Author: kp Date: Fri Nov 2 16:47:07 2018 New Revision: 340065 URL: https://svnweb.freebsd.org/changeset/base/340065
Log: pfsync: Make pfsync callbacks per-vnet The callbacks are installed and removed depending on the state of the pfsync device, which is per-vnet. The callbacks must also be per-vnet. MFC after: 2 weeks Sponsored by: Orange Business Services Differential Revision: https://reviews.freebsd.org/D17499 Modified: head/sys/net/pfvar.h head/sys/netpfil/pf/if_pfsync.c head/sys/netpfil/pf/pf.c head/sys/netpfil/pf/pf_ioctl.c Modified: head/sys/net/pfvar.h ============================================================================== --- head/sys/net/pfvar.h Fri Nov 2 16:26:44 2018 (r340064) +++ head/sys/net/pfvar.h Fri Nov 2 16:47:07 2018 (r340065) @@ -825,12 +825,18 @@ typedef void pfsync_delete_state_t(struct pf_state *) typedef void pfsync_clear_states_t(u_int32_t, const char *); typedef int pfsync_defer_t(struct pf_state *, struct mbuf *); -extern pfsync_state_import_t *pfsync_state_import_ptr; -extern pfsync_insert_state_t *pfsync_insert_state_ptr; -extern pfsync_update_state_t *pfsync_update_state_ptr; -extern pfsync_delete_state_t *pfsync_delete_state_ptr; -extern pfsync_clear_states_t *pfsync_clear_states_ptr; -extern pfsync_defer_t *pfsync_defer_ptr; +VNET_DECLARE(pfsync_state_import_t *, pfsync_state_import_ptr); +#define V_pfsync_state_import_ptr VNET(pfsync_state_import_ptr) +VNET_DECLARE(pfsync_insert_state_t *, pfsync_insert_state_ptr); +#define V_pfsync_insert_state_ptr VNET(pfsync_insert_state_ptr) +VNET_DECLARE(pfsync_update_state_t *, pfsync_update_state_ptr); +#define V_pfsync_update_state_ptr VNET(pfsync_update_state_ptr) +VNET_DECLARE(pfsync_delete_state_t *, pfsync_delete_state_ptr); +#define V_pfsync_delete_state_ptr VNET(pfsync_delete_state_ptr) +VNET_DECLARE(pfsync_clear_states_t *, pfsync_clear_states_ptr); +#define V_pfsync_clear_states_ptr VNET(pfsync_clear_states_ptr) +VNET_DECLARE(pfsync_defer_t *, pfsync_defer_ptr); +#define V_pfsync_defer_ptr VNET(pfsync_defer_ptr) void pfsync_state_export(struct pfsync_state *, struct pf_state *); Modified: head/sys/netpfil/pf/if_pfsync.c ============================================================================== --- head/sys/netpfil/pf/if_pfsync.c Fri Nov 2 16:26:44 2018 (r340064) +++ head/sys/netpfil/pf/if_pfsync.c Fri Nov 2 16:47:07 2018 (r340065) @@ -1362,10 +1362,10 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t dat sc->sc_maxupdates = pfsyncr.pfsyncr_maxupdates; if (pfsyncr.pfsyncr_defer) { sc->sc_flags |= PFSYNCF_DEFER; - pfsync_defer_ptr = pfsync_defer; + V_pfsync_defer_ptr = pfsync_defer; } else { sc->sc_flags &= ~PFSYNCF_DEFER; - pfsync_defer_ptr = NULL; + V_pfsync_defer_ptr = NULL; } if (sifp == NULL) { @@ -2311,12 +2311,12 @@ pfsync_pointers_init() { PF_RULES_WLOCK(); - pfsync_state_import_ptr = pfsync_state_import; - pfsync_insert_state_ptr = pfsync_insert_state; - pfsync_update_state_ptr = pfsync_update_state; - pfsync_delete_state_ptr = pfsync_delete_state; - pfsync_clear_states_ptr = pfsync_clear_states; - pfsync_defer_ptr = pfsync_defer; + V_pfsync_state_import_ptr = pfsync_state_import; + V_pfsync_insert_state_ptr = pfsync_insert_state; + V_pfsync_update_state_ptr = pfsync_update_state; + V_pfsync_delete_state_ptr = pfsync_delete_state; + V_pfsync_clear_states_ptr = pfsync_clear_states; + V_pfsync_defer_ptr = pfsync_defer; PF_RULES_WUNLOCK(); } @@ -2325,12 +2325,12 @@ pfsync_pointers_uninit() { PF_RULES_WLOCK(); - pfsync_state_import_ptr = NULL; - pfsync_insert_state_ptr = NULL; - pfsync_update_state_ptr = NULL; - pfsync_delete_state_ptr = NULL; - pfsync_clear_states_ptr = NULL; - pfsync_defer_ptr = NULL; + V_pfsync_state_import_ptr = NULL; + V_pfsync_insert_state_ptr = NULL; + V_pfsync_update_state_ptr = NULL; + V_pfsync_delete_state_ptr = NULL; + V_pfsync_clear_states_ptr = NULL; + V_pfsync_defer_ptr = NULL; PF_RULES_WUNLOCK(); } @@ -2347,6 +2347,8 @@ vnet_pfsync_init(const void *unused __unused) if_clone_detach(V_pfsync_cloner); log(LOG_INFO, "swi_add() failed in %s\n", __func__); } + + pfsync_pointers_init(); } VNET_SYSINIT(vnet_pfsync_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY, vnet_pfsync_init, NULL); @@ -2355,6 +2357,8 @@ static void vnet_pfsync_uninit(const void *unused __unused) { + pfsync_pointers_uninit(); + if_clone_detach(V_pfsync_cloner); swi_remove(V_pfsync_swi_cookie); } @@ -2380,7 +2384,6 @@ pfsync_init() return (error); } #endif - pfsync_pointers_init(); return (0); } @@ -2388,8 +2391,6 @@ pfsync_init() static void pfsync_uninit() { - - pfsync_pointers_uninit(); #ifdef INET ipproto_unregister(IPPROTO_PFSYNC); Modified: head/sys/netpfil/pf/pf.c ============================================================================== --- head/sys/netpfil/pf/pf.c Fri Nov 2 16:26:44 2018 (r340064) +++ head/sys/netpfil/pf/pf.c Fri Nov 2 16:47:07 2018 (r340065) @@ -1268,8 +1268,8 @@ pf_state_insert(struct pfi_kif *kif, struct pf_state_k refcount_init(&s->refs, 2); counter_u64_add(V_pf_status.fcounters[FCNT_STATE_INSERT], 1); - if (pfsync_insert_state_ptr != NULL) - pfsync_insert_state_ptr(s); + if (V_pfsync_insert_state_ptr != NULL) + V_pfsync_insert_state_ptr(s); /* Returns locked. */ return (0); @@ -1672,8 +1672,8 @@ pf_unlink_state(struct pf_state *s, u_int flags) LIST_REMOVE(s, entry); pf_src_tree_remove_state(s); - if (pfsync_delete_state_ptr != NULL) - pfsync_delete_state_ptr(s); + if (V_pfsync_delete_state_ptr != NULL) + V_pfsync_delete_state_ptr(s); STATE_DEC_COUNTERS(s); @@ -3582,7 +3582,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm if (*sm != NULL && !((*sm)->state_flags & PFSTATE_NOSYNC) && direction == PF_OUT && - pfsync_defer_ptr != NULL && pfsync_defer_ptr(*sm, m)) + V_pfsync_defer_ptr != NULL && V_pfsync_defer_ptr(*sm, m)) /* * We want the state created, but we dont * want to send this in case a partner @@ -5996,8 +5996,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; @@ -6025,8 +6025,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct } action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; @@ -6048,8 +6048,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; @@ -6071,8 +6071,8 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct default: action = pf_test_state_other(&s, dir, kif, m, &pd); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; @@ -6435,8 +6435,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc action = pf_test_state_tcp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; @@ -6464,8 +6464,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc } action = pf_test_state_udp(&s, dir, kif, m, off, h, &pd); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; @@ -6494,8 +6494,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc action = pf_test_state_icmp(&s, dir, kif, m, off, h, &pd, &reason); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; @@ -6508,8 +6508,8 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struc default: action = pf_test_state_other(&s, dir, kif, m, &pd); if (action == PF_PASS) { - if (pfsync_update_state_ptr != NULL) - pfsync_update_state_ptr(s); + if (V_pfsync_update_state_ptr != NULL) + V_pfsync_update_state_ptr(s); r = s->rule.ptr; a = s->anchor.ptr; log = s->log; Modified: head/sys/netpfil/pf/pf_ioctl.c ============================================================================== --- head/sys/netpfil/pf/pf_ioctl.c Fri Nov 2 16:26:44 2018 (r340064) +++ head/sys/netpfil/pf/pf_ioctl.c Fri Nov 2 16:47:07 2018 (r340065) @@ -212,12 +212,13 @@ struct sx pf_ioctl_lock; struct sx pf_end_lock; /* pfsync */ -pfsync_state_import_t *pfsync_state_import_ptr = NULL; -pfsync_insert_state_t *pfsync_insert_state_ptr = NULL; -pfsync_update_state_t *pfsync_update_state_ptr = NULL; -pfsync_delete_state_t *pfsync_delete_state_ptr = NULL; -pfsync_clear_states_t *pfsync_clear_states_ptr = NULL; -pfsync_defer_t *pfsync_defer_ptr = NULL; +VNET_DEFINE(pfsync_state_import_t *, pfsync_state_import_ptr); +VNET_DEFINE(pfsync_insert_state_t *, pfsync_insert_state_ptr); +VNET_DEFINE(pfsync_update_state_t *, pfsync_update_state_ptr); +VNET_DEFINE(pfsync_delete_state_t *, pfsync_delete_state_ptr); +VNET_DEFINE(pfsync_clear_states_t *, pfsync_clear_states_ptr); +VNET_DEFINE(pfsync_defer_t *, pfsync_defer_ptr); + /* pflog */ pflog_packet_t *pflog_packet_ptr = NULL; @@ -1873,8 +1874,8 @@ relock_DIOCCLRSTATES: PF_HASHROW_UNLOCK(ih); } psk->psk_killed = killed; - if (pfsync_clear_states_ptr != NULL) - pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname); + if (V_pfsync_clear_states_ptr != NULL) + V_pfsync_clear_states_ptr(V_pf_status.hostid, psk->psk_ifname); break; } @@ -1961,9 +1962,9 @@ relock_DIOCKILLSTATES: error = EINVAL; break; } - if (pfsync_state_import_ptr != NULL) { + if (V_pfsync_state_import_ptr != NULL) { PF_RULES_RLOCK(); - error = pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL); + error = V_pfsync_state_import_ptr(sp, PFSYNC_SI_IOCTL); PF_RULES_RUNLOCK(); } else error = EOPNOTSUPP; _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
