CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Gleb Smirnoff <glebius@FreeBSD.org>
	Thu, 14 Mar 2019 22:52:16 +0000 (22:52 +0000)
committer	Gleb Smirnoff <glebius@FreeBSD.org>
	Thu, 14 Mar 2019 22:52:16 +0000 (22:52 +0000)
commit	f355cb3e6fa1dea72938b83d5b69a99bc4e1fe0c
tree	ed0b83b52e894cafd489ef0896d32c9e571ea1f0	tree \| snapshot
parent	dc0fa4f7122faf346f0a3ca884dabbdbb7467f2d	commit \| diff

PFIL_MEMPTR for ipfw link level hook

With new pfil(9) KPI it is possible to pass a void pointer with length
instead of mbuf pointer to a packet filter. Until this commit no filters
supported that, so pfil run through a shim function pfil_fake_mbuf().

Now the ipfw(4) hook named "default-link", that is instantiated when
net.link.ether.ipfw sysctl is on, supports processing pointer/length
packets natively.

- ip_fw_args now has union for either mbuf or void *, and if flags have
non-zero length, then we use the void *.
- through ipfw_chk() we handle mem/mbuf cases differently.
- ether_header goes away from args. It is ipfw_chk() responsibility
to do parsing of Ethernet header.
- ipfw_log() now uses different bpf APIs to log packets.

Although ipfw_chk() is now capable to process pointer/length packets,
this commit adds support for the link level hook only, see
ipfw_check_frame(). Potentially the IP processing hook ipfw_check_packet()
can be improved too, but that requires more changes since the hook
supports more complex actions: NAT, divert, etc.

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D19357

sys/netpfil/ipfw/ip_fw2.c		diff \| blob \| history
sys/netpfil/ipfw/ip_fw_bpf.c		diff \| blob \| history
sys/netpfil/ipfw/ip_fw_log.c		diff \| blob \| history
sys/netpfil/ipfw/ip_fw_pfil.c		diff \| blob \| history
sys/netpfil/ipfw/ip_fw_private.h		diff \| blob \| history