Author: kp
Date: Tue Oct  4 19:35:14 2016
New Revision: 306684
URL: https://svnweb.freebsd.org/changeset/base/306684

Log:
  pf: remove fastroute tag
  
  The tag fastroute came from ipf and was removed in OpenBSD in 2011. The code
  allows skipping the inbound pfil hooks and completely removes the outbound
  pfil invocation, albeit looking up a route that the IP stack will likely
  find on its own.
  The code between IPv4 and IPv6 is also inconsistent and marked as "XXX"
  for years.
  
  Submitted by: Franco Fichtner <fra...@opnsense.org>
  Differential Revision:        https://reviews.freebsd.org/D8058

Modified:
  head/sbin/pfctl/parse.y
  head/sbin/pfctl/pfctl_parser.c
  head/share/man/man5/pf.conf.5
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_ioctl.c

Modified: head/sbin/pfctl/parse.y
==============================================================================
--- head/sbin/pfctl/parse.y     Tue Oct  4 18:07:33 2016        (r306683)
+++ head/sbin/pfctl/parse.y     Tue Oct  4 19:35:14 2016        (r306684)
@@ -2330,7 +2330,7 @@ pfrule            : action dir logquick interface 
                                        memcpy(&r.rpool.key, $5.key,
                                            sizeof(struct pf_poolhashkey));
                        }
-                       if (r.rt && r.rt != PF_FASTROUTE) {
+                       if (r.rt) {
                                decide_address_family($5.host, &r.af);
                                remove_invalid_hosts(&$5.host, &r.af);
                                if ($5.host == NULL) {
@@ -4416,8 +4416,9 @@ route             : /* empty */                   {
                        $$.pool_opts = 0;
                }
                | FASTROUTE {
+                       /* backwards-compat */
                        $$.host = NULL;
-                       $$.rt = PF_FASTROUTE;
+                       $$.rt = 0;
                        $$.pool_opts = 0;
                }
                | ROUTETO routespec pool_opts {
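Review bot: The `FASTROUTE` production now accepts the keyword and silently turns it into a rule with no route option (`$$.rt = 0`), so an existing pf.conf still loads without any diagnostic even though the rule no longer behaves as written. According to the log, fastroute used to change which pfil hooks a packet passed through, so an operator should be told the keyword is ignored; a one-line deprecation warning on stderr from this action would do that. The comment could also say what the compatibility consists of, e.g. `/* backwards-compat: keyword still parsed but ignored, rule gets no route option */`. The pf.conf.5 hunk in this commit drops the keyword from the grammar, so without a warning the parser accepts syntax that is no longer documented.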

Modified: head/sbin/pfctl/pfctl_parser.c
==============================================================================
--- head/sbin/pfctl/pfctl_parser.c      Tue Oct  4 18:07:33 2016        
(r306683)
+++ head/sbin/pfctl/pfctl_parser.c      Tue Oct  4 19:35:14 2016        
(r306684)
@@ -778,12 +778,8 @@ print_rule(struct pf_rule *r, const char
                        printf(" reply-to");
                else if (r->rt == PF_DUPTO)
                        printf(" dup-to");
-               else if (r->rt == PF_FASTROUTE)
-                       printf(" fastroute");
-               if (r->rt != PF_FASTROUTE) {
-                       printf(" ");
-                       print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
-               }
+               printf(" ");
+               print_pool(&r->rpool, 0, 0, r->af, PF_PASS);
        }
        if (r->af) {
                if (r->af == AF_INET)

Modified: head/share/man/man5/pf.conf.5
==============================================================================
--- head/share/man/man5/pf.conf.5       Tue Oct  4 18:07:33 2016        
(r306683)
+++ head/share/man/man5/pf.conf.5       Tue Oct  4 19:35:14 2016        
(r306684)
@@ -28,7 +28,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 9, 2016
+.Dd September 28, 2016
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -1874,10 +1874,6 @@ route the packet according to the type o
 When such a rule creates state, the route option is also applied to all
 packets matching the same connection.
 .Bl -tag -width xxxx
-.It Ar fastroute
-The
-.Ar fastroute
-option does a normal route lookup to find the next hop for the packet.
 .It Ar route-to
 The
 .Ar route-to
@@ -2839,7 +2835,7 @@ option         = "set" ( [ "timeout" ( t
 
 pf-rule        = action [ ( "in" | "out" ) ]
                  [ "log" [ "(" logopts ")"] ] [ "quick" ]
-                 [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ]
+                 [ "on" ifspec ] [ route ] [ af ] [ protospec ]
                  hosts [ filteropt-list ]
 
 logopts        = logopt [ "," logopts ]

Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c    Tue Oct  4 18:07:33 2016        (r306683)
+++ head/sys/netpfil/pf/pf.c    Tue Oct  4 19:35:14 2016        (r306684)
@@ -3632,7 +3632,7 @@ pf_create_state(struct pf_rule *r, struc
                s->timeout = PFTM_OTHER_FIRST_PACKET;
        }
 
-       if (r->rt && r->rt != PF_FASTROUTE) {
+       if (r->rt) {
                if (pf_map_addr(pd->af, r, pd->src, &s->rt_addr, NULL, &sn)) {
                        REASON_SET(&reason, PFRES_MAPFAILED);
                        pf_src_tree_remove_state(s);
@@ -5439,41 +5439,24 @@ pf_route(struct mbuf **m, struct pf_rule
        dst.sin_len = sizeof(dst);
        dst.sin_addr = ip->ip_dst;
 
-       if (r->rt == PF_FASTROUTE) {
-               struct nhop4_basic nh4;
-
-               if (s)
-                       PF_STATE_UNLOCK(s);
-
-               if (fib4_lookup_nh_basic(M_GETFIB(m0), ip->ip_dst, 0,
-                   m0->m_pkthdr.flowid, &nh4) != 0) {
-                       KMOD_IPSTAT_INC(ips_noroute);
-                       error = EHOSTUNREACH;
-                       goto bad;
-               }
-
-               ifp = nh4.nh_ifp;
-               dst.sin_addr = nh4.nh_addr;
+       if (TAILQ_EMPTY(&r->rpool.list)) {
+               DPFPRINTF(PF_DEBUG_URGENT,
+                   ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
+               goto bad_locked;
+       }
+       if (s == NULL) {
+               pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
+                   &naddr, NULL, &sn);
+               if (!PF_AZERO(&naddr, AF_INET))
+                       dst.sin_addr.s_addr = naddr.v4.s_addr;
+               ifp = r->rpool.cur->kif ?
+                   r->rpool.cur->kif->pfik_ifp : NULL;
        } else {
-               if (TAILQ_EMPTY(&r->rpool.list)) {
-                       DPFPRINTF(PF_DEBUG_URGENT,
-                           ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));
-                       goto bad_locked;
-               }
-               if (s == NULL) {
-                       pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src,
-                           &naddr, NULL, &sn);
-                       if (!PF_AZERO(&naddr, AF_INET))
-                               dst.sin_addr.s_addr = naddr.v4.s_addr;
-                       ifp = r->rpool.cur->kif ?
-                           r->rpool.cur->kif->pfik_ifp : NULL;
-               } else {
-                       if (!PF_AZERO(&s->rt_addr, AF_INET))
-                               dst.sin_addr.s_addr =
-                                   s->rt_addr.v4.s_addr;
-                       ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
-                       PF_STATE_UNLOCK(s);
-               }
+               if (!PF_AZERO(&s->rt_addr, AF_INET))
+                       dst.sin_addr.s_addr =
+                           s->rt_addr.v4.s_addr;
+               ifp = s->rt_kif ? s->rt_kif->pfik_ifp : NULL;
+               PF_STATE_UNLOCK(s);
        }
        if (ifp == NULL)
                goto bad;
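Review bot: The return value of `pf_map_addr()` is ignored in the `s == NULL` branch, so a failed mapping falls through to the `PF_AZERO(&naddr, AF_INET)` test and the `r->rpool.cur->kif` dereference as if it had succeeded. pf_create_state in this same file checks the call and bails out with PFRES_MAPFAILED; the stateless path should stop as well, e.g. `if (pf_map_addr(AF_INET, r, (struct pf_addr *)&ip->ip_src, &naddr, NULL, &sn)) goto bad;`, assuming `bad` drops the packet as its name suggests. These lines are only re-indented by the commit, so the gap is carried over rather than introduced. Whether `naddr` is initialised before the call is not visible here, because pf_route starts and ends outside the hunk.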
@@ -5615,16 +5598,6 @@ pf_route6(struct mbuf **m, struct pf_rul
        dst.sin6_len = sizeof(dst);
        dst.sin6_addr = ip6->ip6_dst;
 
-       /* Cheat. XXX why only in the v6 case??? */
-       if (r->rt == PF_FASTROUTE) {
-               if (s)
-                       PF_STATE_UNLOCK(s);
-               m0->m_flags |= M_SKIP_FIREWALL;
-               ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
-               *m = NULL;
-               return;
-       }
-
        if (TAILQ_EMPTY(&r->rpool.list)) {
                DPFPRINTF(PF_DEBUG_URGENT,
                    ("%s: TAILQ_EMPTY(&r->rpool.list)\n", __func__));

Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c      Tue Oct  4 18:07:33 2016        
(r306683)
+++ head/sys/netpfil/pf/pf_ioctl.c      Tue Oct  4 19:35:14 2016        
(r306684)
@@ -1267,7 +1267,7 @@ pfioctl(struct cdev *dev, u_long cmd, ca
                pf_mv_pool(&V_pf_pabuf, &rule->rpool.list);
                if (((((rule->action == PF_NAT) || (rule->action == PF_RDR) ||
                    (rule->action == PF_BINAT)) && rule->anchor == NULL) ||
-                   (rule->rt > PF_FASTROUTE)) &&
+                   (rule->rt > PF_NOPFROUTE)) &&
                    (TAILQ_FIRST(&rule->rpool.list) == NULL))
                        error = EINVAL;
 
@@ -1527,7 +1527,7 @@ DIOCADDRULE_error:
                        if (((((newrule->action == PF_NAT) ||
                            (newrule->action == PF_RDR) ||
                            (newrule->action == PF_BINAT) ||
-                           (newrule->rt > PF_FASTROUTE)) &&
+                           (newrule->rt > PF_NOPFROUTE)) &&
                            !newrule->anchor)) &&
                            (TAILQ_FIRST(&newrule->rpool.list) == NULL))
                                error = EINVAL;
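Review bot: Both `rt` checks in pfioctl (`rule->rt > PF_NOPFROUTE` in the previous hunk and `newrule->rt > PF_NOPFROUTE` here) only require a non-empty pool, so a rule that arrives with the numeric value that used to mean fastroute is rejected when its pool is empty but accepted when a pool is attached. pfvar.h is not among the modified files, so the `PF_FASTROUTE` constant appears to remain in the enum, and an older or third-party ioctl client can still send it. Since pf_create_state and pf_route now treat every non-zero `rt` alike, it would be safer to refuse the retired value at this boundary, e.g. `if (newrule->rt == PF_FASTROUTE) error = EINVAL;` (and the same for `rule->rt`), than to let it be reinterpreted as a routing rule. Both checks sit in the middle of pfioctl, which continues outside the hunks.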