author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-04-24 19:36:55 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-04-24 19:36:55 +0000 |
commit | ccf01298eb370933be2f6386e5502f7f812047bc (patch) | |
tree | 08626863187ebafa510ae55a9c551d731cd4bf76 /sys/net | |
parent | 7b1ea8a3a89e1966e6de0290fc2ecd008d8f4128 (diff) |
Double link between pf states and sockets. Henning has already
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup always
is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index ce3ad1968ec..f0abe32b822 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.741 2011/04/23 10:00:36 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.742 2011/04/24 19:36:54 bluhm Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -953,6 +953,9 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
 if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
 ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse)
 sk = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse;
+ else if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk)
+ sk = ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk;
 else {
 if ((sk = RB_FIND(pf_state_tree, &pf_statetbl,
 (struct pf_state_key *)key)) == NULL)
@@ -963,11 +966,16 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
 ((struct pf_state_key *)
 m->m_pkthdr.pf.statekey)->reverse = sk;
 sk->reverse = m->m_pkthdr.pf.statekey;
+ } else if (dir == PF_OUT && m->m_pkthdr.pf.inp && !sk->inp) {
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk = sk;
+ sk->inp = m->m_pkthdr.pf.inp;
 }
 }
- if (dir == PF_OUT)
+ if (dir == PF_OUT) {
 m->m_pkthdr.pf.statekey = NULL;
+ m->m_pkthdr.pf.inp = NULL;
+ }
 /* list is sorted, if-bound states before floating ones */
 TAILQ_FOREACH(si, &sk->states, entry)
@@ -5938,6 +5946,13 @@ done:
 if (dir == PF_IN && s && s->key[PF_SK_STACK])
 m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
+ if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
+ !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk &&
+ s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) {
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk =
+ s->key[PF_SK_STACK];
+ s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp;
+ }
 #ifdef ALTQ
 if (action == PF_PASS && qid) {
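Review bot: The new `else if` fast path in pf_find_state (hunk at -953) takes `inp_pf_sk` from the socket and, in the visible lines, never compares it with `key`, so the state key cached on the inpcb is trusted to still describe this packet and to still be allocated. That holds only if every path that frees the inpcb or the state key, or changes the socket's addresses or ports, clears both `inp->inp_pf_sk` and `sk->inp`; those paths are outside this sys/net-limited diff and should be confirmed, since a stale pointer here would be a use-after-free or a match on the wrong state. The link set up in the hunk at -963 stores the same raw pointers and carries the same requirement. I would state the invariant on the branch, e.g. `/* inp_pf_sk is cleared on socket detach and on state key removal, so it is valid and matches key here */`. The function body starts and ends outside both hunks.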
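Review bot: The seven lines added under `done:` in the hunk at -5938 are repeated verbatim in the hunk at -6223, and each copy repeats the cast `(struct inpcb *)m->m_pkthdr.pf.inp` three times, so the two copies of the socket-to-state-key link can drift apart. Moving the link into one static helper called from both places keeps the both-sides-unlinked guard in a single spot and gives it a place for a comment on who undoes the link. The helper name below is only a suggestion, and the enclosing functions start and end outside both hunks.

```c
/*
 * Link the sending socket and the stack-side state key in both
 * directions, but only while neither side is linked yet.
 */
static __inline void
pf_link_outbound_inp(struct mbuf *m, struct pf_state *s)
{
	struct inpcb *inp = m->m_pkthdr.pf.inp;
	struct pf_state_key *sk;

	if (inp == NULL || inp->inp_pf_sk != NULL || s == NULL)
		return;
	sk = s->key[PF_SK_STACK];
	if (sk == NULL || sk->inp != NULL)
		return;
	inp->inp_pf_sk = sk;
	sk->inp = inp;
}

	/* ... unchanged: PF_IN statekey assignment under done: ... */
	if (dir == PF_OUT)
		pf_link_outbound_inp(m, s);
```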
@@ -6223,6 +6238,13 @@ done:
 if (dir == PF_IN && s && s->key[PF_SK_STACK])
 m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
+ if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
+ !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk &&
+ s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) {
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk =
+ s->key[PF_SK_STACK];
+ s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp;
+ }
 #ifdef ALTQ
 if (action == PF_PASS && qid) {
@@ -6319,4 +6341,5 @@ void
 pf_pkt_addr_changed(struct mbuf *m)
 {
 m->m_pkthdr.pf.statekey = NULL;
+ m->m_pkthdr.pf.inp = NULL;
 }
|