ffeab76b | 26-Jan-2024 | Kristof Provost <kp@FreeBSD.org>

pfil: PFIL_PASS never frees the mbuf

pfil hooks (i.e. firewalls) may pass, modify or free the mbuf passed to them. (E.g. when rejecting a packet, or when gathering up packets for reassembly). If the hook returns PFIL_PASS the mbuf must still be present. Assert this in pfil_mem_common() and ensure that ipfilter follows this convention. pf and ipfw already did.

Similarly, if the hook returns PFIL_DROPPED or PFIL_CONSUMED the mbuf must have been freed (or now be owned by the firewall for further processing, like packet scheduling or reassembly).

This allows us to remove a few extraneous NULL checks.

Suggested by: tuexen
Reviewed by: tuexen, zlei
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43617

c1c55da4 | 21-Dec-2023 | Gleb Smirnoff <glebius@FreeBSD.org>

pfil: don't leak pfil_head_t on interface detach

PR: 256714
Submitted by: jcaplan@blackberry.com

71625ec9 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c comment pattern

Remove /^/[*/]\s*\$FreeBSD\$.*\n/

b52b61c0 | 12-Mar-2023 | Kristof Provost <kp@FreeBSD.org>

pf: distinguish forwarding and output cases for pf_refragment6()

Re-introduce PFIL_FWD, because pf's pf_refragment6() needs to know if we're ip6_forward()-ing or ip6_output()-ing. ip6_forward() relies on m->m_pkthdr.rcvif, at least for link-local traffic (for in6_get_unicast_scopeid()). rcvif is not set for locally generated traffic (e.g. from icmp6_reflect()), so we need to call the correct output function.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D39061

caf32b26 | 14-Feb-2023 | Gleb Smirnoff <glebius@FreeBSD.org>

pfil: add pfil_mem_{in,out}() and retire pfil_run_hooks()

The 0b70e3e78b0 changed the original design of a single entry point into pfil(9) chains providing separate functions for the filtering points that always provide mbufs and know the direction of a flow. The motivation was to reduce branching. The logical continuation would be to do the same for the filtering points that always provide a memory pointer and retire the single entry point.

o Hooks now provide two functions: one for mbufs and optional for memory pointers.
o pfil_hook_args() has a new member and pfil_add_hook() has a requirement to zero out uninitialized data. Bump PFIL_VERSION.
o As it was before, a hook function for a memory pointer may realloc into an mbuf. Such mbuf would be returned via a pointer that must be provided in argument.
o The only hook that supports memory pointers is ipfw:default-link. It is rewritten to provide two functions.
o All remaining uses of pfil_run_hooks() are converted to pfil_mem_in().
o Transparent union of pfil_packet_t and tricks to fix pointer alignment are retired. Internal pfil_realloc() reduces down to m_devget() and thus is retired, too.

Reviewed by: mjg, ocochard
Differential revision: https://reviews.freebsd.org/D37977

0b70e3e7 | 02-Sep-2022 | Mateusz Guzik <mjg@FreeBSD.org>

net: add pfil_mbuf_{in,out}

This shaves a lot of branching due to MEMPTR flag.

Reviewed by: glebius
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D36454

c681cce9 | 14-Nov-2021 | Mateusz Guzik <mjg@FreeBSD.org>

net: whack "set but not used" warnings in net/pfil.c

Sponsored by: Rubicon Communications, LLC ("Netgate")

e87ad0ab | 22-Jan-2020 | Gleb Smirnoff <glebius@FreeBSD.org>

Since now drivers that support pfil run their interrupts in the network epoch, stop entering it in pfil_run_hooks(). Assert the epoch there.

66c6c556 | 16-Jan-2020 | Gleb Smirnoff <glebius@FreeBSD.org>

Change argument order of epoch_call() to a more natural one: first the function, then its argument.

Reviewed by: imp, cem, jhb

c9341022 | 10-Mar-2019 | Gleb Smirnoff <glebius@FreeBSD.org>

Most Ethernet drivers that potentially can run a pfil(9) hook with PFIL_MEMPTR flag are intentionally providing a memory address that isn't aligned to pointer alignment. This is done to align an IPv4 or IPv6 header that is expected to follow Ethernet header. When we return PFIL_REALLOCED we store a pointer to allocated mbuf at this address. With this change the KPI changes to store the pointer at aligned address, which usually results in +2 bytes.

Provide two inlines:
pfil_packet_align() to get aligned pfil_packet_t for a misaligned one
pfil_mem2mbuf() to read out mbuf pointer from misaligned pfil_packet_t

Provide function pfil_realloc(), not used yet, that would convert a memory pfil_packet_t to an mbuf one.

Reported by: hps
Reviewed by: hps, gallatin

b9fdb4b3 | 10-Mar-2019 | Gleb Smirnoff <glebius@FreeBSD.org>

Properly handle a case when a first filter returns PFIL_REALLOCED, then the second one returns PFIL_PASS.

3ca1c423 | 03-Feb-2019 | Gleb Smirnoff <glebius@FreeBSD.org>

Teach pfil_ioctl() about VIMAGE.

Submitted by: gallatin

b252313f | 31-Jan-2019 | Gleb Smirnoff <glebius@FreeBSD.org>

New pfil(9) KPI together with newborn pfil API and control utility.

The KPI has been reviewed and cleansed of features that were planned back 20 years ago and never implemented. The pfil(9) internals have been made opaque to protocols with only returned types and function declarations exposed. The KPI is made more strict, but at the same time more extensible, as kernel uses same command structures that userland ioctl uses.

In a nutshell [KA]PI is about declaring filtering points, declaring filters and linking and unlinking them together.

New [KA]PI makes it possible to reconfigure pfil(9) configuration: change order of hooks, rehook filter from one filtering point to a different one, disconnect a hook on output leaving it on input only, prepend/append a filter to existing list of filters.

Now it is possible for a single packet filter to provide multiple rulesets that may be linked to different points. Think of per-interface ACLs in Cisco or Juniper. None of existing packet filters yet support that, however limited usage is already possible, e.g. default ruleset can be moved to single interface, as soon as interfaces would provide their filtering points.

Another future feature is possibility to create pfil heads, that provide not an mbuf pointer but just a memory pointer with length. That would allow filtering at very early stages of a packet lifecycle, e.g. when packet has just been received by a NIC and no mbuf was yet allocated.

Differential Revision: https://reviews.freebsd.org/D18951

f712b161 | 31-Jan-2019 | Gleb Smirnoff <glebius@FreeBSD.org>

Revert r316461: Remove "IPFW static rules" rmlock, and use pfil's global lock.

The pfil(9) system is about to be converted to epoch(9) synchronization, so we need to [temporarily] go back with ipfw internal locking.

Discussed with: ae

effaab88 | 23-Mar-2018 | Kristof Provost <kp@FreeBSD.org>

netpfil: Introduce PFIL_FWD flag

Forwarded packets passed through PFIL_OUT, which made it difficult for firewalls to figure out if they were forwarding or producing packets. This in turn is an issue for pf for IPv6 fragment handling: it needs to call ip6_output() or ip6_forward() to handle the fragments. Figuring out which was difficult (and until now, incorrect).

Having pfil distinguish the two removes an ugly piece of code from pf.

Introduce a new variant of the netpfil callbacks with a flags variable, which has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if a packet is forwarded.

Reviewed by: ae, kevans
Differential Revision: https://reviews.freebsd.org/D13715

fe267a55 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>

sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

No functional change intended.

88d950a6 | 03-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>

Remove "IPFW static rules" rmlock. Make PFIL's lock global and use it for this purpose. This reduces the number of locks needed to acquire for each packet.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
No objection from: #network
Differential Revision: https://reviews.freebsd.org/D10154

af48c203 | 27-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>

Make pfil's locking macros private.

Obtained from: Yandex LLC
MFC after: 1 week

89856f7e | 21-Jun-2016 | Bjoern A. Zeeb <bz@FreeBSD.org>

Get closer to a VIMAGE network stack teardown from top to bottom rather than removing the network interfaces first. This change is rather large and convoluted as the ordering requirements cannot be separated.

Move the pfil(9) framework to SI_SUB_PROTO_PFIL, move Firewalls and related modules to their own SI_SUB_PROTO_FIREWALL. Move initialization of "physical" interfaces to SI_SUB_DRIVERS, move virtual (cloned) interfaces to SI_SUB_PSEUDO. Move Multicast to SI_SUB_PROTO_MC.

Re-work parts of multicast initialisation and teardown, not taking the huge amount of memory into account if used as a module yet.

For interface teardown we try to do as many of them as we can on SI_SUB_INIT_IF, but for some this makes no sense, e.g., when tunnelling over a higher layer protocol such as IP. In that case the interface has to go along (or before) the higher layer protocol is shutdown.

Kernel hhooks need to go last on teardown as they may be used at various higher layers and we cannot remove them before we cleaned up the higher layers.

For interface teardown there are multiple paths: (a) a cloned interface is destroyed (inside a VIMAGE or in the base system), (b) any interface is moved from a virtual network stack to a different network stack ("vmove"), or (c) a virtual network stack is being shut down. All code paths go through if_detach_internal() where we, depending on the vmove flag or the vnet state, make a decision on how much to shut down; in case we are destroying a VNET the individual protocol layers will cleanup their own parts thus we cannot do so again for each interface as we end up with, e.g., double-frees, destroying locks twice or acquiring already destroyed locks.

When calling into protocol cleanups we equally have to tell them whether they need to detach upper layer protocols ("ulp") or not (e.g., in6_ifdetach()).

Provide or enhance helper functions to do proper cleanup at a protocol rather than at an interface level.

Approved by: re (hrs)
Obtained from: projects/vnet
Reviewed by: gnn, jhb
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D6747

b9dbac48 | 06-Jun-2016 | Bjoern A. Zeeb <bz@FreeBSD.org>

SYSINIT functions do not return a value; switch to void, remove the return value, and mark the unused argument __unused.

Obtained from: projects/vnet
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation

1f12da0e | 22-Jan-2016 | Bjoern A. Zeeb <bz@FreeBSD.org>

Just checkpoint the WIP in order to be able to make the tree update easier. Note: this is currently not in a usable state as certain teardown parts are not called and the DOMAIN rework is missing. More to come soon and find its way to head.

Obtained from: P4 //depot/user/bz/vimage/...
Sponsored by: The FreeBSD Foundation

76039bc8 | 26-Oct-2013 | Gleb Smirnoff <glebius@FreeBSD.org>

The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare for this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h

Sponsored by: Netflix
Sponsored by: Nginx, Inc.

737003b3 | 24-Aug-2013 | Andre Oppermann <andre@FreeBSD.org>

Rename PFIL_LIST_[UN]LOCK() to PFIL_HEADLIST_[UN]LOCK() to avoid confusion with the pfil_head chain locking macros.

8da01399 | 24-Aug-2013 | Andre Oppermann <andre@FreeBSD.org>

Resolve the confusion between the head_list and the hook list. The linked list of pfil hooks is changed to "chain" and this term is applied consistently. The head_list remains with "list" term.

Add KASSERT to vnet_pfil_uninit().

Update and extend comments.

Reviewed by: eri (previous version)

887c60fc | 24-Aug-2013 | Andre Oppermann <andre@FreeBSD.org>

Internalize pfil_hook_get(). There are no outside consumers of this API, it is only safe for internal use and even the pfil(9) man page says so in the BUGS section.

Reviewed by: eri

f13e611f | 24-Aug-2013 | Andre Oppermann <andre@FreeBSD.org>

Convert one instance of pfil hook callback missed in r254769.

25da5060 | 24-Aug-2013 | Andre Oppermann <andre@FreeBSD.org>

Introduce typedef for pfil hook callback function and replace all spelled out occurrences with it.

Reviewed by: eri

5474386b | 18-Mar-2013 | Andrey V. Elsukov <ae@FreeBSD.org>

Fix style and comments.

ffdbf9da | 01-Nov-2012 | Andrey V. Elsukov <ae@FreeBSD.org>

Remove the recently added sysctl variable net.pfil.forward. Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set.

Suggested by: andre

c1de64a4 | 25-Oct-2012 | Andrey V. Elsukov <ae@FreeBSD.org>

Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on the related functionality at runtime via the sysctl variable net.pfil.forward. It is turned off by default.

Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks

4dab1a18 | 22-Oct-2012 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Make PFIL use per-VNET lock instead of per-AF lock.

Since most used packet filters (ipfw and PF) use the same ruleset with the same lock for both AF_INET and AF_INET6 there is no need in more fine-grained locking. However, it is possible to request personal lock by specifying PFIL_FLAG_PRIVATE_LOCK flag in pfil_head structure (see pfil.9 for more details).

Export PFIL lock via rw_lock(9)/rm_lock(9)-like API permitting pfil consumers to use this lock instead of their own lock. This helps reducing locks on main traffic path.

pfil_assert() is currently not implemented due to absence of rm_assert(). Waiting for some kind of r234648 to be merged in HEAD.

This change is part of bigger patch reducing routing locking.

Sponsored by: Yandex LLC
Reviewed by: glebius, ae
OK'd by: silence on net@
MFC after: 3 weeks

a7d5f7eb | 19-Oct-2010 | Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.

2ae7ec29 | 07-Feb-2010 | Julian Elischer <julian@FreeBSD.org>

MFC of 197952 and 198075

Virtualize the pfil hooks so that different jails may choose different packet filters. Also allows ipfw to be enabled on one jail and disabled on another. In 8.0 it's a global setting.

and

Unbreak the VIMAGE build with IPSEC, broken with r197952 by virtualizing the pfil hooks. For consistency add the V_ to virtualize the pfil hooks in here as well.

cbdd92bd | 21-Oct-2009 | Robert Watson <rwatson@FreeBSD.org>

Merge r198233 from head to stable/8:

Clean up comments, white space, and style in pfil.c (VNET changes not MFC'd)

Approved by: re (kib)

5e2ef993 | 21-Oct-2009 | Robert Watson <rwatson@FreeBSD.org>

Merge r198198 from head to stable/8:

Line-wrap pfil.c so that it prints more nicely.

Approved by: re (kensmith)

cee81198 | 19-Oct-2009 | Robert Watson <rwatson@FreeBSD.org>

Clean up comments, white space, and style in pfil.c (especially new VNET bits).

MFC after: 3 days (not VNET bits)

33c89765 | 18-Oct-2009 | Robert Watson <rwatson@FreeBSD.org>

Line-wrap pfil.c so that it prints more nicely.

MFC after: 3 days

0b4b0b0f | 10-Oct-2009 | Julian Elischer <julian@FreeBSD.org>

Virtualize the pfil hooks so that different jails may choose different packet filters. Also allows ipfw to be enabled on one jail and disabled on another. In 8.0 it's a global setting.

Sitting around in tree waiting to commit for: 2 months
MFC after: 2 months

d2c205d5 | 16-Dec-2008 | Robert Watson <rwatson@FreeBSD.org>

A few locking fixes and cleanups to pfil hook registration, unregistration, and execution:

- Add some brackets for clarity and trim a bit of vertical whitespace.
- Remove comments that may not contribute to clarity, such as "Lock" before acquiring a lock and "Get memory" before allocating memory.
- During hook registration, don't drop pfil_list_lock between checking for a duplicate and registering the hook, as this leaves a race condition by failing to enforce the "no duplicate hooks" invariant.
- Don't lock the hook during registration, since it's not yet in use.
- Document assumption that hooks will be quiesced before being unregistered.
- Don't write-lock hooks during removal because they are assumed quiesced.
- Rename "done" label to "locked_error" to be clear that it's an error path on the way out of hook execution.

MFC after: pretty soon

d7f03759 | 19-Oct-2008 | Ulf Lilleengen <lulf@FreeBSD.org>

- Import the HEAD csup code which is the basis for the cvsmode work.

1030a1a9 | 24-Nov-2007 | Max Laier <mlaier@FreeBSD.org>

pfil(9) locking take 3: Switch to rmlock(9)

This has the benefit that rmlocks have proper support for reader recursion (in contrast to rwlock(9) which could potentially lead to writer starvation). It also means a significant performance gain, even though only visible in microbenchmarks at the moment.

Discussed on: -arch, -net

604afec4 | 01-Feb-2006 | Christian S.J. Peron <csjp@FreeBSD.org>

Somewhat re-factor the read/write locking mechanism associated with the packet filtering mechanisms to use the new rwlock(9) locking API:

- Drop the variables stored in the pfil_head structure which were specific to conditions and the home rolled read/write locking mechanism.
- Drop some includes which were used for condition variables
- Drop the inline functions, and convert them to macros. Also, move these macros into pfil.h
- Move pfil list locking macros into pfil.h as well
- Rename ph_busy_count to ph_nhooks. This variable will represent the number of IN/OUT hooks registered with the pfil head structure
- Define PFIL_HOOKED macro which evaluates to true if there are any hooks to be run by pfil_run_hooks
- In the IP/IP6 stacks, change the ph_busy_count comparison to use the new PFIL_HOOKED macro.
- Drop optimization in pfil_run_hooks which checks to see if there are any hooks to be run, and returns if not. This check is already performed by the IP stacks when they call: if (!PFIL_HOOKED(ph)) goto skip_hooks;
- Drop in an assertion which makes sure that the number of hooks never drops below 0 for good measure. This in theory should never happen, and if it does then there are problems somewhere
- Drop special logic around PFIL_WAITOK because rw_wlock(9) does not sleep
- Drop variables which support home rolled read/write locking mechanism from the IPFW firewall chain structure.
- Swap out the read/write firewall chain lock internal to use the rwlock(9) API instead of our home rolled version
- Convert the inlined functions to macros

Reviewed by: mlaier, andre, glebius
Thanks to: jhb for the new locking API

d274e6b6 | 23-May-2005 | Max Laier <mlaier@FreeBSD.org>

Fix semantics of ph_busy_count == -1 to pass instead of block.

PR: kern/81128
Submitted by: Joost Bekkers
MFC-after: 2 weeks

c398230b | 06-Jan-2005 | Warner Losh <imp@FreeBSD.org>

/* -> /*- for license, minor formatting changes

85bba445 | 07-Oct-2004 | Max Laier <mlaier@FreeBSD.org>

Change pfil starvation prevention from fail-open to fail-close. We return ENOBUF to indicate the problem, which is an errno that should be handled well everywhere.

Requested & Submitted by: green
Silently okay'ed by: The rest of the firewall gang
MFC after: 3 days

d6a8d588 | 28-Sep-2004 | Max Laier <mlaier@FreeBSD.org>

Add an additional struct inpcb * argument to pfil(9) in order to enable passing along socket information. This is required to work around a LOR with the socket code which results in an easily reproducible hard lockup with debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do so later. The missing piece is to turn the filter locking into a leaf lock and will follow in a separate (later) commit.

This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in foreseeable future.

Suggested by: rwatson
A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by: rwatson, csjp
Tested by: -pf, -ipfw, LINT, csjp and myself
MFC after: 3 days
LOR IDs: 14 - 17 (not fixed yet)

fa97ea31 | 22-Sep-2004 | Max Laier <mlaier@FreeBSD.org>

Switch order for mtx_unlock and cv_signal as (condvar(9)) sez:

A thread must hold mp while calling cv_signal(), cv_broadcast(), or cv_broadcastpri() even though it isn't passed as an argument.

and is right with this claim.

While here remove a "\" from the macro -> __inline conversion.

Found by: csjp
MFC after: 4 days

134ea224 | 23-Sep-2003 | Sam Leffler <sam@FreeBSD.org>

o update PFIL_HOOKS support to current API used by netbsd
o revamp IPv4+IPv6+bridge usage to match API changes
o remove pfil_head instances from protosw entries (no longer used)
o add locking
o bump FreeBSD version for 3rd party modules

Heavy lifting by: "Max Laier" <max@love2party.net>
Supported by: FreeBSD Foundation
Obtained from: NetBSD (bits of pfil.h and pfil.c)

a163d034 | 18-Feb-2003 | Warner Losh <imp@FreeBSD.org>

Back out M_* changes, per decision of the TRB.

Approved by: trb

44956c98 | 21-Jan-2003 | Alfred Perlstein <alfred@FreeBSD.org>

Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.

929ddbbb | 19-Mar-2002 | Alfred Perlstein <alfred@FreeBSD.org>

Remove __P.

fc2ffbe6 | 04-Feb-2001 | Poul-Henning Kamp <phk@FreeBSD.org>

Mechanical change to use <sys/queue.h> macro API instead of fondling implementation details.

Created with: sed(1)
Reviewed by: md5(1)

22f29826 | 03-Feb-2001 | Poul-Henning Kamp <phk@FreeBSD.org>

Use <sys/queue.h> macro api rather than fondle its implementation details.

Created with: /usr/bin/sed
Reviewed by: /sbin/md5

53ce36d1 | 29-Oct-2000 | Poul-Henning Kamp <phk@FreeBSD.org>

Remove unneeded #include <sys/proc.h> lines.

e9c7bebf | 10-May-2000 | Darren Reed <darrenr@FreeBSD.org>

Add pfil(9) subroutines and manpage from NetBSD.