authorAlexander Bluhm <bluhm@cvs.openbsd.org>2011-04-24 19:36:55 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2011-04-24 19:36:55 +0000
commitccf01298eb370933be2f6386e5502f7f812047bc (patch)
tree08626863187ebafa510ae55a9c551d731cd4bf76 /sys
parent7b1ea8a3a89e1966e6de0290fc2ecd008d8f4128 (diff)
Double link between pf states and sockets. Henning has already
implemented half of it. The additional part is: - The pf state lookup for outgoing packets is optimized by using mbuf->inp->state. - For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp. - All protocols establish the link for incoming packets. - All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections. - In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket. ok henning@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c27
-rw-r--r--sys/netinet/in_pcb.c21
-rw-r--r--sys/netinet/raw_ip.c17
-rw-r--r--sys/netinet/tcp_input.c18
-rw-r--r--sys/netinet/tcp_output.c8
-rw-r--r--sys/netinet/udp_usrreq.c17
-rw-r--r--sys/netinet6/raw_ip6.c22
-rw-r--r--sys/sys/mbuf.h3
8 files changed, 120 insertions, 13 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index ce3ad1968ec..f0abe32b822 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.741 2011/04/23 10:00:36 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.742 2011/04/24 19:36:54 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -953,6 +953,9 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
if (dir == PF_OUT && m->m_pkthdr.pf.statekey &&
((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse)
sk = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse;
+ else if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk)
+ sk = ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk;
else {
if ((sk = RB_FIND(pf_state_tree, &pf_statetbl,
(struct pf_state_key *)key)) == NULL)
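Review bot: The new else-if at L37-39 takes the pcb's cached `inp_pf_sk` as the state key without going through the key comparison that RB_FIND performs, so a pcb whose cached key has gone stale would silently steer the packet onto the wrong state rather than miss. From this hunk alone it is not visible who clears `inp_pf_sk` when a state key is freed; in_pcbdetach() (this commit) only clears the reverse link, so the fast path presumably relies on the pf side doing it on key teardown. A short comment at the branch would make that dependency explicit: `/* inp_pf_sk is cleared by pf when the key is freed, so it never dangles */`. pf_find_state() begins and ends outside the hunk.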
@@ -963,11 +966,16 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir,
((struct pf_state_key *)
m->m_pkthdr.pf.statekey)->reverse = sk;
sk->reverse = m->m_pkthdr.pf.statekey;
+ } else if (dir == PF_OUT && m->m_pkthdr.pf.inp && !sk->inp) {
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk = sk;
+ sk->inp = m->m_pkthdr.pf.inp;
}
}
- if (dir == PF_OUT)
+ if (dir == PF_OUT) {
m->m_pkthdr.pf.statekey = NULL;
+ m->m_pkthdr.pf.inp = NULL;
+ }
/* list is sorted, if-bound states before floating ones */
TAILQ_FOREACH(si, &sk->states, entry)
@@ -5938,6 +5946,13 @@ done:
if (dir == PF_IN && s && s->key[PF_SK_STACK])
m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
+ if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
+ !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk &&
+ s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) {
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk =
+ s->key[PF_SK_STACK];
+ s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp;
+ }
#ifdef ALTQ
if (action == PF_PASS && qid) {
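Review bot: The block at L62-68 is repeated verbatim at L74-80 in the second `done:` path; each copy casts `m->m_pkthdr.pf.inp` twice and dereferences `s->key[PF_SK_STACK]` three times, so a small static helper called from both spots would keep the two copies from drifting and state the invariant in one place (a link is made only when neither side is linked yet). The caller in each path then collapses to `if (dir == PF_OUT) pf_state_link_inp(m, s);`. The enclosing function begins and ends outside the hunk.
```c
/*
 * Link the pcb that sent this packet to the freshly created state's
 * stack-side key, unless either side is already linked.
 */
static void
pf_state_link_inp(struct mbuf *m, struct pf_state *s)
{
	struct inpcb *inp = m->m_pkthdr.pf.inp;

	if (inp == NULL || inp->inp_pf_sk != NULL || s == NULL ||
	    s->key[PF_SK_STACK] == NULL || s->key[PF_SK_STACK]->inp != NULL)
		return;
	inp->inp_pf_sk = s->key[PF_SK_STACK];
	s->key[PF_SK_STACK]->inp = inp;
}
/* … unchanged: both done: paths, with the inline block replaced by the call … */
```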
@@ -6223,6 +6238,13 @@ done:
if (dir == PF_IN && s && s->key[PF_SK_STACK])
m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK];
+ if (dir == PF_OUT && m->m_pkthdr.pf.inp &&
+ !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk &&
+ s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) {
+ ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk =
+ s->key[PF_SK_STACK];
+ s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp;
+ }
#ifdef ALTQ
if (action == PF_PASS && qid) {
@@ -6319,4 +6341,5 @@ void
pf_pkt_addr_changed(struct mbuf *m)
{
m->m_pkthdr.pf.statekey = NULL;
+ m->m_pkthdr.pf.inp = NULL;
}
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index c9981fcc442..b372fdcecc9 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_pcb.c,v 1.116 2011/04/19 03:47:29 dlg Exp $ */
+/* $OpenBSD: in_pcb.c,v 1.117 2011/04/24 19:36:54 bluhm Exp $ */
/* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */
/*
@@ -509,8 +509,23 @@ in_pcbdetach(v)
splx(s);
#endif
#if NPF > 0
- if (inp->inp_pf_sk)
- ((struct pf_state_key *)inp->inp_pf_sk)->inp = NULL;
+ if (inp->inp_pf_sk) {
+ struct pf_state_key *sk;
+ struct pf_state_item *si;
+
+ s = splsoftnet();
+ sk = (struct pf_state_key *)inp->inp_pf_sk;
+ TAILQ_FOREACH(si, &sk->states, entry)
+ if (sk == si->s->key[PF_SK_STACK] && si->s->rule.ptr &&
+ si->s->rule.ptr->divert.port) {
+ pf_unlink_state(si->s);
+ break;
+ }
+ /* pf_unlink_state() may have detached the state */
+ if (inp->inp_pf_sk)
+ ((struct pf_state_key *)inp->inp_pf_sk)->inp = NULL;
+ splx(s);
+ }
#endif
s = splnet();
LIST_REMOVE(inp, inp_lhash);
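Review bot: The divert cleanup at L110-115 unlinks only the first state on `sk->states` whose rule carries a divert port and then breaks; the list can hold more than one state per key (pf_find_state() notes it is sorted if-bound before floating), so any further divert state on the same key would survive and could still match a new connection ahead of the listen socket, which is exactly what the commit sets out to prevent — worth confirming whether a stack-side key can carry more than one divert state. The break itself looks required, since the re-check at L117 implies pf_unlink_state() may free the key, so TAILQ_FOREACH_SAFE would not be enough either; a restart-from-head loop would be the safe way to drop all of them. The comment at L116 would say more as `/* pf_unlink_state() may have freed the key and cleared inp_pf_sk */`. in_pcbdetach() begins and ends outside the hunk.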
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index db470c84bb2..d3ad8bf199d 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.54 2011/04/19 03:47:29 dlg Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.55 2011/04/24 19:36:54 bluhm Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
/*
@@ -157,6 +157,16 @@ rip_input(struct mbuf *m, ...)
if (inp->inp_faddr.s_addr &&
inp->inp_faddr.s_addr != ip->ip_src.s_addr)
continue;
+#if NPF > 0
+ if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk &&
+ !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp &&
+ (inp->inp_socket->so_state & SS_ISCONNECTED) &&
+ ip->ip_p != IPPROTO_ICMP) {
+ ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp =
+ inp;
+ inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
+ }
+#endif
if (last) {
struct mbuf *n;
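Review bot: The link block at L138-145 is the fourth copy of the same cast-heavy pattern (tcp_input at L173-177, udp_input at L247-252, rip6_input at L299-306), each differing only in its protocol-specific guard; a helper in pf.c with a prototype in pfvar.h would leave only the guard in each protocol, e.g. `if ((inp->inp_socket->so_state & SS_ISCONNECTED) && ip->ip_p != IPPROTO_ICMP) pf_inp_link(m, inp);`. Note also that this code runs for every matching raw pcb in the loop, so the first connected non-ICMP socket claims the state and later ones see `sk->inp` already set; if that is intended, a one-line comment saying so would help. rip_input() begins and ends outside the hunk.
```c
/*
 * Link a connected pcb to the packet's stack-side state key, unless
 * either side is already linked.  Callers apply their own protocol guard.
 */
void
pf_inp_link(struct mbuf *m, struct inpcb *inp)
{
	struct pf_state_key *sk = m->m_pkthdr.pf.statekey;

	if (sk == NULL || inp->inp_pf_sk != NULL || sk->inp != NULL)
		return;
	sk->inp = inp;
	inp->inp_pf_sk = sk;
}
```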
@@ -277,6 +287,11 @@ rip_output(struct mbuf *m, ...)
/* force routing domain */
m->m_pkthdr.rdomain = inp->inp_rtableid;
+#if NPF > 0
+ if (inp->inp_socket->so_state & SS_ISCONNECTED &&
+ ip->ip_p != IPPROTO_ICMP)
+ m->m_pkthdr.pf.inp = inp;
+#endif
error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
inp->inp_moptions, inp);
if (error == EACCES) /* translate pf(4) error for userland */
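Review bot: The condition at L153-154 mixes `&` and `&&` without parentheses, unlike the same test in rip_input() at L140 and udp_input() at L249; it evaluates correctly because `&` binds tighter, but it reads as though SS_ISCONNECTED were the operand being tested, so `if ((inp->inp_socket->so_state & SS_ISCONNECTED) && ip->ip_p != IPPROTO_ICMP)` would match the input side. The same applies to rip6_output() at L315-316. Whether `ip` is already pointing at the header at this point in rip_output() is not visible in the hunk; the function begins and ends outside it.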
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 1a724dfa018..b66bfc7754f 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.245 2011/04/12 10:47:29 mikeb Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.246 2011/04/24 19:36:54 bluhm Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -895,7 +895,8 @@ after_listen:
#endif
#if NPF > 0
- if (m->m_pkthdr.pf.statekey) {
+ if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk &&
+ !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp) {
((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp;
inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
}
@@ -1338,6 +1339,19 @@ trimthenstep6:
((opti.ts_present &&
TSTMP_LT(tp->ts_recent, opti.ts_val)) ||
SEQ_GT(th->th_seq, tp->rcv_nxt))) {
+#if NPF > 0
+ /*
+ * The socket will be recreated but the new state
+ * has already been linked to the socket. Remove the
+ * link between old socket and new state. Otherwise
+ * closing the socket would remove the state.
+ */
+ if (inp->inp_pf_sk) {
+ ((struct pf_state_key *)inp->inp_pf_sk)->inp =
+ NULL;
+ inp->inp_pf_sk = NULL;
+ }
+#endif
/*
* Advance the iss by at least 32768, but
* clear the msb in order to make sure
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index a215aa70cbf..bb5416e7e0f 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_output.c,v 1.94 2011/04/05 18:01:21 henning Exp $ */
+/* $OpenBSD: tcp_output.c,v 1.95 2011/04/24 19:36:54 bluhm Exp $ */
/* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */
/*
@@ -98,6 +98,8 @@
#include <netinet6/in6_var.h>
#endif /* INET6 */
+#include "pf.h"
+
#ifdef notyet
extern struct mbuf *m_copypack();
#endif
@@ -1077,6 +1079,10 @@ send:
/* force routing domain */
m->m_pkthdr.rdomain = tp->t_inpcb->inp_rtableid;
+#if NPF > 0
+ m->m_pkthdr.pf.inp = tp->t_inpcb;
+#endif
+
switch (tp->pf) {
case 0: /*default to PF_INET*/
#ifdef INET
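Review bot: The inp link at L219 is set unconditionally, whereas udp_output (L262) and rip_output (L153) require SS_ISCONNECTED; the asymmetry is presumably deliberate, since the SYN from connect() goes out before the socket is marked connected and the commit wants the link from the first packet, but nothing in the code says so and a later "consistency fix" could break it. A one-line comment would pin it: `/* no SS_ISCONNECTED check: link from the first SYN of an outgoing connection */`. tcp_output() begins and ends outside the hunk.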
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 08a7d13317b..42daf24c458 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.140 2011/04/05 18:01:21 henning Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.141 2011/04/24 19:36:54 bluhm Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -560,7 +560,7 @@ udp_input(struct mbuf *m, ...)
/*
* Locate pcb for datagram.
*/
-#if 0
+#if NPF > 0
if (m->m_pkthdr.pf.statekey)
inp = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp;
#endif
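Review bot: Enabling the `statekey->inp` shortcut at L239-241 hands the datagram to whatever pcb pf recorded, without rechecking that the pcb's addresses, ports or routing domain still match the packet, so correctness now rests on the link being made only for connected sockets (L247-252 in this file) and on in_pcbdetach() clearing `sk->inp` before the pcb goes away. If `sk->inp` can be NULL here, the regular hash lookup presumably still runs, but that fallthrough is outside the hunk. A comment stating the invariant would help the next reader: `/* pcb recorded by pf; only set for a connected socket, cleared in in_pcbdetach() */`. udp_input() begins and ends outside the hunk.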
@@ -618,6 +618,15 @@ udp_input(struct mbuf *m, ...)
}
}
+#if NPF > 0
+ if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk &&
+ !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp &&
+ (inp->inp_socket->so_state & SS_ISCONNECTED)) {
+ ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp;
+ inp->inp_pf_sk = m->m_pkthdr.pf.statekey;
+ }
+#endif
+
#ifdef IPSEC
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
s = splnet();
@@ -1032,6 +1041,10 @@ udp_output(struct mbuf *m, ...)
/* force routing domain */
m->m_pkthdr.rdomain = inp->inp_rtableid;
+#if NPF > 0
+ if (inp->inp_socket->so_state & SS_ISCONNECTED)
+ m->m_pkthdr.pf.inp = inp;
+#endif
error = ip_output(m, inp->inp_options, &inp->inp_route,
inp->inp_socket->so_options &
(SO_DONTROUTE | SO_BROADCAST | SO_JUMBO),
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index c40a77d171a..2e1140953ef 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip6.c,v 1.41 2011/04/04 11:07:18 claudio Exp $ */
+/* $OpenBSD: raw_ip6.c,v 1.42 2011/04/24 19:36:54 bluhm Exp $ */
/* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */
/*
@@ -61,6 +61,8 @@
* @(#)raw_ip.c 8.2 (Berkeley) 1/4/94
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
@@ -75,6 +77,9 @@
#include <net/if.h>
#include <net/route.h>
#include <net/if_types.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
#include <netinet/in.h>
#include <netinet/in_var.h>
@@ -200,6 +205,16 @@ rip6_input(struct mbuf **mp, int *offp, int proto)
continue;
}
}
+#if NPF > 0
+ if (m->m_pkthdr.pf.statekey && !in6p->inp_pf_sk &&
+ !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp &&
+ (in6p->inp_socket->so_state & SS_ISCONNECTED) &&
+ proto != IPPROTO_ICMPV6) {
+ ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp =
+ in6p;
+ in6p->inp_pf_sk = m->m_pkthdr.pf.statekey;
+ }
+#endif
if (last) {
struct mbuf *n;
if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
@@ -487,6 +502,11 @@ rip6_output(struct mbuf *m, ...)
if (in6p->in6p_flags & IN6P_MINMTU)
flags |= IPV6_MINMTU;
+#if NPF > 0
+ if (in6p->inp_socket->so_state & SS_ISCONNECTED &&
+ so->so_proto->pr_protocol != IPPROTO_ICMPV6)
+ m->m_pkthdr.pf.inp = in6p;
+#endif
error = ip6_output(m, optp, &in6p->in6p_route, flags,
in6p->in6p_moptions, &oifp, in6p);
if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 38bf35babc6..203822a3460 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.150 2011/04/06 19:15:34 markus Exp $ */
+/* $OpenBSD: mbuf.h,v 1.151 2011/04/24 19:36:54 bluhm Exp $ */
/* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
/*
@@ -78,6 +78,7 @@ struct m_hdr {
struct pkthdr_pf {
void *hdr; /* saved hdr pos in mbuf, for ECN */
void *statekey; /* pf stackside statekey */
+ void *inp; /* connected pcb for outgoing packet */
u_int32_t qid; /* queue id */
u_int16_t tag; /* tag id */
u_int8_t flags;
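Review bot: `inp` at L335 is a raw, unreferenced pointer to the pcb that the protocol stores on output and that pf_find_state() clears on PF_OUT; the field comment should record that lifetime, because an mbuf that does not reach pf_find_state() (pf disabled, or an earlier exit from pf_test()) keeps the pointer while queued, and any later PF_OUT traversal would dereference it after the socket may have been closed. Suggest `/* connected pcb that sent the packet; valid only during the originating ip_output(), cleared by pf_find_state() */`. Whether such a re-traversal of a queued mbuf can actually occur is not visible here.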