Author: bz
Date: Thu Jun 30 01:33:14 2016
New Revision: 302290
URL: https://svnweb.freebsd.org/changeset/base/302290

Log:
  Move the ipfw_log_bpf() calls from global module initialisation to
  per-VNET initialisation and virtualise the interface cloning to
  allow a dedicated ipfw log interface per VNET.
  
  Approved by:          re (gjb)
  MFC after:            2 weeks
  Sponsored by:         The FreeBSD Foundation

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c
  head/sys/netpfil/ipfw/ip_fw_log.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw2.c      Thu Jun 30 01:32:12 2016        
(r302289)
+++ head/sys/netpfil/ipfw/ip_fw2.c      Thu Jun 30 01:33:14 2016        
(r302290)
@@ -2691,7 +2691,6 @@ ipfw_init(void)
          default_fw_tables = IPFW_TABLES_MAX;
 
        ipfw_init_sopt_handler();
-       ipfw_log_bpf(1); /* init */
        ipfw_iface_init();
        return (error);
 }
@@ -2704,7 +2703,6 @@ ipfw_destroy(void)
 {
 
        ipfw_iface_destroy();
-       ipfw_log_bpf(0); /* uninit */
        ipfw_destroy_sopt_handler();
        printf("IP firewall unloaded\n");
 }
@@ -2793,6 +2791,7 @@ vnet_ipfw_init(const void *unused)
         * is checked on each packet because there are no pfil hooks.
         */
        V_ip_fw_ctl_ptr = ipfw_ctl3;
+       ipfw_log_bpf(1); /* init */
        error = ipfw_attach_hooks(1);
        return (error);
 }
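Review bot: A failed `ipfw_attach_hooks(1)` in vnet_ipfw_init() now returns with the per-VNET log cloner from the added `ipfw_log_bpf(1)` still registered, because nothing on the error path undoes it. Whether vnet_ipfw_uninit() still runs for a VNET whose init returned an error is not visible in this hunk. If it does not, the error path should undo the step, e.g. `if (error != 0) ipfw_log_bpf(0);` before `return (error);`; if it does, a one-line comment saying so would help the next reader. The start of vnet_ipfw_init() lies outside the hunk.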
@@ -2816,6 +2815,8 @@ vnet_ipfw_uninit(const void *unused)
        (void)ipfw_attach_hooks(0 /* detach */);
        V_ip_fw_ctl_ptr = NULL;
 
+       ipfw_log_bpf(0); /* uninit */
+
        last = IS_DEFAULT_VNET(curvnet) ? 1 : 0;
 
        IPFW_UH_WLOCK(chain);

Modified: head/sys/netpfil/ipfw/ip_fw_log.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_log.c   Thu Jun 30 01:32:12 2016        
(r302289)
+++ head/sys/netpfil/ipfw/ip_fw_log.c   Thu Jun 30 01:33:14 2016        
(r302290)
@@ -102,7 +102,8 @@ ipfw_log_bpf(int onoff)
 {
 }
 #else /* !WITHOUT_BPF */
-static struct ifnet *log_if;   /* hook to attach to bpf */
+static VNET_DEFINE(struct ifnet *, log_if);    /* hook to attach to bpf */
+#define        V_log_if                VNET(log_if)
 static struct rwlock log_if_lock;
 #define        LOGIF_LOCK_INIT(x)      rw_init(&log_if_lock, "ipfw log_if 
lock")
 #define        LOGIF_LOCK_DESTROY(x)   rw_destroy(&log_if_lock)
@@ -182,8 +183,8 @@ ipfw_log_clone_create(struct if_clone *i
        ifp->if_baudrate = IF_Mbps(10);
 
        LOGIF_WLOCK();
-       if (log_if == NULL)
-               log_if = ifp;
+       if (V_log_if == NULL)
+               V_log_if = ifp;
        else {
                LOGIF_WUNLOCK();
                if_free(ifp);
@@ -206,8 +207,8 @@ ipfw_log_clone_destroy(struct if_clone *
                return (0);
 
        LOGIF_WLOCK();
-       if (log_if != NULL && ifp == log_if)
-               log_if = NULL;
+       if (V_log_if != NULL && ifp == V_log_if)
+               V_log_if = NULL;
        else {
                LOGIF_WUNLOCK();
                return (EINVAL);
@@ -223,20 +224,23 @@ ipfw_log_clone_destroy(struct if_clone *
        return (0);
 }
 
-static struct if_clone *ipfw_log_cloner;
+static VNET_DEFINE(struct if_clone *, ipfw_log_cloner);
+#define        V_ipfw_log_cloner               VNET(ipfw_log_cloner)
 
 void
 ipfw_log_bpf(int onoff)
 {
 
        if (onoff) {
-               LOGIF_LOCK_INIT();
-               ipfw_log_cloner = if_clone_advanced(ipfwname, 0,
+               if (IS_DEFAULT_VNET(curvnet))
+                       LOGIF_LOCK_INIT();
+               V_ipfw_log_cloner = if_clone_advanced(ipfwname, 0,
                    ipfw_log_clone_match, ipfw_log_clone_create,
                    ipfw_log_clone_destroy);
        } else {
-               if_clone_detach(ipfw_log_cloner);
-               LOGIF_LOCK_DESTROY();
+               if_clone_detach(V_ipfw_log_cloner);
+               if (IS_DEFAULT_VNET(curvnet))
+                       LOGIF_LOCK_DESTROY();
        }
 }
 #endif /* !WITHOUT_BPF */
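Review bot: `log_if_lock` remains one global rwlock, but ipfw_log_bpf() now initialises and destroys it only when `IS_DEFAULT_VNET(curvnet)`, so its lifetime depends on the default VNET being set up first and torn down last. If a non-default VNET reaches `if_clone_detach(V_ipfw_log_cloner)` or ipfw_log() after the default VNET has run `LOGIF_LOCK_DESTROY()`, it would take a destroyed lock, since ipfw_log_clone_destroy() and ipfw_log() both acquire it. The init/uninit ordering is not visible in this diff, so please confirm it. Either keep the lock setup and teardown on the module-global ipfw_init()/ipfw_destroy() path, or state the assumption above the check, e.g. `/* log_if_lock is global; it lives from default-VNET init to default-VNET uninit. */`. The same assumption covers the `ipfw_log_bpf(0)` call added in vnet_ipfw_uninit().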
@@ -258,24 +262,24 @@ ipfw_log(struct ip_fw_chain *chain, stru
        if (V_fw_verbose == 0) {
 #ifndef WITHOUT_BPF
                LOGIF_RLOCK();
-               if (log_if == NULL || log_if->if_bpf == NULL) {
+               if (V_log_if == NULL || V_log_if->if_bpf == NULL) {
                        LOGIF_RUNLOCK();
                        return;
                }
 
                if (args->eh) /* layer2, use orig hdr */
-                       BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m);
+                       BPF_MTAP2(V_log_if, args->eh, ETHER_HDR_LEN, m);
                else {
                        /* Add fake header. Later we will store
                         * more info in the header.
                         */
                        if (ip->ip_v == 4)
-                               BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", 
ETHER_HDR_LEN, m);
+                               BPF_MTAP2(V_log_if, "DDDDDDSSSSSS\x08\x00", 
ETHER_HDR_LEN, m);
                        else if  (ip->ip_v == 6)
-                               BPF_MTAP2(log_if, "DDDDDDSSSSSS\x86\xdd", 
ETHER_HDR_LEN, m);
+                               BPF_MTAP2(V_log_if, "DDDDDDSSSSSS\x86\xdd", 
ETHER_HDR_LEN, m);
                        else
                                /* Obviously bogus EtherType. */
-                               BPF_MTAP2(log_if, "DDDDDDSSSSSS\xff\xff", 
ETHER_HDR_LEN, m);
+                               BPF_MTAP2(V_log_if, "DDDDDDSSSSSS\xff\xff", 
ETHER_HDR_LEN, m);
                }
                LOGIF_RUNLOCK();
 #endif /* !WITHOUT_BPF */
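Review bot: `V_log_if` is re-evaluated for the NULL test, the `if_bpf` test and every `BPF_MTAP2()` call in ipfw_log(). Reading it once into a local right after `LOGIF_RLOCK()`, `struct ifnet *ifp = V_log_if;`, would keep the per-VNET lookup in one place and shorten the `BPF_MTAP2()` lines. This is a style point only; the behaviour under the read lock stays the same. ipfw_log() starts before and continues after this hunk.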