers
MFC-after: 2 weeks
|
#
139823 |
|
06-Jan-2005 |
imp |
/* -> /*- for license, minor formatting changes
|
#
136258 |
|
08-Oct-2004 |
mlaier |
Change pfil starvation prevention from fail-open to fail-close. We return ENOBUF to indicate the problem, which is an errno that should be handled well everywhere.
Requested & Submitted by: green
Silently okay'ed by: The rest of the firewall gang
MFC after: 3 days
|
#
135920 |
|
29-Sep-2004 |
mlaier |
Add an additional struct inpcb * argument to pfil(9) in order to enable passing along socket information. This is required to work around a LOR with the socket code which results in an easily reproducible hard lockup with debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do so later. The missing piece is to turn the filter locking into a leaf lock and will follow in a separate (later) commit.
This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in foreseeable future.
Suggested by: rwatson
A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by: rwatson, csjp
Tested by: -pf, -ipfw, LINT, csjp and myself
MFC after: 3 days
LOR IDs: 14 - 17 (not fixed yet)
|
#
135588 |
|
22-Sep-2004 |
mlaier |
Switch order for mtx_unlock and cv_signal as (condvar(9)) sez:
A thread must hold mp while calling cv_signal(), cv_broadcast(), or cv_broadcastpri() even though it isn't passed as an argument.
and is right with this claim.
While here remove a "\" from the macro -> __inline conversion.
Found by: csjp
MFC after: 4 days
|
#
120386 |
|
23-Sep-2003 |
sam |
o update PFIL_HOOKS support to current API used by netbsd
o revamp IPv4+IPv6+bridge usage to match API changes
o remove pfil_head instances from protosw entries (no longer used)
o add locking
o bump FreeBSD version for 3rd party modules
Heavy lifting by: "Max Laier" <max@love2party.net>
Supported by: FreeBSD Foundation
Obtained from: NetBSD (bits of pfil.h and pfil.c)
|
#
111119 |
|
19-Feb-2003 |
imp |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
#
109623 |
|
21-Jan-2003 |
alfred |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
92725 |
|
19-Mar-2002 |
alfred |
Remove __P.
|
#
71999 |
|
04-Feb-2001 |
phk |
Mechanical change to use <sys/queue.h> macro API instead of fondling implementation details.
Created with: sed(1)
Reviewed by: md5(1)
|
#
71959 |
|
03-Feb-2001 |
phk |
Use <sys/queue.h> macro api rather than fondle its implementation details.
Created with: /usr/bin/sed
Reviewed by: /sbin/md5
|
#
67882 |
|
29-Oct-2000 |
phk |
Remove unneeded #include <sys/proc.h> lines.
|
#
60317 |
|
10-May-2000 |
darrenr |
Add pfil(9) subroutines and manpage from NetBSD.
|