In message <201511050726.ta57qxlu074...@repo.freebsd.org>, "George V. Neville-N eil" writes: > Author: gnn > Date: Thu Nov 5 07:26:32 2015 > New Revision: 290383 > URL: https://svnweb.freebsd.org/changeset/base/290383 > > Log: > Replace the fastforward path with tryforward which does not require a > sysctl and will always be on. The former split between default and > fast forwarding is removed by this commit while preserving the ability > to use all network stack features. > > Differential Revision: https://reviews.freebsd.org/D4042 > Reviewed by: ae, melifaro, olivier, rwatson > MFC after: 1 month > Sponsored by: Rubicon Communications (Netgate) > > Modified: > head/sys/net/if_arcsubr.c > head/sys/net/if_ethersubr.c > head/sys/net/if_fddisubr.c > head/sys/net/if_fwsubr.c > head/sys/net/if_iso88025subr.c > head/sys/netinet/in_var.h > head/sys/netinet/ip_fastfwd.c > head/sys/netinet/ip_input.c > > Modified: head/sys/net/if_arcsubr.c > ============================================================================= > = > --- head/sys/net/if_arcsubr.c Thu Nov 5 04:16:03 2015 (r290382) > +++ head/sys/net/if_arcsubr.c Thu Nov 5 07:26:32 2015 (r290383) > @@ -550,15 +550,11 @@ arc_input(struct ifnet *ifp, struct mbuf > #ifdef INET > case ARCTYPE_IP: > m_adj(m, ARC_HDRNEWLEN); > - if ((m = ip_fastforward(m)) == NULL) > - return; > isr = NETISR_IP; > break; > > case ARCTYPE_IP_OLD: > m_adj(m, ARC_HDRLEN); > - if ((m = ip_fastforward(m)) == NULL) > - return; > isr = NETISR_IP; > break; > > > Modified: head/sys/net/if_ethersubr.c > ============================================================================= > = > --- head/sys/net/if_ethersubr.c Thu Nov 5 04:16:03 2015 (r29038 > 2) > +++ head/sys/net/if_ethersubr.c Thu Nov 5 07:26:32 2015 (r29038 > 3) > @@ -722,8 +722,6 @@ ether_demux(struct ifnet *ifp, struct mb > switch (ether_type) { > #ifdef INET > case ETHERTYPE_IP: > - if ((m = ip_fastforward(m)) == NULL) > - return; > isr = NETISR_IP; > break; > > > Modified: head/sys/net/if_fddisubr.c > ============================================================================= > = > --- head/sys/net/if_fddisubr.c Thu Nov 5 04:16:03 2015 (r29038 > 2) > +++ head/sys/net/if_fddisubr.c Thu Nov 5 07:26:32 2015 (r29038 > 3) > @@ -429,8 +429,6 @@ fddi_input(ifp, m) > switch (type) { > #ifdef INET > case ETHERTYPE_IP: > - if ((m = ip_fastforward(m)) == NULL) > - return; > isr = NETISR_IP; > break; > > > Modified: head/sys/net/if_fwsubr.c > ============================================================================= > = > --- head/sys/net/if_fwsubr.c Thu Nov 5 04:16:03 2015 (r290382) > +++ head/sys/net/if_fwsubr.c Thu Nov 5 07:26:32 2015 (r290383) > @@ -605,8 +605,6 @@ firewire_input(struct ifnet *ifp, struct > switch (type) { > #ifdef INET > case ETHERTYPE_IP: > - if ((m = ip_fastforward(m)) == NULL) > - return; > isr = NETISR_IP; > break; > > > Modified: head/sys/net/if_iso88025subr.c > ============================================================================= > = > --- head/sys/net/if_iso88025subr.c Thu Nov 5 04:16:03 2015 (r29038 > 2) > +++ head/sys/net/if_iso88025subr.c Thu Nov 5 07:26:32 2015 (r29038 > 3) > @@ -519,8 +519,6 @@ iso88025_input(ifp, m) > #ifdef INET > case ETHERTYPE_IP: > th->iso88025_shost[0] &= ~(TR_RII); > - if ((m = ip_fastforward(m)) == NULL) > - return; > isr = NETISR_IP; > break; > > > Modified: head/sys/netinet/in_var.h > ============================================================================= > = > --- head/sys/netinet/in_var.h Thu Nov 5 04:16:03 2015 (r290382) > +++ head/sys/netinet/in_var.h Thu Nov 5 07:26:32 2015 (r290383) > @@ -380,7 +380,7 @@ int in_scrubprefix(struct in_ifaddr *, u > void ip_input(struct mbuf *); > void ip_direct_input(struct mbuf *); > void in_ifadown(struct ifaddr *ifa, int); > -struct mbuf *ip_fastforward(struct mbuf *); > +struct mbuf *ip_tryforward(struct mbuf *); > void *in_domifattach(struct ifnet *); > void in_domifdetach(struct ifnet *, void *); > > > Modified: head/sys/netinet/ip_fastfwd.c > ============================================================================= > = > --- head/sys/netinet/ip_fastfwd.c Thu Nov 5 04:16:03 2015 (r29038 > 2) > +++ head/sys/netinet/ip_fastfwd.c Thu Nov 5 07:26:32 2015 (r29038 > 3) > @@ -108,12 +108,6 @@ __FBSDID("$FreeBSD$"); > > #include <machine/in_cksum.h> > > -static VNET_DEFINE(int, ipfastforward_active); > -#define V_ipfastforward_active VNET(ipfastforward_active) > - > -SYSCTL_INT(_net_inet_ip, OID_AUTO, fastforwarding, CTLFLAG_VNET | CTLFLAG_RW > , > - &VNET_NAME(ipfastforward_active), 0, "Enable fast IP forwarding"); > - > static struct sockaddr_in * > ip_findroute(struct route *ro, struct in_addr dest, struct mbuf *m) > { > @@ -158,7 +152,7 @@ ip_findroute(struct route *ro, struct in > * to ip_input for full processing. > */ > struct mbuf * > -ip_fastforward(struct mbuf *m) > +ip_tryforward(struct mbuf *m) > { > struct ip *ip; > struct mbuf *m0 = NULL; > @@ -166,119 +160,20 @@ ip_fastforward(struct mbuf *m) > struct sockaddr_in *dst = NULL; > struct ifnet *ifp; > struct in_addr odest, dest; > - uint16_t sum, ip_len, ip_off; > + uint16_t ip_len, ip_off; > int error = 0; > - int hlen, mtu; > + int mtu; > struct m_tag *fwd_tag = NULL; > > /* > * Are we active and forwarding packets? > */ > - if (!V_ipfastforward_active || !V_ipforwarding) > - return m; > > M_ASSERTVALID(m); > M_ASSERTPKTHDR(m); > > bzero(&ro, sizeof(ro)); > > - /* > - * Step 1: check for packet drop conditions (and sanity checks) > - */ > - > - /* > - * Is entire packet big enough? > - */ > - if (m->m_pkthdr.len < sizeof(struct ip)) { > - IPSTAT_INC(ips_tooshort); > - goto drop; > - } > - > - /* > - * Is first mbuf large enough for ip header and is header present? > - */ > - if (m->m_len < sizeof (struct ip) && > - (m = m_pullup(m, sizeof (struct ip))) == NULL) { > - IPSTAT_INC(ips_toosmall); > - return NULL; /* mbuf already free'd */ > - } > - > - ip = mtod(m, struct ip *); > - > - /* > - * Is it IPv4? > - */ > - if (ip->ip_v != IPVERSION) { > - IPSTAT_INC(ips_badvers); > - goto drop; > - } > - > - /* > - * Is IP header length correct and is it in first mbuf? > - */ > - hlen = ip->ip_hl << 2; > - if (hlen < sizeof(struct ip)) { /* minimum header length */ > - IPSTAT_INC(ips_badhlen); > - goto drop; > - } > - if (hlen > m->m_len) { > - if ((m = m_pullup(m, hlen)) == NULL) { > - IPSTAT_INC(ips_badhlen); > - return NULL; /* mbuf already free'd */ > - } > - ip = mtod(m, struct ip *); > - } > - > - /* > - * Checksum correct? > - */ > - if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) > - sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID); > - else { > - if (hlen == sizeof(struct ip)) > - sum = in_cksum_hdr(ip); > - else > - sum = in_cksum(m, hlen); > - } > - if (sum) { > - IPSTAT_INC(ips_badsum); > - goto drop; > - } > - > - /* > - * Remember that we have checked the IP header and found it valid. > - */ > - m->m_pkthdr.csum_flags |= (CSUM_IP_CHECKED | CSUM_IP_VALID); > - > - ip_len = ntohs(ip->ip_len); > - > - /* > - * Is IP length longer than packet we have got? > - */ > - if (m->m_pkthdr.len < ip_len) { > - IPSTAT_INC(ips_tooshort); > - goto drop; > - } > - > - /* > - * Is packet longer than IP header tells us? If yes, truncate packet. > - */ > - if (m->m_pkthdr.len > ip_len) { > - if (m->m_len == m->m_pkthdr.len) { > - m->m_len = ip_len; > - m->m_pkthdr.len = ip_len; > - } else > - m_adj(m, ip_len - m->m_pkthdr.len); > - } > - > - /* > - * Is packet from or to 127/8? > - */ > - if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET || > - (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) { > - IPSTAT_INC(ips_badaddr); > - goto drop; > - } > > #ifdef ALTQ > /* > @@ -289,12 +184,10 @@ ip_fastforward(struct mbuf *m) > #endif > > /* > - * Step 2: fallback conditions to normal ip_input path processing > - */ > - > - /* > * Only IP packets without options > */ > + ip = mtod(m, struct ip *); > + > if (ip->ip_hl != (sizeof(struct ip) >> 2)) { > if (V_ip_doopts == 1) > return m; > > Modified: head/sys/netinet/ip_input.c > ============================================================================= > = > --- head/sys/netinet/ip_input.c Thu Nov 5 04:16:03 2015 (r29038 > 2) > +++ head/sys/netinet/ip_input.c Thu Nov 5 07:26:32 2015 (r29038 > 3) > @@ -79,6 +79,8 @@ __FBSDID("$FreeBSD$"); > #include <netinet/ip_carp.h> > #ifdef IPSEC > #include <netinet/ip_ipsec.h> > +#include <netipsec/ipsec.h> > +#include <netipsec/key.h> > #endif /* IPSEC */ > #include <netinet/in_rss.h> > > @@ -500,12 +502,22 @@ tooshort: > m_adj(m, ip_len - m->m_pkthdr.len); > } > > + /* Try to forward the packet, but if we fail continue */ > #ifdef IPSEC > + /* For now we do not handle IPSEC in tryforward. */ > + if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) & > & > + (V_ipforwarding == 1)) > + if (ip_tryforward(m) == NULL) > + return; > /* > * Bypass packet filtering for packets previously handled by IPsec. > */ > if (ip_ipsec_filtertunnel(m)) > goto passin; > +#else > + if (V_ipforwarding == 1) > + if (ip_tryforward(m) == NULL) > + return; > #endif /* IPSEC */ > > /* > >
Hi George, Sorry for the lateness of this reply, I finally got some time off for Christmas and have time to myself to boot. This breaks ipfilter's ipnat. I want to let you know before anyone MFCs this. -- Cheers, Cy Schubert <cy.schub...@komquats.com> or <cy.schub...@cschubert.com> FreeBSD UNIX: <c...@freebsd.org> Web: http://www.FreeBSD.org The need of the many outweighs the greed of the few. _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
