From a93c9c2f4b37aa9bf348a26b638b270ae513144a Mon Sep 17 00:00:00 2001
From: Sepherosa Ziehau
Date: Thu, 18 Sep 2008 11:19:42 +0000
Subject: [PATCH] If there are no pfil hooks, just remove the dummynet tag (for packets that were trapped in pipes/queues before pfil hooks were deleted) and skip all firwall related operation.
---
 sys/netinet/ip_input.c | 39 +++++++++++++++++++++++----------------
 sys/netinet/ip_output.c | 26 +++++++++++++++++++-------
 2 files changed, 42 insertions(+), 23 deletions(-)
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 56e5878b92..42eee23c66 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -65,7 +65,7 @@
 *
 * @(#)ip_input.c 8.2 (Berkeley) 1/4/94
 * $FreeBSD: src/sys/netinet/ip_input.c,v 1.130.2.52 2003/03/07 07:01:28 silby Exp $
- * $DragonFly: src/sys/netinet/ip_input.c,v 1.106 2008/09/13 12:57:07 sephe Exp $
+ * $DragonFly: src/sys/netinet/ip_input.c,v 1.107 2008/09/18 11:19:42 sephe Exp $
 */
 
 #define _IP_VHL
@@ -541,6 +541,20 @@ iphack:
 if (next_hop != NULL)
 goto ours;
 
+ /* No pfil hooks */
+ if (!pfil_has_hooks(&inet_pfil_hook)) {
+ if (m->m_pkthdr.fw_flags & DUMMYNET_MBUF_TAGGED) {
+ /*
+ * Strip dummynet tags from stranded packets
+ */
+ mtag = m_tag_find(m, PACKET_TAG_DUMMYNET, NULL);
+ KKASSERT(mtag != NULL);
+ m_tag_delete(m, mtag);
+ m->m_pkthdr.fw_flags &= ~DUMMYNET_MBUF_TAGGED;
+ }
+ goto pass;
+ }
+
 /*
 * Run through list of hooks for input packets.
 *
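Review bot: The `/* No pfil hooks */` comment on the new early exit in the `@@ -541,6 +541,20 @@` hunk does not say that the branch fails open: a packet that comes back from a dummynet pipe after the hooks were removed goes to `pass` without the filtering it was queued under ever being finished. The commit message suggests this is intended, but it is a policy decision worth recording where the code makes it, for example `/* No pfil hooks: firewall is gone, so stranded packets are passed unfiltered rather than dropped */`. The identical block added to ip_output.c at `@@ -770,6 +770,20 @@` needs the same comment. The enclosing function starts and ends outside the hunk.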
@@ -548,18 +562,14 @@ iphack:
 * by NAT rewriting). When this happens, tell
 * ip_forward to do the right thing.
 */
- if (pfil_has_hooks(&inet_pfil_hook)) {
- odst = ip->ip_dst;
- if (pfil_run_hooks(&inet_pfil_hook, &m,
- m->m_pkthdr.rcvif, PFIL_IN)) {
- return;
- }
- if (m == NULL) /* consumed by filter */
- return;
- ip = mtod(m, struct ip *);
- hlen = IP_VHL_HL(ip->ip_vhl) << 2;
- using_srcrt = (odst.s_addr != ip->ip_dst.s_addr);
- }
+ odst = ip->ip_dst;
+ if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif, PFIL_IN))
+ return;
+ if (m == NULL) /* consumed by filter */
+ return;
+ ip = mtod(m, struct ip *);
+ hlen = IP_VHL_HL(ip->ip_vhl) << 2;
+ using_srcrt = (odst.s_addr != ip->ip_dst.s_addr);
 
 if (m->m_pkthdr.fw_flags & IPFORWARD_MBUF_TAGGED) {
 mtag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
@@ -574,10 +584,7 @@ iphack:
 needredispatch = TRUE;
 m->m_pkthdr.fw_flags &= ~FW_MBUF_REDISPATCH;
 }
-
-#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
 pass:
-#endif
 /*
 * Process options and, if not destined for us,
 * ship it on. ip_dooptions returns 1 when an
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 5b06c9de64..802fc30544 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -28,7 +28,7 @@
 *
 * @(#)ip_output.c 8.3 (Berkeley) 1/21/94
 * $FreeBSD: src/sys/netinet/ip_output.c,v 1.99.2.37 2003/04/15 06:44:45 silby Exp $
- * $DragonFly: src/sys/netinet/ip_output.c,v 1.63 2008/09/13 12:57:07 sephe Exp $
+ * $DragonFly: src/sys/netinet/ip_output.c,v 1.64 2008/09/18 11:19:42 sephe Exp $
 */
 
 #define _IP_VHL
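Review bot: With the `pfil_has_hooks()` guard removed, the `pfil_run_hooks()` call in the `@@ -548,18 +562,14 @@` hunk is correct only because of the early `goto pass` added higher up in the same function, and nothing at the call site says so. A one-line comment above `odst = ip->ip_dst;`, such as `/* pfil hooks are present; the no-hook case already jumped to pass */`, would keep a later edit from moving or dropping that early exit unnoticed. The same applies to the unguarded call in ip_output.c at `@@ -781,12 +795,10 @@`. If hooks can be unregistered between the check and this call, a dummynet-tagged packet would presumably continue with its tag still attached; whether that window exists cannot be told from the hunk.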
@@ -770,6 +770,20 @@ spd_done:
 if (next_hop != NULL)
 goto pass;
 
+ /* No pfil hooks */
+ if (!pfil_has_hooks(&inet_pfil_hook)) {
+ if (m->m_pkthdr.fw_flags & DUMMYNET_MBUF_TAGGED) {
+ /*
+ * Strip dummynet tags from stranded packets
+ */
+ mtag = m_tag_find(m, PACKET_TAG_DUMMYNET, NULL);
+ KKASSERT(mtag != NULL);
+ m_tag_delete(m, mtag);
+ m->m_pkthdr.fw_flags &= ~DUMMYNET_MBUF_TAGGED;
+ }
+ goto pass;
+ }
+
 /*
 * IpHack's section.
 * - Xlate: translate packet's addr/port (NAT).
@@ -781,12 +795,10 @@ spd_done:
 /*
 * Run through list of hooks for output packets.
 */
- if (pfil_has_hooks(&inet_pfil_hook)) {
- error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT);
- if (error != 0 || m == NULL)
- goto done;
- ip = mtod(m, struct ip *);
- }
+ error = pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_OUT);
+ if (error != 0 || m == NULL)
+ goto done;
+ ip = mtod(m, struct ip *);
 
 if (m->m_pkthdr.fw_flags & IPFORWARD_MBUF_TAGGED) {
 /*
-- 
2.41.0
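Review bot: The tag-stripping block in the `@@ -770,6 +770,20 @@` hunk is a line-for-line copy of the one this commit adds to ip_input.c, so the flag test, the `KKASSERT` and the flag clearing now have to be kept in step in two files. Moving those statements into one small static inline helper that takes the mbuf, declared where both files can see it, leaves each call site as a two-line branch. The helper name below is only a suggestion, and the enclosing function extends beyond the hunk.

```c
/* Strip the dummynet tag from a packet stranded in a pipe/queue. */
static __inline void
ip_strip_dummynet_tag(struct mbuf *m)	/* suggested name */
{
	struct m_tag *mtag;

	if ((m->m_pkthdr.fw_flags & DUMMYNET_MBUF_TAGGED) == 0)
		return;
	mtag = m_tag_find(m, PACKET_TAG_DUMMYNET, NULL);
	KKASSERT(mtag != NULL);
	m_tag_delete(m, mtag);
	m->m_pkthdr.fw_flags &= ~DUMMYNET_MBUF_TAGGED;
}

/* call site, same in ip_input.c and ip_output.c */
if (!pfil_has_hooks(&inet_pfil_hook)) {
	ip_strip_dummynet_tag(m);
	goto pass;
}
```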