author | Henning Brauer <henning@cvs.openbsd.org> | 2007-05-28 17:16:40 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2007-05-28 17:16:40 +0000 |
commit | f96d4bfaae8e683d6ce36140dff54c0670c826fb (patch) | |
tree | 599f5dac4bbc56331fe9f4806b73b80dabee239c /sys | |
parent | 024903f229c875b3dcae393928cc28761a3c18dd (diff) |
double pf performance.
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
Diffstat (limited to 'sys')
-rw-r--r-- | sys/altq/altq_cbq.c | 7 | ||||
-rw-r--r-- | sys/altq/altq_hfsc.c | 7 | ||||
-rw-r--r-- | sys/altq/altq_priq.c | 7 | ||||
-rw-r--r-- | sys/altq/altq_red.c | 27 | ||||
-rw-r--r-- | sys/kern/uipc_mbuf.c | 8 | ||||
-rw-r--r-- | sys/net/if_bridge.c | 4 | ||||
-rw-r--r-- | sys/net/pf.c | 151 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 30 | ||||
-rw-r--r-- | sys/net/pfvar.h | 17 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 8 | ||||
-rw-r--r-- | sys/netinet/ipsec_input.c | 4 | ||||
-rw-r--r-- | sys/netinet/ipsec_output.c | 4 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 8 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 6 | ||||
-rw-r--r-- | sys/sys/mbuf.h | 20 |
15 files changed, 102 insertions, 206 deletions
diff --git a/sys/altq/altq_cbq.c b/sys/altq/altq_cbq.c index 5b08e6d8427..16f4b272108 100644 --- a/sys/altq/altq_cbq.c +++ b/sys/altq/altq_cbq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_cbq.c,v 1.21 2007/04/10 17:47:52 miod Exp $ */ +/* $OpenBSD: altq_cbq.c,v 1.22 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_cbq.c,v 1.9 2000/12/14 08:12:45 thorpej Exp $ */ /* @@ -441,7 +441,6 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { cbq_state_t *cbqp = (cbq_state_t *)ifq->altq_disc; struct rm_class *cl; - struct pf_mtag *t; int len; /* grab class set by classifier */ @@ -452,9 +451,7 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) m_freem(m); return (ENOBUFS); } - t = pf_find_mtag(m); - if (t == NULL || - (cl = clh_to_clp(cbqp, t->qid)) == NULL) { + if ((cl = clh_to_clp(cbqp, m->m_pkthdr.pf.qid)) == NULL) { cl = cbqp->ifnp.default_; if (cl == NULL) { m_freem(m); diff --git a/sys/altq/altq_hfsc.c b/sys/altq/altq_hfsc.c index cc6d752820d..a3e73039233 100644 --- a/sys/altq/altq_hfsc.c +++ b/sys/altq/altq_hfsc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_hfsc.c,v 1.23 2006/03/04 22:40:15 brad Exp $ */ +/* $OpenBSD: altq_hfsc.c,v 1.24 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_hfsc.c,v 1.17 2002/11/29 07:48:33 kjc Exp $ */ /* @@ -618,7 +618,6 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { struct hfsc_if *hif = (struct hfsc_if *)ifq->altq_disc; struct hfsc_class *cl; - struct pf_mtag *t; int len; /* grab class set by classifier */ @@ -629,9 +628,7 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) m_freem(m); return (ENOBUFS); } - t = pf_find_mtag(m); - if (t == NULL || - (cl = clh_to_clp(hif, t->qid)) == NULL || + if ((cl = clh_to_clp(hif, m->m_pkthdr.pf.qid)) == NULL || is_a_parent_class(cl)) { cl = hif->hif_defaultclass; if (cl == NULL) { diff --git a/sys/altq/altq_priq.c b/sys/altq/altq_priq.c index e6d6a83c0ba..25e8a8beebc 100644 
--- a/sys/altq/altq_priq.c +++ b/sys/altq/altq_priq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_priq.c,v 1.19 2006/03/04 22:40:15 brad Exp $ */ +/* $OpenBSD: altq_priq.c,v 1.20 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_priq.c,v 1.1 2000/10/18 09:15:23 kjc Exp $ */ /* * Copyright (C) 2000 @@ -396,7 +396,6 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { struct priq_if *pif = (struct priq_if *)ifq->altq_disc; struct priq_class *cl; - struct pf_mtag *t; int len; /* grab class set by classifier */ @@ -407,9 +406,7 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) m_freem(m); return (ENOBUFS); } - t = pf_find_mtag(m); - if (t == NULL || - (cl = clh_to_clp(pif, t->qid)) == NULL) { + if ((cl = clh_to_clp(pif, m->m_pkthdr.pf.qid)) == NULL) { cl = pif->pif_default; if (cl == NULL) { m_freem(m); diff --git a/sys/altq/altq_red.c b/sys/altq/altq_red.c index 0de641866a7..92ee7b6fbbb 100644 --- a/sys/altq/altq_red.c +++ b/sys/altq/altq_red.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_red.c,v 1.12 2005/10/17 08:43:35 henning Exp $ */ +/* $OpenBSD: altq_red.c,v 1.13 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_red.c,v 1.10 2002/04/03 05:38:51 kjc Exp $ */ /* 
@@ -420,34 +420,27 @@ int mark_ecn(struct mbuf *m, struct altq_pktattr *pktattr, int flags) { struct mbuf *m0; - struct pf_mtag *t; + void *hdr; - if ((t = pf_find_mtag(m)) == NULL) - return (0); - - if (t->af != AF_INET && t->af != AF_INET6) - return (0); + hdr = m->m_pkthdr.pf.hdr; /* verify that pattr_hdr is within the mbuf data */ for (m0 = m; m0 != NULL; m0 = m0->m_next) - if (((caddr_t)(t->hdr) >= m0->m_data) && - ((caddr_t)(t->hdr) < m0->m_data + m0->m_len)) + if (((caddr_t)(hdr) >= m0->m_data) && + ((caddr_t)(hdr) < m0->m_data + m0->m_len)) break; if (m0 == NULL) { /* ick, tag info is stale */ return (0); } - switch (t->af) { - case AF_INET: + switch (((struct ip *)hdr)->ip_v) { + case 4: if (flags & REDF_ECN4) { - struct ip *ip = t->hdr; + struct ip *ip = hdr; u_int8_t otos; int sum; - if (ip->ip_v != 4) - return (0); /* version mismatch! */ - if ((ip->ip_tos & IPTOS_ECN_MASK) == IPTOS_ECN_NOTECT) return (0); /* not-ECT */ if ((ip->ip_tos & IPTOS_ECN_MASK) == IPTOS_ECN_CE) @@ -472,9 +465,9 @@ mark_ecn(struct mbuf *m, struct altq_pktattr *pktattr, int flags) } break; #ifdef INET6 - case AF_INET6: + case 6: if (flags & REDF_ECN6) { - struct ip6_hdr *ip6 = t->hdr; + struct ip6_hdr *ip6 = hdr; u_int32_t flowlabel; flowlabel = ntohl(ip6->ip6_flow); diff --git a/sys/kern/uipc_mbuf.c b/sys/kern/uipc_mbuf.c index a7786a6ec06..1e4585ea511 100644 --- a/sys/kern/uipc_mbuf.c +++ b/sys/kern/uipc_mbuf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_mbuf.c,v 1.81 2007/05/27 20:54:25 claudio Exp $ */ +/* $OpenBSD: uipc_mbuf.c,v 1.82 2007/05/28 17:16:39 henning Exp $ */ /* $NetBSD: uipc_mbuf.c,v 1.15.4.1 1996/06/13 17:11:44 cgd Exp $ */ /* @@ -191,6 +191,12 @@ m_gethdr(int nowait, int type) m->m_flags = M_PKTHDR; SLIST_INIT(&m->m_pkthdr.tags); m->m_pkthdr.csum_flags = 0; + m->m_pkthdr.pf.hdr = NULL; + m->m_pkthdr.pf.rtableid = 0; + m->m_pkthdr.pf.qid = 0; + m->m_pkthdr.pf.tag = 0; + m->m_pkthdr.pf.flags = 0; + m->m_pkthdr.pf.routed = 0; } splx(s); return (m); 
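Review bot: The bounds loop in mark_ecn only proves that the first byte of `hdr` lies inside some mbuf, yet the new `switch (((struct ip *)hdr)->ip_v)` and the branches below it go on to use `ip_tos` or `ip6_flow` further into the header. With the `af` field and the early return for a missing tag gone, the version nibble read from packet data is the only thing selecting the branch, so the range check should cover the whole header being touched, e.g. `(caddr_t)hdr + sizeof(struct ip) <= m0->m_data + m0->m_len` for the IPv4 case and the `struct ip6_hdr` equivalent for IPv6. A NULL `hdr` appears to be caught only by the existing `m0 == NULL` return, which deserves a one-line comment now that the explicit check is removed. The function spans two hunks and ends outside them.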
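Review bot: m_gethdr clears the six `pf` members one by one, so a member added to `struct pkthdr_pf` later would start out uninitialised, and pf would then trust it as a tag, a queue id or the `PF_TAG_GENERATED` bypass flag. A single `bzero(&m->m_pkthdr.pf, sizeof(m->m_pkthdr.pf));` keeps the initialisation complete by construction. Any other path that sets `M_PKTHDR` without going through m_gethdr is not visible in this diff and would need the same treatment, which is worth confirming. The function body starts outside the hunk.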
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index 00e9ea2216e..5049b380262 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_bridge.c,v 1.163 2007/05/28 06:31:01 mcbride Exp $ */ +/* $OpenBSD: if_bridge.c,v 1.164 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) @@ -2150,7 +2150,7 @@ bridge_filterrule(struct brl_head *h, struct ether_header *eh, struct mbuf *m) return_action: #if NPF > 0 - pf_tag_packet(m, NULL, n->brl_tag, -1); + pf_tag_packet(m, n->brl_tag, -1); #endif return (n->brl_action); } diff --git a/sys/net/pf.c b/sys/net/pf.c index 11a166a23e2..ad53f83c163 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.532 2007/05/27 21:17:38 dlg Exp $ */ +/* $OpenBSD: pf.c,v 1.533 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -183,8 +183,7 @@ int pf_test_state_icmp(struct pf_state **, int, void *, struct pf_pdesc *, u_short *); int pf_test_state_other(struct pf_state **, int, struct pfi_kif *, struct pf_pdesc *); -int pf_match_tag(struct mbuf *, struct pf_rule *, - struct pf_mtag *, int *); +int pf_match_tag(struct mbuf *, struct pf_rule *, int *); void pf_step_into_anchor(int *, struct pf_ruleset **, int, struct pf_rule **, struct pf_rule **, int *); int pf_step_out_of_anchor(int *, struct pf_ruleset **, @@ -1566,7 +1565,6 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af, #endif /* INET6 */ struct tcphdr *th; char *opt; - struct pf_mtag *pf_mtag; /* maximum segment size tcp option */ tlen = sizeof(struct tcphdr); 
@@ -1590,24 +1588,18 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af, m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) return; - if ((pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - return; - } if (tag) - pf_mtag->flags |= PF_TAG_GENERATED; - - pf_mtag->tag = rtag; + m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; + m->m_pkthdr.pf.tag = rtag; if (r != NULL && r->rtableid >= 0) - pf_mtag->rtableid = r->rtableid; + m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid; #ifdef ALTQ if (r != NULL && r->qid) { - pf_mtag->qid = r->qid; + m->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pf_mtag->af = af; - pf_mtag->hdr = mtod(m, struct ip *); + m->m_pkthdr.pf.hdr = mtod(m, struct ip *); } #endif /* ALTQ */ m->m_data += max_linkhdr; @@ -1717,24 +1709,19 @@ void pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, struct pf_rule *r) { - struct pf_mtag *pf_mtag; struct mbuf *m0; m0 = m_copy(m, 0, M_COPYALL); - - if ((pf_mtag = pf_get_mtag(m0)) == NULL) - return; - pf_mtag->flags |= PF_TAG_GENERATED; + m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; if (r->rtableid >= 0) - pf_mtag->rtableid = r->rtableid; + m0->m_pkthdr.pf.rtableid = r->rtableid; #ifdef ALTQ if (r->qid) { - pf_mtag->qid = r->qid; + m0->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pf_mtag->af = af; - pf_mtag->hdr = mtod(m0, struct ip *); + m0->m_pkthdr.pf.hdr = mtod(m0, struct ip *); } #endif /* ALTQ */ 
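Review bot: In pf_send_tcp the converted line `m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid;` assigns the field to itself, so the rule's routing table is dropped for generated TCP replies; the removed line copied `r->rtableid`. It should read `m->m_pkthdr.pf.rtableid = r->rtableid;`, as the pf_send_icmp hunk that follows does. Since m_gethdr zeroes the field, these packets would presumably always leave via routing table 0, which matters where rules use alternate tables to keep traffic separated. The function body starts and ends outside the hunk.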
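Review bot: `m0 = m_copy(m, 0, M_COPYALL);` is dereferenced on the next line (`m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;`) with no NULL check, and the only early return on this path went away with the pf_get_mtag call. If m_copy can fail under memory pressure, as mbuf copy routines normally can, this is a kernel NULL dereference reachable while answering a blocked packet; add `if (m0 == NULL) return;` directly after the copy. The copy presumably also carries the original packet's `pf` header fields (tag, qid, routed), so only the members assigned here are known to be fresh. The function continues past the end of the hunk.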
@@ -1849,58 +1836,26 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) return (pf_match(op, a1, a2, g)); } -struct pf_mtag * -pf_find_mtag(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) - return (NULL); - - return ((struct pf_mtag *)(mtag + 1)); -} - -struct pf_mtag * -pf_get_mtag(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) { - mtag = m_tag_get(PACKET_TAG_PF, sizeof(struct pf_mtag), - M_NOWAIT); - if (mtag == NULL) - return (NULL); - bzero(mtag + 1, sizeof(struct pf_mtag)); - m_tag_prepend(m, mtag); - } - - return ((struct pf_mtag *)(mtag + 1)); -} - int -pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_mtag *pf_mtag, - int *tag) +pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag) { if (*tag == -1) - *tag = pf_mtag->tag; + *tag = m->m_pkthdr.pf.tag; return ((!r->match_tag_not && r->match_tag == *tag) || (r->match_tag_not && r->match_tag != *tag)); } int -pf_tag_packet(struct mbuf *m, struct pf_mtag *pf_mtag, int tag, int rtableid) +pf_tag_packet(struct mbuf *m, int tag, int rtableid) { if (tag <= 0 && rtableid < 0) return (0); - if (pf_mtag == NULL) - if ((pf_mtag = pf_get_mtag(m)) == NULL) - return (1); if (tag > 0) - pf_mtag->tag = tag; + m->m_pkthdr.pf.tag = tag; if (rtableid >= 0) - pf_mtag->rtableid = rtableid; + m->m_pkthdr.pf.rtableid = rtableid; return (0); } @@ -2417,7 +2372,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, !pf_match_port(dst->port_op, dst->port[0], dst->port[1], dport)) r = r->skip[PF_SKIP_DST_PORT].ptr; - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 
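Review bot: pf_tag_packet can no longer fail, since every path returns 0 once the pf_get_mtag allocation is removed, but it keeps its `int` return and the callers in this diff still test it (`REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP);` in the pf_test_* functions, the `DPRINTF(("failed to tag ipsec packet\n"))` branches in the ipsec files). Either make it `void` and drop those dead branches, or state in a comment above the function that the return value is kept only for source compatibility. A short comment that `m` must carry `M_PKTHDR` would also help, because the function now writes `m->m_pkthdr.pf` unconditionally.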
@@ -2438,7 +2393,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r, NULL, NULL); } - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) + if (pf_tag_packet(m, tag, rtableid)) return (NULL); if (rm != NULL && (rm->action == PF_NONAT || rm->action == PF_NORDR || rm->action == PF_NOBINAT)) @@ -2926,7 +2881,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) @@ -3005,7 +2960,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action == PF_DROP) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -3304,7 +3259,7 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY) r = TAILQ_NEXT(r, entries); @@ -3368,7 +3323,7 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action == PF_DROP) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } 
@@ -3635,7 +3590,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY) r = TAILQ_NEXT(r, entries); @@ -3679,7 +3634,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action != PF_PASS) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -3894,7 +3849,7 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY) r = TAILQ_NEXT(r, entries); @@ -3966,7 +3921,7 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action != PF_PASS) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -4113,7 +4068,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else { if (r->anchor == NULL) { 
@@ -4145,7 +4100,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, if (r->action != PF_PASS) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, -1)) { + if (pf_tag_packet(m, tag, -1)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -5528,7 +5483,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, (dir != PF_IN && dir != PF_OUT) || oifp == NULL) panic("pf_route: invalid parameters"); - if (pd->pf_mtag->routed++ > 3) { + if ((*m)->m_pkthdr.pf.routed++ > 3) { m0 = *m; *m = NULL; goto bad; @@ -5719,7 +5674,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, (dir != PF_IN && dir != PF_OUT) || oifp == NULL) panic("pf_route6: invalid parameters"); - if (pd->pf_mtag->routed++ > 3) { + if ((*m)->m_pkthdr.pf.routed++ > 3) { m0 = *m; *m = NULL; goto bad; @@ -5750,7 +5705,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, /* Cheat. XXX why only in the v6 case??? */ if (r->rt == PF_FASTROUTE) { - pd->pf_mtag->flags |= PF_TAG_GENERATED; + m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; ip6_output(m0, NULL, NULL, 0, NULL, NULL); return; } @@ -5927,14 +5882,6 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, return (PF_PASS); memset(&pd, 0, sizeof(pd)); - if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test: pf_get_mtag returned NULL\n")); - return (PF_DROP); - } - if (pd.pf_mtag->flags & PF_TAG_GENERATED) - return (PF_PASS); - if (ifp->if_type == IFT_CARP && ifp->if_carpdev) kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; else @@ -5960,6 +5907,9 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, goto done; } + if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) + return (PF_PASS); + /* We do IP header normalization and packet reassembly here */ if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) { action = PF_DROP; 
@@ -6123,17 +6073,16 @@ done: } if ((s && s->tag) || r->rtableid) - pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid); + pf_tag_packet(m, s ? s->tag : 0, r->rtableid); #ifdef ALTQ if (action == PF_PASS && r->qid) { if (pqid || (pd.tos & IPTOS_LOWDELAY)) - pd.pf_mtag->qid = r->pqid; + m->m_pkthdr.pf.qid = r->pqid; else - pd.pf_mtag->qid = r->qid; + m->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pd.pf_mtag->af = AF_INET; - pd.pf_mtag->hdr = h; + m->m_pkthdr.pf.hdr = h; } #endif /* ALTQ */ @@ -6147,7 +6096,7 @@ done: (s->nat_rule.ptr->action == PF_RDR || s->nat_rule.ptr->action == PF_BINAT) && (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) - pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST; + m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; if (log) { struct pf_rule *lr; @@ -6257,14 +6206,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, return (PF_PASS); memset(&pd, 0, sizeof(pd)); - if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test6: pf_get_mtag returned NULL\n")); - return (PF_DROP); - } - if (pd.pf_mtag->flags & PF_TAG_GENERATED) - return (PF_PASS); - if (ifp->if_type == IFT_CARP && ifp->if_carpdev) kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; else @@ -6290,6 +6231,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, goto done; } + if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) + return (PF_PASS); + /* We do IP header normalization and packet reassembly here */ if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) { action = PF_DROP; 
@@ -6528,17 +6472,16 @@ done: } if ((s && s->tag) || r->rtableid) - pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid); + pf_tag_packet(m, s ? s->tag : 0, r->rtableid); #ifdef ALTQ if (action == PF_PASS && r->qid) { if (pd.tos & IPTOS_LOWDELAY) - pd.pf_mtag->qid = r->pqid; + m->m_pkthdr.pf.qid = r->pqid; else - pd.pf_mtag->qid = r->qid; + m->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pd.pf_mtag->af = AF_INET6; - pd.pf_mtag->hdr = h; + m->m_pkthdr.pf.hdr = h; } #endif /* ALTQ */ @@ -6547,7 +6490,7 @@ done: (s->nat_rule.ptr->action == PF_RDR || s->nat_rule.ptr->action == PF_BINAT) && IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) - pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST; + m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; if (log) { struct pf_rule *lr; diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 93d3e1cd031..ab3a161f83d 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.108 2007/05/26 00:36:03 krw Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.109 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -929,18 +929,6 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, if (m == NULL) return (PF_DROP); - /* use mtag from concatenated mbuf chain */ - pd->pf_mtag = pf_find_mtag(m); -#ifdef DIAGNOSTIC - if (pd->pf_mtag == NULL) { - printf("%s: pf_find_mtag returned NULL(1)\n", __func__); - if ((pd->pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - *m0 = NULL; - goto no_mem; - } - } -#endif if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) goto drop; 
@@ -949,7 +937,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, /* non-buffering fragment cache (drops or masks overlaps) */ int nomem = 0; - if (dir == PF_OUT && pd->pf_mtag->flags & PF_TAG_FRAGCACHE) { + if (dir == PF_OUT && m->m_pkthdr.pf.flags & PF_TAG_FRAGCACHE) { /* * Already passed the fragment cache in the * input direction. If we continued, it would @@ -976,20 +964,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, goto drop; } - /* use mtag from copied and trimmed mbuf chain */ - pd->pf_mtag = pf_find_mtag(m); -#ifdef DIAGNOSTIC - if (pd->pf_mtag == NULL) { - printf("%s: pf_find_mtag returned NULL(2)\n", __func__); - if ((pd->pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - *m0 = NULL; - goto no_mem; - } - } -#endif if (dir == PF_IN) - pd->pf_mtag->flags |= PF_TAG_FRAGCACHE; + m->m_pkthdr.pf.flags |= PF_TAG_FRAGCACHE; if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) goto drop; diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index d650f799704..d55c600f6a6 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.244 2007/02/23 21:31:51 deraadt Exp $ */ +/* $OpenBSD: pfvar.h,v 1.245 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -949,7 +949,6 @@ struct pf_pdesc { struct pf_addr *dst; struct ether_header *eh; - struct pf_mtag *pf_mtag; u_int16_t *ip_sum; u_int32_t p_len; /* total length of payload */ u_int16_t flags; /* Let SCRUB trigger behavior in @@ -1157,16 +1156,6 @@ struct pf_altq { #define PF_TAG_FRAGCACHE 0x02 #define PF_TAG_TRANSLATE_LOCALHOST 0x04 -struct pf_mtag { - void *hdr; /* saved hdr pos in mbuf, for ECN */ - u_int rtableid; /* alternate routing table id */ - u_int32_t qid; /* queue id */ - u_int16_t tag; /* tag id */ - u_int8_t flags; - u_int8_t routed; - sa_family_t af; /* for ECN */ -}; - struct pf_tag { u_int16_t tag; /* tag id */ }; 
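Review bot: `if (dir == PF_OUT && m->m_pkthdr.pf.flags & PF_TAG_FRAGCACHE)` relies on `&` binding tighter than `&&`; it evaluates as intended, but the flag test reads more safely parenthesised, `if (dir == PF_OUT && (m->m_pkthdr.pf.flags & PF_TAG_FRAGCACHE))`, so the intent survives later edits to the condition. The enclosing function starts and ends outside the hunk.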
@@ -1595,12 +1584,10 @@ u_int16_t pf_tagname2tag(char *); void pf_tag2tagname(u_int16_t, char *); void pf_tag_ref(u_int16_t); void pf_tag_unref(u_int16_t); -int pf_tag_packet(struct mbuf *, struct pf_mtag *, int, int); +int pf_tag_packet(struct mbuf *, int, int); u_int32_t pf_qname2qid(char *); void pf_qid2qname(u_int32_t, char *); void pf_qid_unref(u_int32_t); -struct pf_mtag *pf_find_mtag(struct mbuf *); -struct pf_mtag *pf_get_mtag(struct mbuf *); extern struct pf_status pf_status; extern struct pool pf_frent_pl, pf_frag_pl; diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index dc0804981bc..529d271fbea 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.148 2007/05/27 20:14:15 dlg Exp $ */ +/* $OpenBSD: ip_input.c,v 1.149 2007/05/28 17:16:39 henning Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -1434,9 +1434,6 @@ ip_forward(m, srcrt) int error, type = 0, code = 0, destmtu = 0, rtableid = 0; struct mbuf *mcopy; n_long dest; -#if NPF > 0 - struct pf_mtag *pft; -#endif dest = 0; #ifdef DIAGNOSTIC @@ -1455,8 +1452,7 @@ ip_forward(m, srcrt) } #if NPF > 0 - if ((pft = pf_find_mtag(m)) != NULL) - rtableid = pft->rtableid; + rtableid = m->m_pkthdr.pf.rtableid; #endif sin = satosin(&ipforward_rt.ro_dst); diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c index c3c45b5373b..16ea0a2cdb7 100644 --- a/sys/netinet/ipsec_input.c +++ b/sys/netinet/ipsec_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_input.c,v 1.83 2007/02/08 15:25:30 itojun Exp $ */ +/* $OpenBSD: ipsec_input.c,v 1.84 2007/05/28 17:16:39 henning Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and 
@@ -562,7 +562,7 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, #if NPF > 0 /* Add pf tag if requested. */ - if (pf_tag_packet(m, NULL, tdbp->tdb_tag, -1)) + if (pf_tag_packet(m, tdbp->tdb_tag, -1)) DPRINTF(("failed to tag ipsec packet\n")); #endif diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c index 2a9d6da4519..bdb15200674 100644 --- a/sys/netinet/ipsec_output.c +++ b/sys/netinet/ipsec_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_output.c,v 1.37 2007/02/08 15:25:30 itojun Exp $ */ +/* $OpenBSD: ipsec_output.c,v 1.38 2007/05/28 17:16:39 henning Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -497,7 +497,7 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb) #if NPF > 0 /* Add pf tag if requested. */ - if (pf_tag_packet(m, NULL, tdb->tdb_tag, -1)) + if (pf_tag_packet(m, tdb->tdb_tag, -1)) DPRINTF(("failed to tag ipsec packet\n")); #endif diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 7448d6f3f59..c481e36c7a8 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_forward.c,v 1.37 2006/11/27 12:27:45 henning Exp $ */ +/* $OpenBSD: ip6_forward.c,v 1.38 2007/05/28 17:16:39 henning Exp $ */ /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */ /* @@ -104,9 +104,6 @@ ip6_forward(m, srcrt) struct tdb *tdb; int s; #endif /* IPSEC */ -#if NPF > 0 - struct pf_mtag *pft; -#endif int rtableid = 0; /* @@ -220,8 +217,7 @@ ip6_forward(m, srcrt) #endif /* IPSEC */ #if NPF > 0 - if ((pft = pf_find_mtag(m)) != NULL) - rtableid = pft->rtableid; + rtableid = m->m_pkthdr.pf.rtableid; #endif /* diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 1aea3ae6747..b4262fb0326 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.76 2007/05/08 23:23:16 mcbride Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.77 2007/05/28 17:16:39 henning Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -206,7 +206,6 @@ ip6_input(m) struct ifnet *deliverifp = NULL; #if NPF > 0 struct in6_addr odst; - struct pf_mtag *pft; #endif int srcrt = 0, rtableid = 0; @@ -431,8 +430,7 @@ ip6_input(m) } #if NPF > 0 - if ((pft = pf_find_mtag(m)) != NULL) - rtableid = pft->rtableid; + rtableid = m->m_pkthdr.pf.rtableid; #endif /* diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h index 4cdc4e60515..3ffe8ff9038 100644 --- a/sys/sys/mbuf.h +++ b/sys/sys/mbuf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: mbuf.h,v 1.87 2007/05/27 20:54:25 claudio Exp $ */ +/* $OpenBSD: mbuf.h,v 1.88 2007/05/28 17:16:39 henning Exp $ */ /* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */ /* @@ -75,12 +75,23 @@ struct m_hdr { u_short mh_flags; /* flags; see below */ }; +/* pf stuff */ +struct pkthdr_pf { + void *hdr; /* saved hdr pos in mbuf, for ECN */ + u_int rtableid; /* alternate routing table id */ + u_int32_t qid; /* queue id */ + u_int16_t tag; /* tag id */ + u_int8_t flags; + u_int8_t routed; +}; + /* record/packet header in first mbuf of chain; valid if M_PKTHDR set */ struct pkthdr { - struct ifnet *rcvif; /* rcv interface */ + struct ifnet *rcvif; /* rcv interface */ SLIST_HEAD(packet_tags, m_tag) tags; /* list of packet tags */ - int len; /* total packet length */ - int csum_flags; /* checksum flags */ + int len; /* total packet length */ + int csum_flags; /* checksum flags */ + struct pkthdr_pf pf; }; /* description of external storage mapped into mbuf, valid if M_EXT set */ 
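Review bot: `struct pkthdr_pf` keeps `hdr` as a raw pointer into packet data inside the packet header, and its comment does not say that the pointer can outlive the data it refers to. Suggest `void *hdr; /* saved hdr pos in mbuf, for ECN; may be stale, validate against the chain before use */`, which matches the check mark_ecn performs. `flags` and `routed` have no comments at all; `/* PF_TAG_* */` and `/* pf_route()/pf_route6() pass count */` would document them from what the pf.c hunks show. The `/* pf stuff */` header could also say that m_gethdr zeroes these fields.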
@@ -527,7 +538,6 @@ struct m_tag *m_tag_next(struct mbuf *, struct m_tag *); #define PACKET_TAG_GIF 8 /* GIF processing done */ #define PACKET_TAG_GRE 9 /* GRE processing done */ #define PACKET_TAG_IN_PACKET_CHECKSUM 10 /* NIC checksumming done */ -#define PACKET_TAG_PF 11 /* PF */ #define PACKET_TAG_DLT 17 /* data link layer type */ #ifdef MBTYPES |