author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-04-24 19:36:55 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2011-04-24 19:36:55 +0000 |
commit | ccf01298eb370933be2f6386e5502f7f812047bc (patch) | |
tree | 08626863187ebafa510ae55a9c551d731cd4bf76 /sys | |
parent | 7b1ea8a3a89e1966e6de0290fc2ecd008d8f4128 (diff) |
Double link between pf states and sockets. Henning has already
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup is always
optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf.c | 27 | ||||
-rw-r--r-- | sys/netinet/in_pcb.c | 21 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 17 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 18 | ||||
-rw-r--r-- | sys/netinet/tcp_output.c | 8 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 17 | ||||
-rw-r--r-- | sys/netinet6/raw_ip6.c | 22 | ||||
-rw-r--r-- | sys/sys/mbuf.h | 3 |
8 files changed, 120 insertions, 13 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index ce3ad1968ec..f0abe32b822 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.741 2011/04/23 10:00:36 bluhm Exp $ */ +/* $OpenBSD: pf.c,v 1.742 2011/04/24 19:36:54 bluhm Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -953,6 +953,9 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir, if (dir == PF_OUT && m->m_pkthdr.pf.statekey && ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse) sk = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->reverse; + else if (dir == PF_OUT && m->m_pkthdr.pf.inp && + ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk) + sk = ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk; else { if ((sk = RB_FIND(pf_state_tree, &pf_statetbl, (struct pf_state_key *)key)) == NULL) @@ -963,11 +966,16 @@ pf_find_state(struct pfi_kif *kif, struct pf_state_key_cmp *key, u_int dir, ((struct pf_state_key *) m->m_pkthdr.pf.statekey)->reverse = sk; sk->reverse = m->m_pkthdr.pf.statekey; + } else if (dir == PF_OUT && m->m_pkthdr.pf.inp && !sk->inp) { + ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk = sk; + sk->inp = m->m_pkthdr.pf.inp; } } - if (dir == PF_OUT) + if (dir == PF_OUT) { m->m_pkthdr.pf.statekey = NULL; + m->m_pkthdr.pf.inp = NULL; + } /* list is sorted, if-bound states before floating ones */ TAILQ_FOREACH(si, &sk->states, entry) @@ -5938,6 +5946,13 @@ done: if (dir == PF_IN && s && s->key[PF_SK_STACK]) m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; + if (dir == PF_OUT && m->m_pkthdr.pf.inp && + !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk && + s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) { + ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk = + s->key[PF_SK_STACK]; + s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp; + } #ifdef ALTQ if (action == PF_PASS && qid) { 
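Review bot: The new `else if` shortcut in pf_find_state takes `inp_pf_sk` as the state key without comparing it with the `key` built from the packet, so unlike the RB_FIND branch nothing confirms that the packet's addresses and ports are the ones the state was created for. For TCP and UDP the link is only made for connected pcbs, so the tuple is fixed; for the raw sockets this commit also links (rip_output, rip6_output) the IP header can, with a header-including send option, be supplied by the caller, so the cached key and the packet may disagree (not visible in this hunk, to be confirmed). Falling back to the tree lookup when they differ keeps the optimization and the check: `else if (dir == PF_OUT && m->m_pkthdr.pf.inp && ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk && pf_state_compare_key(((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk, (struct pf_state_key *)key) == 0)`. The body of pf_find_state continues outside the hunk.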
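Review bot: The link block added before `#ifdef ALTQ` is repeated verbatim in pf_test6 (hunk at -6223) and a third variant sits in pf_find_state, each spelling out the not-yet-linked conditions by hand, and the input-side hunks in tcp_input, udp_input, rip_input and rip6_input repeat the mirror image. A small helper taking the mbuf and the stack-side key would keep the pf sites from drifting and make the one-link-per-pcb rule explicit; the call here becomes `if (dir == PF_OUT && s) pf_inp_link(m, s->key[PF_SK_STACK]);` (the helper name is a suggestion). The `done:` section continues outside the hunk.
```c
/*
 * Link a connected pcb and the stack-side key of the state it matched,
 * in both directions.  Only the first match is linked: a pcb or a key
 * that already carries a link is left alone.
 */
static void
pf_inp_link(struct mbuf *m, struct pf_state_key *sk)
{
	struct inpcb *inp = m->m_pkthdr.pf.inp;

	if (inp == NULL || sk == NULL || inp->inp_pf_sk != NULL ||
	    sk->inp != NULL)
		return;
	inp->inp_pf_sk = sk;
	sk->inp = inp;
}

	/* … unchanged: statekey handoff for PF_IN … */
	if (dir == PF_OUT && s)
		pf_inp_link(m, s->key[PF_SK_STACK]);
```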
@@ -6223,6 +6238,13 @@ done: if (dir == PF_IN && s && s->key[PF_SK_STACK]) m->m_pkthdr.pf.statekey = s->key[PF_SK_STACK]; + if (dir == PF_OUT && m->m_pkthdr.pf.inp && + !((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk && + s && s->key[PF_SK_STACK] && !s->key[PF_SK_STACK]->inp) { + ((struct inpcb *)m->m_pkthdr.pf.inp)->inp_pf_sk = + s->key[PF_SK_STACK]; + s->key[PF_SK_STACK]->inp = m->m_pkthdr.pf.inp; + } #ifdef ALTQ if (action == PF_PASS && qid) { @@ -6319,4 +6341,5 @@ void pf_pkt_addr_changed(struct mbuf *m) { m->m_pkthdr.pf.statekey = NULL; + m->m_pkthdr.pf.inp = NULL; } diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index c9981fcc442..b372fdcecc9 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_pcb.c,v 1.116 2011/04/19 03:47:29 dlg Exp $ */ +/* $OpenBSD: in_pcb.c,v 1.117 2011/04/24 19:36:54 bluhm Exp $ */ /* $NetBSD: in_pcb.c,v 1.25 1996/02/13 23:41:53 christos Exp $ */ /* @@ -509,8 +509,23 @@ in_pcbdetach(v) splx(s); #endif #if NPF > 0 - if (inp->inp_pf_sk) - ((struct pf_state_key *)inp->inp_pf_sk)->inp = NULL; + if (inp->inp_pf_sk) { + struct pf_state_key *sk; + struct pf_state_item *si; + + s = splsoftnet(); + sk = (struct pf_state_key *)inp->inp_pf_sk; + TAILQ_FOREACH(si, &sk->states, entry) + if (sk == si->s->key[PF_SK_STACK] && si->s->rule.ptr && + si->s->rule.ptr->divert.port) { + pf_unlink_state(si->s); + break; + } + /* pf_unlink_state() may have detached the state */ + if (inp->inp_pf_sk) + ((struct pf_state_key *)inp->inp_pf_sk)->inp = NULL; + splx(s); + } #endif s = splnet(); LIST_REMOVE(inp, inp_lhash); diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index db470c84bb2..d3ad8bf199d 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip.c,v 1.54 2011/04/19 03:47:29 dlg Exp $ */ +/* $OpenBSD: raw_ip.c,v 1.55 2011/04/24 19:36:54 bluhm Exp $ */ /* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */ /* 
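Review bot: The new divert-state loop in in_pcbdetach carries no comment on why only states with `divert.port` set are torn down while every other linked state is merely unlinked; the reason is in the commit message but not in the code, which is where the next reader will look. I would add above `TAILQ_FOREACH(si, &sk->states, entry)`: `/* A divert state would outlive its socket and keep matching new connections that must reach the listen socket, so unlink it here; other states only drop the pcb link. */`. The re-check `if (inp->inp_pf_sk)` after the loop is needed because, as the existing comment says, pf_unlink_state() may already have broken the link from the state side (the clearing itself is outside this hunk). in_pcbdetach continues outside the hunk.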
@@ -157,6 +157,16 @@ rip_input(struct mbuf *m, ...) if (inp->inp_faddr.s_addr && inp->inp_faddr.s_addr != ip->ip_src.s_addr) continue; +#if NPF > 0 + if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk && + !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp && + (inp->inp_socket->so_state & SS_ISCONNECTED) && + ip->ip_p != IPPROTO_ICMP) { + ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = + inp; + inp->inp_pf_sk = m->m_pkthdr.pf.statekey; + } +#endif if (last) { struct mbuf *n; @@ -277,6 +287,11 @@ rip_output(struct mbuf *m, ...) /* force routing domain */ m->m_pkthdr.rdomain = inp->inp_rtableid; +#if NPF > 0 + if (inp->inp_socket->so_state & SS_ISCONNECTED && + ip->ip_p != IPPROTO_ICMP) + m->m_pkthdr.pf.inp = inp; +#endif error = ip_output(m, inp->inp_options, &inp->inp_route, flags, inp->inp_moptions, inp); if (error == EACCES) /* translate pf(4) error for userland */ diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 1a724dfa018..b66bfc7754f 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.245 2011/04/12 10:47:29 mikeb Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.246 2011/04/24 19:36:54 bluhm Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -895,7 +895,8 @@ after_listen: #endif #if NPF > 0 - if (m->m_pkthdr.pf.statekey) { + if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk && + !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp) { ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp; inp->inp_pf_sk = m->m_pkthdr.pf.statekey; } 
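Review bot: The new condition in rip_output mixes `&` and `&&` without the parentheses the rip_input hunk above uses, `if (inp->inp_socket->so_state & SS_ISCONNECTED && ip->ip_p != IPPROTO_ICMP)`; it parses as intended, but `(inp->inp_socket->so_state & SS_ISCONNECTED) && ip->ip_p != IPPROTO_ICMP` matches the input side and is easier to read, and the same applies to the rip6_output hunk in raw_ip6.c. The IPv4 side also decides on `ip->ip_p` from the packet header whereas rip6_output tests `so->so_proto->pr_protocol`; if this path can be reached with a caller-supplied header (not visible here), the protocol check and hence the pcb link depend on what the caller wrote, so testing the socket's protocol on both sides would be consistent and independent of packet contents. rip_output continues outside the hunk.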
@@ -1338,6 +1339,19 @@ trimthenstep6: ((opti.ts_present && TSTMP_LT(tp->ts_recent, opti.ts_val)) || SEQ_GT(th->th_seq, tp->rcv_nxt))) { +#if NPF > 0 + /* + * The socket will be recreated but the new state + * has already been linked to the socket. Remove the + * link between old socket and new state. Otherwise + * closing the socket would remove the state. + */ + if (inp->inp_pf_sk) { + ((struct pf_state_key *)inp->inp_pf_sk)->inp = + NULL; + inp->inp_pf_sk = NULL; + } +#endif /* * Advance the iss by at least 32768, but * clear the msb in order to make sure diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index a215aa70cbf..bb5416e7e0f 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_output.c,v 1.94 2011/04/05 18:01:21 henning Exp $ */ +/* $OpenBSD: tcp_output.c,v 1.95 2011/04/24 19:36:54 bluhm Exp $ */ /* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */ /* @@ -98,6 +98,8 @@ #include <netinet6/in6_var.h> #endif /* INET6 */ +#include "pf.h" + #ifdef notyet extern struct mbuf *m_copypack(); #endif @@ -1077,6 +1079,10 @@ send: /* force routing domain */ m->m_pkthdr.rdomain = tp->t_inpcb->inp_rtableid; +#if NPF > 0 + m->m_pkthdr.pf.inp = tp->t_inpcb; +#endif + switch (tp->pf) { case 0: /*default to PF_INET*/ #ifdef INET diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 08a7d13317b..42daf24c458 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_usrreq.c,v 1.140 2011/04/05 18:01:21 henning Exp $ */ +/* $OpenBSD: udp_usrreq.c,v 1.141 2011/04/24 19:36:54 bluhm Exp $ */ /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */ /* @@ -560,7 +560,7 @@ udp_input(struct mbuf *m, ...) /* * Locate pcb for datagram. */ -#if 0 +#if NPF > 0 if (m->m_pkthdr.pf.statekey) inp = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp; #endif 
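Review bot: Turning `#if 0` into `#if NPF > 0` makes `inp = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp;` the first pcb lookup in udp_input, and nothing at this site checks that the pcb reached through the state still matches the datagram; correctness rests on two invariants established elsewhere in this commit, that only connected pcbs are linked (udp_input hunk at -618) and that in_pcbdetach clears `sk->inp` before the pcb goes away. I would record that at the site: `/* Only connected pcbs are linked (see below) and in_pcbdetach() clears sk->inp, so a linked pcb is current; revisit if either changes. */`. Whether the hash lookup still runs when this leaves `inp` NULL is outside the hunk and should be confirmed. udp_input continues outside the hunk.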
@@ -618,6 +618,15 @@ udp_input(struct mbuf *m, ...) } } +#if NPF > 0 + if (m->m_pkthdr.pf.statekey && !inp->inp_pf_sk && + !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp && + (inp->inp_socket->so_state & SS_ISCONNECTED)) { + ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp; + inp->inp_pf_sk = m->m_pkthdr.pf.statekey; + } +#endif + #ifdef IPSEC mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); s = splnet(); @@ -1032,6 +1041,10 @@ udp_output(struct mbuf *m, ...) /* force routing domain */ m->m_pkthdr.rdomain = inp->inp_rtableid; +#if NPF > 0 + if (inp->inp_socket->so_state & SS_ISCONNECTED) + m->m_pkthdr.pf.inp = inp; +#endif error = ip_output(m, inp->inp_options, &inp->inp_route, inp->inp_socket->so_options & (SO_DONTROUTE | SO_BROADCAST | SO_JUMBO), diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index c40a77d171a..2e1140953ef 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip6.c,v 1.41 2011/04/04 11:07:18 claudio Exp $ */ +/* $OpenBSD: raw_ip6.c,v 1.42 2011/04/24 19:36:54 bluhm Exp $ */ /* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */ /* @@ -61,6 +61,8 @@ * @(#)raw_ip.c 8.2 (Berkeley) 1/4/94 */ +#include "pf.h" + #include <sys/param.h> #include <sys/malloc.h> #include <sys/mbuf.h> @@ -75,6 +77,9 @@ #include <net/if.h> #include <net/route.h> #include <net/if_types.h> +#if NPF > 0 +#include <net/pfvar.h> +#endif #include <netinet/in.h> #include <netinet/in_var.h> @@ -200,6 +205,16 @@ rip6_input(struct mbuf **mp, int *offp, int proto) continue; } } +#if NPF > 0 + if (m->m_pkthdr.pf.statekey && !in6p->inp_pf_sk && + !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp && + (in6p->inp_socket->so_state & SS_ISCONNECTED) && + proto != IPPROTO_ICMPV6) { + ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = + in6p; + in6p->inp_pf_sk = m->m_pkthdr.pf.statekey; + } +#endif if (last) { struct mbuf *n; if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) { 
@@ -487,6 +502,11 @@ rip6_output(struct mbuf *m, ...) if (in6p->in6p_flags & IN6P_MINMTU) flags |= IPV6_MINMTU; +#if NPF > 0 + if (in6p->inp_socket->so_state & SS_ISCONNECTED && + so->so_proto->pr_protocol != IPPROTO_ICMPV6) + m->m_pkthdr.pf.inp = in6p; +#endif error = ip6_output(m, optp, &in6p->in6p_route, flags, in6p->in6p_moptions, &oifp, in6p); if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) { diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h index 38bf35babc6..203822a3460 100644 --- a/sys/sys/mbuf.h +++ b/sys/sys/mbuf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: mbuf.h,v 1.150 2011/04/06 19:15:34 markus Exp $ */ +/* $OpenBSD: mbuf.h,v 1.151 2011/04/24 19:36:54 bluhm Exp $ */ /* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */ /* @@ -78,6 +78,7 @@ struct m_hdr { struct pkthdr_pf { void *hdr; /* saved hdr pos in mbuf, for ECN */ void *statekey; /* pf stackside statekey */ + void *inp; /* connected pcb for outgoing packet */ u_int32_t qid; /* queue id */ u_int16_t tag; /* tag id */ u_int8_t flags; |
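Review bot: The new `void *inp` field in `struct pkthdr_pf` is a raw, unreferenced pointer to a pcb, and its comment says only what it holds, not how long it may be trusted. In this commit the field is set just before ip_output()/ip6_output() and is consumed and cleared by pf_find_state() on the PF_OUT pass and by pf_pkt_addr_changed(), so it appears meaningful only during that synchronous output call; an mbuf that is queued or looped back with the field still set would carry a pointer the pcb's teardown does not know about, since in_pcbdetach clears `sk->inp` rather than any mbuf. I would say so in the header: `void *inp; /* connected pcb for outgoing packet; valid only until pf_find_state() clears it on the PF_OUT path */`. Whether every output path reaches pf_test and clears the field cannot be confirmed from these hunks.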