-rw-r--r-- | sys/altq/altq_cbq.c | 7 | ||||
-rw-r--r-- | sys/altq/altq_hfsc.c | 7 | ||||
-rw-r--r-- | sys/altq/altq_priq.c | 7 | ||||
-rw-r--r-- | sys/altq/altq_red.c | 27 | ||||
-rw-r--r-- | sys/kern/uipc_mbuf.c | 8 | ||||
-rw-r--r-- | sys/net/if_bridge.c | 4 | ||||
-rw-r--r-- | sys/net/pf.c | 151 | ||||
-rw-r--r-- | sys/net/pf_norm.c | 30 | ||||
-rw-r--r-- | sys/net/pfvar.h | 17 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 8 | ||||
-rw-r--r-- | sys/netinet/ipsec_input.c | 4 | ||||
-rw-r--r-- | sys/netinet/ipsec_output.c | 4 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 8 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 6 | ||||
-rw-r--r-- | sys/sys/mbuf.h | 20 |
15 files changed, 102 insertions, 206 deletions
diff --git a/sys/altq/altq_cbq.c b/sys/altq/altq_cbq.c index 5b08e6d8427..16f4b272108 100644 --- a/sys/altq/altq_cbq.c +++ b/sys/altq/altq_cbq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_cbq.c,v 1.21 2007/04/10 17:47:52 miod Exp $ */ +/* $OpenBSD: altq_cbq.c,v 1.22 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_cbq.c,v 1.9 2000/12/14 08:12:45 thorpej Exp $ */ /* @@ -441,7 +441,6 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { cbq_state_t *cbqp = (cbq_state_t *)ifq->altq_disc; struct rm_class *cl; - struct pf_mtag *t; int len; /* grab class set by classifier */ @@ -452,9 +451,7 @@ cbq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) m_freem(m); return (ENOBUFS); } - t = pf_find_mtag(m); - if (t == NULL || - (cl = clh_to_clp(cbqp, t->qid)) == NULL) { + if ((cl = clh_to_clp(cbqp, m->m_pkthdr.pf.qid)) == NULL) { cl = cbqp->ifnp.default_; if (cl == NULL) { m_freem(m); diff --git a/sys/altq/altq_hfsc.c b/sys/altq/altq_hfsc.c index cc6d752820d..a3e73039233 100644 --- a/sys/altq/altq_hfsc.c +++ b/sys/altq/altq_hfsc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_hfsc.c,v 1.23 2006/03/04 22:40:15 brad Exp $ */ +/* $OpenBSD: altq_hfsc.c,v 1.24 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_hfsc.c,v 1.17 2002/11/29 07:48:33 kjc Exp $ */ /* @@ -618,7 +618,6 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { struct hfsc_if *hif = (struct hfsc_if *)ifq->altq_disc; struct hfsc_class *cl; - struct pf_mtag *t; int len; /* grab class set by classifier */ @@ -629,9 +628,7 @@ hfsc_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) m_freem(m); return (ENOBUFS); } - t = pf_find_mtag(m); - if (t == NULL || - (cl = clh_to_clp(hif, t->qid)) == NULL || + if ((cl = clh_to_clp(hif, m->m_pkthdr.pf.qid)) == NULL || is_a_parent_class(cl)) { cl = hif->hif_defaultclass; if (cl == NULL) { diff --git a/sys/altq/altq_priq.c b/sys/altq/altq_priq.c index e6d6a83c0ba..25e8a8beebc 100644 
--- a/sys/altq/altq_priq.c +++ b/sys/altq/altq_priq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_priq.c,v 1.19 2006/03/04 22:40:15 brad Exp $ */ +/* $OpenBSD: altq_priq.c,v 1.20 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_priq.c,v 1.1 2000/10/18 09:15:23 kjc Exp $ */ /* * Copyright (C) 2000 @@ -396,7 +396,6 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) { struct priq_if *pif = (struct priq_if *)ifq->altq_disc; struct priq_class *cl; - struct pf_mtag *t; int len; /* grab class set by classifier */ @@ -407,9 +406,7 @@ priq_enqueue(struct ifaltq *ifq, struct mbuf *m, struct altq_pktattr *pktattr) m_freem(m); return (ENOBUFS); } - t = pf_find_mtag(m); - if (t == NULL || - (cl = clh_to_clp(pif, t->qid)) == NULL) { + if ((cl = clh_to_clp(pif, m->m_pkthdr.pf.qid)) == NULL) { cl = pif->pif_default; if (cl == NULL) { m_freem(m); diff --git a/sys/altq/altq_red.c b/sys/altq/altq_red.c index 0de641866a7..92ee7b6fbbb 100644 --- a/sys/altq/altq_red.c +++ b/sys/altq/altq_red.c @@ -1,4 +1,4 @@ -/* $OpenBSD: altq_red.c,v 1.12 2005/10/17 08:43:35 henning Exp $ */ +/* $OpenBSD: altq_red.c,v 1.13 2007/05/28 17:16:38 henning Exp $ */ /* $KAME: altq_red.c,v 1.10 2002/04/03 05:38:51 kjc Exp $ */ /* 
@@ -420,34 +420,27 @@ int mark_ecn(struct mbuf *m, struct altq_pktattr *pktattr, int flags) { struct mbuf *m0; - struct pf_mtag *t; + void *hdr; - if ((t = pf_find_mtag(m)) == NULL) - return (0); - - if (t->af != AF_INET && t->af != AF_INET6) - return (0); + hdr = m->m_pkthdr.pf.hdr; /* verify that pattr_hdr is within the mbuf data */ for (m0 = m; m0 != NULL; m0 = m0->m_next) - if (((caddr_t)(t->hdr) >= m0->m_data) && - ((caddr_t)(t->hdr) < m0->m_data + m0->m_len)) + if (((caddr_t)(hdr) >= m0->m_data) && + ((caddr_t)(hdr) < m0->m_data + m0->m_len)) break; if (m0 == NULL) { /* ick, tag info is stale */ return (0); } - switch (t->af) { - case AF_INET: + switch (((struct ip *)hdr)->ip_v) { + case 4: if (flags & REDF_ECN4) { - struct ip *ip = t->hdr; + struct ip *ip = hdr; u_int8_t otos; int sum; - if (ip->ip_v != 4) - return (0); /* version mismatch! */ - if ((ip->ip_tos & IPTOS_ECN_MASK) == IPTOS_ECN_NOTECT) return (0); /* not-ECT */ if ((ip->ip_tos & IPTOS_ECN_MASK) == IPTOS_ECN_CE) @@ -472,9 +465,9 @@ mark_ecn(struct mbuf *m, struct altq_pktattr *pktattr, int flags) } break; #ifdef INET6 - case AF_INET6: + case 6: if (flags & REDF_ECN6) { - struct ip6_hdr *ip6 = t->hdr; + struct ip6_hdr *ip6 = hdr; u_int32_t flowlabel; flowlabel = ntohl(ip6->ip6_flow); diff --git a/sys/kern/uipc_mbuf.c b/sys/kern/uipc_mbuf.c index a7786a6ec06..1e4585ea511 100644 --- a/sys/kern/uipc_mbuf.c +++ b/sys/kern/uipc_mbuf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_mbuf.c,v 1.81 2007/05/27 20:54:25 claudio Exp $ */ +/* $OpenBSD: uipc_mbuf.c,v 1.82 2007/05/28 17:16:39 henning Exp $ */ /* $NetBSD: uipc_mbuf.c,v 1.15.4.1 1996/06/13 17:11:44 cgd Exp $ */ /* @@ -191,6 +191,12 @@ m_gethdr(int nowait, int type) m->m_flags = M_PKTHDR; SLIST_INIT(&m->m_pkthdr.tags); m->m_pkthdr.csum_flags = 0; + m->m_pkthdr.pf.hdr = NULL; + m->m_pkthdr.pf.rtableid = 0; + m->m_pkthdr.pf.qid = 0; + m->m_pkthdr.pf.tag = 0; + m->m_pkthdr.pf.flags = 0; + m->m_pkthdr.pf.routed = 0; } splx(s); return (m); 
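Review bot: The containment loop in mark_ecn only proves that the first byte at `hdr` lies inside some mbuf, yet the new `switch (((struct ip *)hdr)->ip_v)` leads into case bodies that read `ip->ip_tos` and `ip6->ip6_flow` further into the header. The address family is now taken from the packet bytes instead of from pf's recorded `af`, so the header length should be checked as well, e.g. `if ((caddr_t)hdr + sizeof(struct ip) > m0->m_data + m0->m_len) return (0);` after the loop, with the matching `sizeof(struct ip6_hdr)` test inside `case 6:`. The comment `/* verify that pattr_hdr is within the mbuf data */` still names the old attribute and could read `/* verify that the saved pf header pointer is within the mbuf data */`. The function body continues past both hunks.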
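Review bot: m_gethdr clears the six `pf` members one by one, so a member added to `struct pkthdr_pf` later would keep whatever was in the pool buffer; `bzero(&m->m_pkthdr.pf, sizeof(m->m_pkthdr.pf));` covers the whole struct in one line. This affects filtering, not just tidiness: elsewhere in this commit pf_test and pf_test6 return `PF_PASS` as soon as `pf.flags` has `PF_TAG_GENERATED` set, and ip_forward, ip6_forward and ip6_input read `pf.rtableid` unconditionally. Any path that builds a packet header without going through this function would hand pf stale flag bits. None is visible in the diff, so this needs checking against the mbuf macros and copy helpers. The enclosing function starts before the hunk.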
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index 00e9ea2216e..5049b380262 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_bridge.c,v 1.163 2007/05/28 06:31:01 mcbride Exp $ */ +/* $OpenBSD: if_bridge.c,v 1.164 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) @@ -2150,7 +2150,7 @@ bridge_filterrule(struct brl_head *h, struct ether_header *eh, struct mbuf *m) return_action: #if NPF > 0 - pf_tag_packet(m, NULL, n->brl_tag, -1); + pf_tag_packet(m, n->brl_tag, -1); #endif return (n->brl_action); } diff --git a/sys/net/pf.c b/sys/net/pf.c index 11a166a23e2..ad53f83c163 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.532 2007/05/27 21:17:38 dlg Exp $ */ +/* $OpenBSD: pf.c,v 1.533 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -183,8 +183,7 @@ int pf_test_state_icmp(struct pf_state **, int, void *, struct pf_pdesc *, u_short *); int pf_test_state_other(struct pf_state **, int, struct pfi_kif *, struct pf_pdesc *); -int pf_match_tag(struct mbuf *, struct pf_rule *, - struct pf_mtag *, int *); +int pf_match_tag(struct mbuf *, struct pf_rule *, int *); void pf_step_into_anchor(int *, struct pf_ruleset **, int, struct pf_rule **, struct pf_rule **, int *); int pf_step_out_of_anchor(int *, struct pf_ruleset **, @@ -1566,7 +1565,6 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af, #endif /* INET6 */ struct tcphdr *th; char *opt; - struct pf_mtag *pf_mtag; /* maximum segment size tcp option */ tlen = sizeof(struct tcphdr); 
@@ -1590,24 +1588,18 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af, m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) return; - if ((pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - return; - } if (tag) - pf_mtag->flags |= PF_TAG_GENERATED; - - pf_mtag->tag = rtag; + m->m_pkthdr.pf.flags |= PF_TAG_GENERATED; + m->m_pkthdr.pf.tag = rtag; if (r != NULL && r->rtableid >= 0) - pf_mtag->rtableid = r->rtableid; + m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid; #ifdef ALTQ if (r != NULL && r->qid) { - pf_mtag->qid = r->qid; + m->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pf_mtag->af = af; - pf_mtag->hdr = mtod(m, struct ip *); + m->m_pkthdr.pf.hdr = mtod(m, struct ip *); } #endif /* ALTQ */ m->m_data += max_linkhdr; @@ -1717,24 +1709,19 @@ void pf_send_icmp(struct mbuf *m, u_int8_t type, u_int8_t code, sa_family_t af, struct pf_rule *r) { - struct pf_mtag *pf_mtag; struct mbuf *m0; m0 = m_copy(m, 0, M_COPYALL); - - if ((pf_mtag = pf_get_mtag(m0)) == NULL) - return; - pf_mtag->flags |= PF_TAG_GENERATED; + m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; if (r->rtableid >= 0) - pf_mtag->rtableid = r->rtableid; + m0->m_pkthdr.pf.rtableid = r->rtableid; #ifdef ALTQ if (r->qid) { - pf_mtag->qid = r->qid; + m0->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pf_mtag->af = af; - pf_mtag->hdr = mtod(m0, struct ip *); + m0->m_pkthdr.pf.hdr = mtod(m0, struct ip *); } #endif /* ALTQ */ 
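Review bot: The new rtableid line in pf_send_tcp assigns the field to itself, `m->m_pkthdr.pf.rtableid = m->m_pkthdr.pf.rtableid;`, so the rule's routing table is never applied to the generated segment. The removed line copied `r->rtableid`, and pf_send_icmp in the next hunk still does; the line should be `m->m_pkthdr.pf.rtableid = r->rtableid;`. Because m_gethdr zeroes the field, the visible effect is probably that these replies always leave with table 0. The function continues outside the hunk.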
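Review bot: pf_send_icmp dereferences `m0` right after `m0 = m_copy(m, 0, M_COPYALL);` with no NULL test, so a failed copy (m_copy presumably returns NULL when no mbuf is available) would fault on `m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;`. The removed pf_get_mtag() branch was the only failure exit in this stretch, and with it gone nothing in the hunk checks the allocation; add `if (m0 == NULL) return;` after the copy. The rest of the function is outside the hunk.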
@@ -1849,58 +1836,26 @@ pf_match_gid(u_int8_t op, gid_t a1, gid_t a2, gid_t g) return (pf_match(op, a1, a2, g)); } -struct pf_mtag * -pf_find_mtag(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) - return (NULL); - - return ((struct pf_mtag *)(mtag + 1)); -} - -struct pf_mtag * -pf_get_mtag(struct mbuf *m) -{ - struct m_tag *mtag; - - if ((mtag = m_tag_find(m, PACKET_TAG_PF, NULL)) == NULL) { - mtag = m_tag_get(PACKET_TAG_PF, sizeof(struct pf_mtag), - M_NOWAIT); - if (mtag == NULL) - return (NULL); - bzero(mtag + 1, sizeof(struct pf_mtag)); - m_tag_prepend(m, mtag); - } - - return ((struct pf_mtag *)(mtag + 1)); -} - int -pf_match_tag(struct mbuf *m, struct pf_rule *r, struct pf_mtag *pf_mtag, - int *tag) +pf_match_tag(struct mbuf *m, struct pf_rule *r, int *tag) { if (*tag == -1) - *tag = pf_mtag->tag; + *tag = m->m_pkthdr.pf.tag; return ((!r->match_tag_not && r->match_tag == *tag) || (r->match_tag_not && r->match_tag != *tag)); } int -pf_tag_packet(struct mbuf *m, struct pf_mtag *pf_mtag, int tag, int rtableid) +pf_tag_packet(struct mbuf *m, int tag, int rtableid) { if (tag <= 0 && rtableid < 0) return (0); - if (pf_mtag == NULL) - if ((pf_mtag = pf_get_mtag(m)) == NULL) - return (1); if (tag > 0) - pf_mtag->tag = tag; + m->m_pkthdr.pf.tag = tag; if (rtableid >= 0) - pf_mtag->rtableid = rtableid; + m->m_pkthdr.pf.rtableid = rtableid; return (0); } @@ -2417,7 +2372,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, !pf_match_port(dst->port_op, dst->port[0], dst->port[1], dport)) r = r->skip[PF_SKIP_DST_PORT].ptr; - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY && (pd->proto != IPPROTO_TCP || !pf_osfp_match(pf_osfp_fingerprint(pd, m, 
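Review bot: pf_tag_packet can no longer fail: with the pf_get_mtag() call removed every path returns 0, yet it is still declared `int` and its callers still test the result. The `REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP);` branches in pf_test_tcp, pf_test_udp, pf_test_icmp, pf_test_other and pf_test_fragment, the `return (NULL)` in pf_match_translation, and the `failed to tag ipsec packet` messages in ipsec_input.c and ipsec_output.c are now unreachable. Either make the function `void` and drop those branches, or put `/* cannot fail; int return kept for existing callers */` above the definition. The same comment could note that `tag` arrives as `int` but is stored in a `u_int16_t` member.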
@@ -2438,7 +2393,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, pf_step_out_of_anchor(&asd, &ruleset, rs_num, &r, NULL, NULL); } - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) + if (pf_tag_packet(m, tag, rtableid)) return (NULL); if (rm != NULL && (rm->action == PF_NONAT || rm->action == PF_NORDR || rm->action == PF_NOBINAT)) @@ -2926,7 +2881,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY && !pf_osfp_match( pf_osfp_fingerprint(pd, m, off, th), r->os_fingerprint)) @@ -3005,7 +2960,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action == PF_DROP) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -3304,7 +3259,7 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY) r = TAILQ_NEXT(r, entries); @@ -3368,7 +3323,7 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action == PF_DROP) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } 
@@ -3635,7 +3590,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY) r = TAILQ_NEXT(r, entries); @@ -3679,7 +3634,7 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action != PF_PASS) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -3894,7 +3849,7 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else if (r->os_fingerprint != PF_OSFP_ANY) r = TAILQ_NEXT(r, entries); @@ -3966,7 +3921,7 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction, if (r->action != PF_PASS) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, rtableid)) { + if (pf_tag_packet(m, tag, rtableid)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -4113,7 +4068,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, r = TAILQ_NEXT(r, entries); else if (r->prob && r->prob <= arc4random()) r = TAILQ_NEXT(r, entries); - else if (r->match_tag && !pf_match_tag(m, r, pd->pf_mtag, &tag)) + else if (r->match_tag && !pf_match_tag(m, r, &tag)) r = TAILQ_NEXT(r, entries); else { if (r->anchor == NULL) { 
@@ -4145,7 +4100,7 @@ pf_test_fragment(struct pf_rule **rm, int direction, struct pfi_kif *kif, if (r->action != PF_PASS) return (PF_DROP); - if (pf_tag_packet(m, pd->pf_mtag, tag, -1)) { + if (pf_tag_packet(m, tag, -1)) { REASON_SET(&reason, PFRES_MEMORY); return (PF_DROP); } @@ -5528,7 +5483,7 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, (dir != PF_IN && dir != PF_OUT) || oifp == NULL) panic("pf_route: invalid parameters"); - if (pd->pf_mtag->routed++ > 3) { + if ((*m)->m_pkthdr.pf.routed++ > 3) { m0 = *m; *m = NULL; goto bad; @@ -5719,7 +5674,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, (dir != PF_IN && dir != PF_OUT) || oifp == NULL) panic("pf_route6: invalid parameters"); - if (pd->pf_mtag->routed++ > 3) { + if ((*m)->m_pkthdr.pf.routed++ > 3) { m0 = *m; *m = NULL; goto bad; @@ -5750,7 +5705,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, /* Cheat. XXX why only in the v6 case??? */ if (r->rt == PF_FASTROUTE) { - pd->pf_mtag->flags |= PF_TAG_GENERATED; + m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED; ip6_output(m0, NULL, NULL, 0, NULL, NULL); return; } @@ -5927,14 +5882,6 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, return (PF_PASS); memset(&pd, 0, sizeof(pd)); - if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test: pf_get_mtag returned NULL\n")); - return (PF_DROP); - } - if (pd.pf_mtag->flags & PF_TAG_GENERATED) - return (PF_PASS); - if (ifp->if_type == IFT_CARP && ifp->if_carpdev) kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; else @@ -5960,6 +5907,9 @@ pf_test(int dir, struct ifnet *ifp, struct mbuf **m0, goto done; } + if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) + return (PF_PASS); + /* We do IP header normalization and packet reassembly here */ if (pf_normalize_ip(m0, dir, kif, &reason, &pd) != PF_PASS) { action = PF_DROP; 
@@ -6123,17 +6073,16 @@ done: } if ((s && s->tag) || r->rtableid) - pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid); + pf_tag_packet(m, s ? s->tag : 0, r->rtableid); #ifdef ALTQ if (action == PF_PASS && r->qid) { if (pqid || (pd.tos & IPTOS_LOWDELAY)) - pd.pf_mtag->qid = r->pqid; + m->m_pkthdr.pf.qid = r->pqid; else - pd.pf_mtag->qid = r->qid; + m->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pd.pf_mtag->af = AF_INET; - pd.pf_mtag->hdr = h; + m->m_pkthdr.pf.hdr = h; } #endif /* ALTQ */ @@ -6147,7 +6096,7 @@ done: (s->nat_rule.ptr->action == PF_RDR || s->nat_rule.ptr->action == PF_BINAT) && (ntohl(pd.dst->v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) - pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST; + m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; if (log) { struct pf_rule *lr; @@ -6257,14 +6206,6 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, return (PF_PASS); memset(&pd, 0, sizeof(pd)); - if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) { - DPFPRINTF(PF_DEBUG_URGENT, - ("pf_test6: pf_get_mtag returned NULL\n")); - return (PF_DROP); - } - if (pd.pf_mtag->flags & PF_TAG_GENERATED) - return (PF_PASS); - if (ifp->if_type == IFT_CARP && ifp->if_carpdev) kif = (struct pfi_kif *)ifp->if_carpdev->if_pf_kif; else @@ -6290,6 +6231,9 @@ pf_test6(int dir, struct ifnet *ifp, struct mbuf **m0, goto done; } + if (m->m_pkthdr.pf.flags & PF_TAG_GENERATED) + return (PF_PASS); + /* We do IP header normalization and packet reassembly here */ if (pf_normalize_ip6(m0, dir, kif, &reason, &pd) != PF_PASS) { action = PF_DROP; 
@@ -6528,17 +6472,16 @@ done: } if ((s && s->tag) || r->rtableid) - pf_tag_packet(m, pd.pf_mtag, s ? s->tag : 0, r->rtableid); + pf_tag_packet(m, s ? s->tag : 0, r->rtableid); #ifdef ALTQ if (action == PF_PASS && r->qid) { if (pd.tos & IPTOS_LOWDELAY) - pd.pf_mtag->qid = r->pqid; + m->m_pkthdr.pf.qid = r->pqid; else - pd.pf_mtag->qid = r->qid; + m->m_pkthdr.pf.qid = r->qid; /* add hints for ecn */ - pd.pf_mtag->af = AF_INET6; - pd.pf_mtag->hdr = h; + m->m_pkthdr.pf.hdr = h; } #endif /* ALTQ */ @@ -6547,7 +6490,7 @@ done: (s->nat_rule.ptr->action == PF_RDR || s->nat_rule.ptr->action == PF_BINAT) && IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) - pd.pf_mtag->flags |= PF_TAG_TRANSLATE_LOCALHOST; + m->m_pkthdr.pf.flags |= PF_TAG_TRANSLATE_LOCALHOST; if (log) { struct pf_rule *lr; diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c index 93d3e1cd031..ab3a161f83d 100644 --- a/sys/net/pf_norm.c +++ b/sys/net/pf_norm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_norm.c,v 1.108 2007/05/26 00:36:03 krw Exp $ */ +/* $OpenBSD: pf_norm.c,v 1.109 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright 2001 Niels Provos <provos@citi.umich.edu> @@ -929,18 +929,6 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, if (m == NULL) return (PF_DROP); - /* use mtag from concatenated mbuf chain */ - pd->pf_mtag = pf_find_mtag(m); -#ifdef DIAGNOSTIC - if (pd->pf_mtag == NULL) { - printf("%s: pf_find_mtag returned NULL(1)\n", __func__); - if ((pd->pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - *m0 = NULL; - goto no_mem; - } - } -#endif if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) goto drop; 
@@ -949,7 +937,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, /* non-buffering fragment cache (drops or masks overlaps) */ int nomem = 0; - if (dir == PF_OUT && pd->pf_mtag->flags & PF_TAG_FRAGCACHE) { + if (dir == PF_OUT && m->m_pkthdr.pf.flags & PF_TAG_FRAGCACHE) { /* * Already passed the fragment cache in the * input direction. If we continued, it would @@ -976,20 +964,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kif *kif, u_short *reason, goto drop; } - /* use mtag from copied and trimmed mbuf chain */ - pd->pf_mtag = pf_find_mtag(m); -#ifdef DIAGNOSTIC - if (pd->pf_mtag == NULL) { - printf("%s: pf_find_mtag returned NULL(2)\n", __func__); - if ((pd->pf_mtag = pf_get_mtag(m)) == NULL) { - m_freem(m); - *m0 = NULL; - goto no_mem; - } - } -#endif if (dir == PF_IN) - pd->pf_mtag->flags |= PF_TAG_FRAGCACHE; + m->m_pkthdr.pf.flags |= PF_TAG_FRAGCACHE; if (frag != NULL && (frag->fr_flags & PFFRAG_DROP)) goto drop; diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index d650f799704..d55c600f6a6 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.244 2007/02/23 21:31:51 deraadt Exp $ */ +/* $OpenBSD: pfvar.h,v 1.245 2007/05/28 17:16:39 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -949,7 +949,6 @@ struct pf_pdesc { struct pf_addr *dst; struct ether_header *eh; - struct pf_mtag *pf_mtag; u_int16_t *ip_sum; u_int32_t p_len; /* total length of payload */ u_int16_t flags; /* Let SCRUB trigger behavior in @@ -1157,16 +1156,6 @@ struct pf_altq { #define PF_TAG_FRAGCACHE 0x02 #define PF_TAG_TRANSLATE_LOCALHOST 0x04 -struct pf_mtag { - void *hdr; /* saved hdr pos in mbuf, for ECN */ - u_int rtableid; /* alternate routing table id */ - u_int32_t qid; /* queue id */ - u_int16_t tag; /* tag id */ - u_int8_t flags; - u_int8_t routed; - sa_family_t af; /* for ECN */ -}; - struct pf_tag { u_int16_t tag; /* tag id */ }; 
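Review bot: The condition `dir == PF_OUT && m->m_pkthdr.pf.flags & PF_TAG_FRAGCACHE` in pf_normalize_ip mixes `&&` and `&` without parentheses; it parses as intended, but `if (dir == PF_OUT && (m->m_pkthdr.pf.flags & PF_TAG_FRAGCACHE)) {` makes the flag test explicit. The following hunk also drops the DIAGNOSTIC re-lookup after the chain is rebuilt, so the code now assumes `m` is still the packet-header mbuf when `PF_TAG_FRAGCACHE` is set. That looks right from the context, but the call that reassigns `m` is outside the hunk.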
@@ -1595,12 +1584,10 @@ u_int16_t pf_tagname2tag(char *); void pf_tag2tagname(u_int16_t, char *); void pf_tag_ref(u_int16_t); void pf_tag_unref(u_int16_t); -int pf_tag_packet(struct mbuf *, struct pf_mtag *, int, int); +int pf_tag_packet(struct mbuf *, int, int); u_int32_t pf_qname2qid(char *); void pf_qid2qname(u_int32_t, char *); void pf_qid_unref(u_int32_t); -struct pf_mtag *pf_find_mtag(struct mbuf *); -struct pf_mtag *pf_get_mtag(struct mbuf *); extern struct pf_status pf_status; extern struct pool pf_frent_pl, pf_frag_pl; diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index dc0804981bc..529d271fbea 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.148 2007/05/27 20:14:15 dlg Exp $ */ +/* $OpenBSD: ip_input.c,v 1.149 2007/05/28 17:16:39 henning Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -1434,9 +1434,6 @@ ip_forward(m, srcrt) int error, type = 0, code = 0, destmtu = 0, rtableid = 0; struct mbuf *mcopy; n_long dest; -#if NPF > 0 - struct pf_mtag *pft; -#endif dest = 0; #ifdef DIAGNOSTIC @@ -1455,8 +1452,7 @@ ip_forward(m, srcrt) } #if NPF > 0 - if ((pft = pf_find_mtag(m)) != NULL) - rtableid = pft->rtableid; + rtableid = m->m_pkthdr.pf.rtableid; #endif sin = satosin(&ipforward_rt.ro_dst); diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c index c3c45b5373b..16ea0a2cdb7 100644 --- a/sys/netinet/ipsec_input.c +++ b/sys/netinet/ipsec_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_input.c,v 1.83 2007/02/08 15:25:30 itojun Exp $ */ +/* $OpenBSD: ipsec_input.c,v 1.84 2007/05/28 17:16:39 henning Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and 
@@ -562,7 +562,7 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff, #if NPF > 0 /* Add pf tag if requested. */ - if (pf_tag_packet(m, NULL, tdbp->tdb_tag, -1)) + if (pf_tag_packet(m, tdbp->tdb_tag, -1)) DPRINTF(("failed to tag ipsec packet\n")); #endif diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c index 2a9d6da4519..bdb15200674 100644 --- a/sys/netinet/ipsec_output.c +++ b/sys/netinet/ipsec_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_output.c,v 1.37 2007/02/08 15:25:30 itojun Exp $ */ +/* $OpenBSD: ipsec_output.c,v 1.38 2007/05/28 17:16:39 henning Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -497,7 +497,7 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb) #if NPF > 0 /* Add pf tag if requested. */ - if (pf_tag_packet(m, NULL, tdb->tdb_tag, -1)) + if (pf_tag_packet(m, tdb->tdb_tag, -1)) DPRINTF(("failed to tag ipsec packet\n")); #endif diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 7448d6f3f59..c481e36c7a8 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_forward.c,v 1.37 2006/11/27 12:27:45 henning Exp $ */ +/* $OpenBSD: ip6_forward.c,v 1.38 2007/05/28 17:16:39 henning Exp $ */ /* $KAME: ip6_forward.c,v 1.75 2001/06/29 12:42:13 jinmei Exp $ */ /* @@ -104,9 +104,6 @@ ip6_forward(m, srcrt) struct tdb *tdb; int s; #endif /* IPSEC */ -#if NPF > 0 - struct pf_mtag *pft; -#endif int rtableid = 0; /* @@ -220,8 +217,7 @@ ip6_forward(m, srcrt) #endif /* IPSEC */ #if NPF > 0 - if ((pft = pf_find_mtag(m)) != NULL) - rtableid = pft->rtableid; + rtableid = m->m_pkthdr.pf.rtableid; #endif /* diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 1aea3ae6747..b4262fb0326 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.76 2007/05/08 23:23:16 mcbride Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.77 2007/05/28 17:16:39 henning Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -206,7 +206,6 @@ ip6_input(m) struct ifnet *deliverifp = NULL; #if NPF > 0 struct in6_addr odst; - struct pf_mtag *pft; #endif int srcrt = 0, rtableid = 0; @@ -431,8 +430,7 @@ ip6_input(m) } #if NPF > 0 - if ((pft = pf_find_mtag(m)) != NULL) - rtableid = pft->rtableid; + rtableid = m->m_pkthdr.pf.rtableid; #endif /* diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h index 4cdc4e60515..3ffe8ff9038 100644 --- a/sys/sys/mbuf.h +++ b/sys/sys/mbuf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: mbuf.h,v 1.87 2007/05/27 20:54:25 claudio Exp $ */ +/* $OpenBSD: mbuf.h,v 1.88 2007/05/28 17:16:39 henning Exp $ */ /* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */ /* @@ -75,12 +75,23 @@ struct m_hdr { u_short mh_flags; /* flags; see below */ }; +/* pf stuff */ +struct pkthdr_pf { + void *hdr; /* saved hdr pos in mbuf, for ECN */ + u_int rtableid; /* alternate routing table id */ + u_int32_t qid; /* queue id */ + u_int16_t tag; /* tag id */ + u_int8_t flags; + u_int8_t routed; +}; + /* record/packet header in first mbuf of chain; valid if M_PKTHDR set */ struct pkthdr { - struct ifnet *rcvif; /* rcv interface */ + struct ifnet *rcvif; /* rcv interface */ SLIST_HEAD(packet_tags, m_tag) tags; /* list of packet tags */ - int len; /* total packet length */ - int csum_flags; /* checksum flags */ + int len; /* total packet length */ + int csum_flags; /* checksum flags */ + struct pkthdr_pf pf; }; /* description of external storage mapped into mbuf, valid if M_EXT set */ 
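Review bot: `struct pkthdr_pf` stores `hdr` as a raw pointer into packet data, and the declaration does not say that the pointer may no longer match the chain it travels with. Packet headers are presumably duplicated by the mbuf copy helpers, and mark_ecn in altq_red.c already treats the value as untrusted (`/* ick, tag info is stale */`). The member comment should state that contract, e.g. `void *hdr; /* saved hdr pos in mbuf, for ECN; hint only, validate against the chain before use */`. The `/* pf stuff */` comment could also note that these fields are present in every packet header and are zeroed in m_gethdr.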
@@ -527,7 +538,6 @@ struct m_tag *m_tag_next(struct mbuf *, struct m_tag *); #define PACKET_TAG_GIF 8 /* GIF processing done */ #define PACKET_TAG_GRE 9 /* GRE processing done */ #define PACKET_TAG_IN_PACKET_CHECKSUM 10 /* NIC checksumming done */ -#define PACKET_TAG_PF 11 /* PF */ #define PACKET_TAG_DLT 17 /* data link layer type */ #ifdef MBTYPES |