author | dr146992 <none@none> | 2008-07-18 15:44:15 -0700 |
---|---|---|
committer | dr146992 <none@none> | 2008-07-18 15:44:15 -0700 |
commit | cbded9ae11944b2d8ab0ae13e5dbd0881ddba98c (patch) | |
tree | fe93932ca11f5b39515d4715a98ade27d72d0942 /usr/src | |
parent | 31c83a1b44505db718ee9088db1ce16bd9205d86 (diff) | |
6719268 enabling ipfilter causes up to 80% or more drop in packet throughput for multi-stream workloads
6721215 ipfilter panic in ipf:fr_derefrule after restoring state table
6723213 IPfilter: NAT suffers performance hit by holding exclusive locks longer than required
Diffstat (limited to 'usr/src')
-rw-r--r-- | usr/src/cmd/ipf/tools/ip_fil.c | 2 | ||||
-rw-r--r-- | usr/src/cmd/ipf/tools/ipftest.c | 2 | ||||
-rw-r--r-- | usr/src/uts/common/inet/ipf/fil.c | 130 | ||||
-rw-r--r-- | usr/src/uts/common/inet/ipf/ip_fil_solaris.c | 196 | ||||
-rw-r--r-- | usr/src/uts/common/inet/ipf/ip_nat.c | 52 | ||||
-rw-r--r-- | usr/src/uts/common/inet/ipf/ip_state.c | 1 | ||||
-rw-r--r-- | usr/src/uts/common/inet/ipf/netinet/ip_fil.h | 8 | ||||
-rw-r--r-- | usr/src/uts/common/inet/ipf/netinet/ipf_stack.h | 16 | ||||
-rw-r--r-- | usr/src/uts/common/inet/ipf/solaris.c | 2 |
9 files changed, 222 insertions, 187 deletions
diff --git a/usr/src/cmd/ipf/tools/ip_fil.c b/usr/src/cmd/ipf/tools/ip_fil.c index daf170f41d..52fa867504 100644 --- a/usr/src/cmd/ipf/tools/ip_fil.c +++ b/usr/src/cmd/ipf/tools/ip_fil.c @@ -362,8 +362,6 @@ int mode; if (!(mode & FWRITE)) error = EPERM; else { - bzero((char *)ifs->ifs_frcache, - sizeof(ifs->ifs_frcache[0]) * 2); *(u_int *)data = ifs->ifs_fr_active; ifs->ifs_fr_active = 1 - ifs->ifs_fr_active; } diff --git a/usr/src/cmd/ipf/tools/ipftest.c b/usr/src/cmd/ipf/tools/ipftest.c index 37b47b6dbe..4463e132de 100644 --- a/usr/src/cmd/ipf/tools/ipftest.c +++ b/usr/src/cmd/ipf/tools/ipftest.c @@ -109,13 +109,11 @@ char *argv[]; #endif ipftuneable_alloc(ifs); - bzero((char *)ifs->ifs_frcache, sizeof(ifs->ifs_frcache)); MUTEX_INIT(&ifs->ifs_ipf_rw, "ipf rw mutex"); MUTEX_INIT(&ifs->ifs_ipf_timeoutlock, "ipf timeout lock"); RWLOCK_INIT(&ifs->ifs_ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ifs->ifs_ipf_mutex, "ipf filter rwlock"); RWLOCK_INIT(&ifs->ifs_ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); - RWLOCK_INIT(&ifs->ifs_ipf_frcache, "ipf cache rwlock"); fr_loginit(ifs); fr_authinit(ifs); diff --git a/usr/src/uts/common/inet/ipf/fil.c b/usr/src/uts/common/inet/ipf/fil.c index f8c8050062..f38a3a23a2 100644 --- a/usr/src/uts/common/inet/ipf/fil.c +++ b/usr/src/uts/common/inet/ipf/fil.c @@ -189,6 +189,9 @@ int fr_features = 0 #endif ; +#define IPF_BUMP(x) (x)++ + +static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int)); static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int)); static int fr_portcheck __P((frpcmp_t *, u_short *)); static int frflushlist __P((int, minor_t, int *, frentry_t **, @@ -1975,7 +1978,7 @@ u_32_t pass; * it, except for increasing the hit counter. */ if ((passt & FR_CALLNOW) != 0) { - ATOMIC_INC64(fr->fr_hits); + IPF_BUMP(fr->fr_hits); if ((fr->fr_func != NULL) && (fr->fr_func != (ipfunc_t)-1)) { frentry_t *frs; 
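Review bot: The fil.c hunk at -189 adds `static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));` directly above the identical declaration that is already there, so the prototype is now duplicated; the added line should be dropped. `#define IPF_BUMP(x) (x)++` then replaces every ATOMIC_INC64 on fr_hits and ATOMIC_INCL on the ifs_frstats counters in this file with an unsynchronised read-modify-write, which is presumably the intended throughput trade for 6719268 but means concurrent CPUs can lose increments and, for the 64-bit fr_hits on a 32-bit kernel, expose torn values to readers. That contract belongs on the macro itself, e.g. `/* IPF_BUMP: non-atomic statistics bump; lost updates under contention are accepted. Not for refcounts or anything that gates a decision. */`.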
@@ -2004,9 +2007,9 @@ u_32_t pass; passt &= ~FR_CMDMASK; passt |= FR_BLOCK|FR_QUICK; } - ATOMIC_INCL(ifs->ifs_frstats[fin->fin_out].fr_skip); + IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_skip); } - ATOMIC_INCL(ifs->ifs_frstats[fin->fin_out].fr_pkl); + IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_pkl); logged = 1; } #endif /* IPFILTER_LOG */ @@ -2019,7 +2022,7 @@ u_32_t pass; if (passt & (FR_RETICMP|FR_FAKEICMP)) fin->fin_icode = fr->fr_icode; FR_DEBUG(("pass %#x\n", pass)); - ATOMIC_INC64(fr->fr_hits); + IPF_BUMP(fr->fr_hits); fin->fin_rule = rulen; (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN); if (fr->fr_grp != NULL) { @@ -2048,9 +2051,9 @@ u_32_t pass; int out = fin->fin_out; if (fr_addstate(fin, NULL, 0) != NULL) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_ads); + IPF_BUMP(ifs->ifs_frstats[out].fr_ads); } else { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_bads); + IPF_BUMP(ifs->ifs_frstats[out].fr_bads); pass = passo; continue; } @@ -2101,7 +2104,7 @@ u_32_t *passp; fin->fin_fr = fr; pass = fr_scanlist(fin, FR_NOMATCH); if (FR_ISACCOUNT(pass)) { - ATOMIC_INCL(ifs->ifs_frstats[0].fr_acct); + IPF_BUMP(ifs->ifs_frstats[0].fr_acct); } fin->fin_fr = frsave; bcopy(group, fin->fin_group, FR_GROUPLEN); @@ -2129,7 +2132,6 @@ fr_info_t *fin; u_32_t *passp; { frentry_t *fr; - fr_info_t *fc; u_32_t pass; int out; ipf_stack_t *ifs = fin->fin_ifs; 
@@ -2137,48 +2139,19 @@ u_32_t *passp; out = fin->fin_out; pass = *passp; - /* - * If a packet is found in the auth table, then skip checking - * the access lists for permission but we do need to consider - * the result as if it were from the ACL's. - */ - fc = &ifs->ifs_frcache[out][CACHE_HASH(fin)]; - READ_ENTER(&ifs->ifs_ipf_frcache); - if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) { - /* - * copy cached data so we can unlock the mutexes earlier. - */ - bcopy((char *)fc, (char *)fin, FI_COPYSIZE); - RWLOCK_EXIT(&ifs->ifs_ipf_frcache); - ATOMIC_INCL(ifs->ifs_frstats[out].fr_chit); - - if ((fr = fin->fin_fr) != NULL) { - ATOMIC_INC64(fr->fr_hits); - pass = fr->fr_flags; - } - } else { - RWLOCK_EXIT(&ifs->ifs_ipf_frcache); - #ifdef USE_INET6 - if (fin->fin_v == 6) - fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active]; - else + if (fin->fin_v == 6) + fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active]; + else #endif - fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active]; - if (fin->fin_fr != NULL) - pass = fr_scanlist(fin, ifs->ifs_fr_pass); + fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active]; + if (fin->fin_fr != NULL) + pass = fr_scanlist(fin, ifs->ifs_fr_pass); - if (((pass & FR_KEEPSTATE) == 0) && - ((fin->fin_flx & FI_DONTCACHE) == 0)) { - WRITE_ENTER(&ifs->ifs_ipf_frcache); - bcopy((char *)fin, (char *)fc, FI_COPYSIZE); - RWLOCK_EXIT(&ifs->ifs_ipf_frcache); - } - if ((pass & FR_NOMATCH)) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_nom); - } - fr = fin->fin_fr; + if ((pass & FR_NOMATCH)) { + IPF_BUMP(ifs->ifs_frstats[out].fr_nom); } + fr = fin->fin_fr; /* * Apply packets per second rate-limiting to a rule as required. @@ -2187,7 +2160,7 @@ u_32_t *passp; !ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) { pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST); pass |= FR_BLOCK; - ATOMIC_INCL(ifs->ifs_frstats[out].fr_ppshit); + IPF_BUMP(ifs->ifs_frstats[out].fr_ppshit); } /* 
@@ -2229,12 +2202,12 @@ u_32_t *passp; if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { if (fin->fin_flx & FI_FRAG) { if (fr_newfrag(fin, pass) == -1) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_bnfr); + IPF_BUMP(ifs->ifs_frstats[out].fr_bnfr); } else { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_nfr); + IPF_BUMP(ifs->ifs_frstats[out].fr_nfr); } } else { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_cfr); + IPF_BUMP(ifs->ifs_frstats[out].fr_cfr); } } @@ -2243,9 +2216,9 @@ u_32_t *passp; */ if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) { if (fr_addstate(fin, NULL, 0) != NULL) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_ads); + IPF_BUMP(ifs->ifs_frstats[out].fr_ads); } else { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_bads); + IPF_BUMP(ifs->ifs_frstats[out].fr_bads); if (FR_ISPASS(pass)) { pass &= ~FR_CMDMASK; pass |= FR_BLOCK; @@ -2341,10 +2314,8 @@ ipf_stack_t *ifs; return 2; # endif - READ_ENTER(&ifs->ifs_ipf_global); if (ifs->ifs_fr_running <= 0) { - RWLOCK_EXIT(&ifs->ifs_ipf_global); return 0; } @@ -2391,7 +2362,6 @@ ipf_stack_t *ifs; # endif /* CSUM_DELAY_DATA */ # endif /* MENTAT */ #else - READ_ENTER(&ifs->ifs_ipf_global); bzero((char *)fin, sizeof(*fin)); m = *mp; @@ -2413,7 +2383,7 @@ ipf_stack_t *ifs; #ifdef USE_INET6 if (v == 6) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_ipv6); + IPF_BUMP(ifs->ifs_frstats[out].fr_ipv6); /* * Jumbo grams are quite likely too big for internal buffer * structures to handle comfortably, for now, so just drop @@ -2454,12 +2424,12 @@ ipf_stack_t *ifs; if (v == 4) { #ifdef _KERNEL if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) { - ATOMIC_INCL(ifs->ifs_frstats[0].fr_badsrc); + IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc); fin->fin_flx |= FI_BADSRC; } #endif if (fin->fin_ip->ip_ttl < ifs->ifs_fr_minttl) { - ATOMIC_INCL(ifs->ifs_frstats[0].fr_badttl); + IPF_BUMP(ifs->ifs_frstats[0].fr_badttl); fin->fin_flx |= FI_LOWTTL; } } 
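Review bot: Dropping `READ_ENTER(&ifs->ifs_ipf_global)` in the -2341 hunk (and in the `#else` branch at -2391, with the matching `RWLOCK_EXIT` removed at -2648 on the next line) means fr_check reads `ifs->ifs_fr_running` and then runs the whole filter pass with no hold on ipf_global, while ipf_stack_fini in solaris.c (last file of this commit) still holds ipf_global right up to the point where it RW_DESTROYs the locks and KFREEs ifs; the lock therefore no longer keeps an in-flight packet out of stack teardown. If the intended guarantee is that the hooks are unregistered, and the hook framework drains callers, before ipf_stack_fini gets that far, that should be stated where the lock used to be, e.g. `/* No ipf_global held here: hook unregistration must drain fr_check before ipf_stack_fini tears ifs down. */`; if no such guarantee exists, the fr_running test is now a time-of-check race against teardown. fr_check begins and ends outside this hunk.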
@@ -2468,12 +2438,12 @@ ipf_stack_t *ifs; ip6 = (ip6_t *)ip; #ifdef _KERNEL if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) { - ATOMIC_INCL(ifs->ifs_frstats[0].fr_badsrc); + IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc); fin->fin_flx |= FI_BADSRC; } #endif if (ip6->ip6_hlim < ifs->ifs_fr_minttl) { - ATOMIC_INCL(ifs->ifs_frstats[0].fr_badttl); + IPF_BUMP(ifs->ifs_frstats[0].fr_badttl); fin->fin_flx |= FI_LOWTTL; } } @@ -2481,7 +2451,7 @@ ipf_stack_t *ifs; } if (fin->fin_flx & FI_SHORT) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_short); + IPF_BUMP(ifs->ifs_frstats[out].fr_short); } READ_ENTER(&ifs->ifs_ipf_mutex); @@ -2526,11 +2496,11 @@ ipf_stack_t *ifs; goto finished; } else if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) { if (fr_updateipid(fin) == -1) { - ATOMIC_INCL(ifs->ifs_frstats[1].fr_ipud); + IPF_BUMP(ifs->ifs_frstats[1].fr_ipud); pass &= ~FR_CMDMASK; pass |= FR_BLOCK; } else { - ATOMIC_INCL(ifs->ifs_frstats[0].fr_ipud); + IPF_BUMP(ifs->ifs_frstats[0].fr_ipud); } } } @@ -2575,11 +2545,11 @@ ipf_stack_t *ifs; else dst = 0; (void) fr_send_icmp_err(ICMP_UNREACH, fin, dst); - ATOMIC_INCL(ifs->ifs_frstats[0].fr_ret); + IPF_BUMP(ifs->ifs_frstats[0].fr_ret); } else if (((pass & FR_RETMASK) == FR_RETRST) && !(fin->fin_flx & FI_SHORT)) { if (fr_send_reset(fin) == 0) { - ATOMIC_INCL(ifs->ifs_frstats[1].fr_ret); + IPF_BUMP(ifs->ifs_frstats[1].fr_ret); } } } else { @@ -2632,13 +2602,13 @@ filtered: finished: if (!FR_ISPASS(pass)) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_block); + IPF_BUMP(ifs->ifs_frstats[out].fr_block); if (*mp != NULL) { FREE_MB_T(*mp); m = *mp = NULL; } } else { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_pass); + IPF_BUMP(ifs->ifs_frstats[out].fr_pass); #if defined(_KERNEL) && defined(__sgi) if ((fin->fin_hbuf != NULL) && (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) { @@ -2648,7 +2618,6 @@ finished: } SPL_X(s); - RWLOCK_EXIT(&ifs->ifs_ipf_global); #ifdef _KERNEL # if OpenBSD >= 200311 
@@ -2716,22 +2685,22 @@ u_32_t *passp; if ((ifs->ifs_fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) { pass |= FF_LOGNOMATCH; - ATOMIC_INCL(ifs->ifs_frstats[out].fr_npkl); + IPF_BUMP(ifs->ifs_frstats[out].fr_npkl); goto logit; } else if (((pass & FR_LOGMASK) == FR_LOGP) || (FR_ISPASS(pass) && (ifs->ifs_fr_flags & FF_LOGPASS))) { if ((pass & FR_LOGMASK) != FR_LOGP) pass |= FF_LOGPASS; - ATOMIC_INCL(ifs->ifs_frstats[out].fr_ppkl); + IPF_BUMP(ifs->ifs_frstats[out].fr_ppkl); goto logit; } else if (((pass & FR_LOGMASK) == FR_LOGB) || (FR_ISBLOCK(pass) && (ifs->ifs_fr_flags & FF_LOGBLOCK))) { if ((pass & FR_LOGMASK) != FR_LOGB) pass |= FF_LOGBLOCK; - ATOMIC_INCL(ifs->ifs_frstats[out].fr_bpkl); + IPF_BUMP(ifs->ifs_frstats[out].fr_bpkl); logit: if (ipflog(fin, pass) == -1) { - ATOMIC_INCL(ifs->ifs_frstats[out].fr_skip); + IPF_BUMP(ifs->ifs_frstats[out].fr_skip); /* * If the "or-block" option has been used then @@ -3432,7 +3401,6 @@ ipf_stack_t *ifs; int flushed = 0, set; WRITE_ENTER(&ifs->ifs_ipf_mutex); - bzero((char *)&ifs->ifs_frcache, sizeof (ifs->ifs_frcache)); set = ifs->ifs_fr_active; if ((flags & FR_INACTIVE) == FR_INACTIVE) @@ -4371,7 +4339,6 @@ ipf_stack_t *ifs; fp->fr_cksum += *p; WRITE_ENTER(&ifs->ifs_ipf_mutex); - bzero((char *)&ifs->ifs_frcache, sizeof (ifs->ifs_frcache)); for (; (f = *ftail) != NULL; ftail = &f->fr_next) { if ((fp->fr_cksum != f->fr_cksum) || @@ -4401,7 +4368,6 @@ ipf_stack_t *ifs; * copied out into user space. */ bcopy((char *)f, (char *)fp, sizeof(*f)); - /* MUTEX_DOWNGRADE(&ipf_mutex); */ /* * When we copy this rule back out, set the data 
@@ -5144,12 +5110,15 @@ ipf_stack_t *ifs; /* * Is the operation here going to be a no-op ? */ - MUTEX_ENTER(&oifq->ifq_lock); - if (oifq == nifq && *oifq->ifq_tail == tqe) { - MUTEX_EXIT(&oifq->ifq_lock); - return; + tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl; + if (oifq == nifq) { + if (tqe->tqe_next == NULL) + return; + if (tqe->tqe_next->tqe_die == tqe->tqe_die) + return; } + MUTEX_ENTER(&oifq->ifq_lock); /* * Remove from the old queue */ @@ -5181,7 +5150,6 @@ ipf_stack_t *ifs; /* * Add to the bottom of the new queue */ - tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl; tqe->tqe_pnext = nifq->ifq_tail; *nifq->ifq_tail = tqe; nifq->ifq_tail = &tqe->tqe_next; @@ -5859,7 +5827,7 @@ fr_info_t *fin; #if defined(_KERNEL) if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) { - ATOMIC_INCL(ifs->ifs_fr_badcoalesces[fin->fin_out]); + IPF_BUMP(ifs->ifs_fr_badcoalesces[fin->fin_out]); # ifdef MENTAT FREE_MB_T(*fin->fin_mp); # endif diff --git a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c index e44f0c6967..36f374d586 100644 --- a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c +++ b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c 
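Review bot: fr_movequeue now writes `tqe->tqe_die` and reads `tqe->tqe_next` and `tqe->tqe_next->tqe_die` before `MUTEX_ENTER(&oifq->ifq_lock)`, whereas the test it replaces (`*oifq->ifq_tail == tqe`) ran under that mutex; unless every caller already holds a lock that serialises membership of the queue (the state/NAT write locks, which the hunk does not show), a concurrent removal of the neighbouring entry can make the `tqe_next->tqe_die` read a use-after-unlink. Moving the `tqe_die` assignment ahead of the early return (the -5181 hunk drops it from the bottom of the function) also changes behaviour: an entry already at the tail now has its expiry refreshed, which the old code skipped — presumably intentional, but the `Is the operation here going to be a no-op ?` comment no longer describes what follows and should say that the new timeout is applied first and the move is skipped only when queue ordering would be unchanged. The function starts and ends outside the hunk.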
@@ -73,15 +73,24 @@ static int ipf_nic_event_v4 __P((hook_event_token_t, hook_data_t, netstack_t *)); static int ipf_nic_event_v6 __P((hook_event_token_t, hook_data_t, netstack_t *)); -static int ipf_hook_out __P((hook_event_token_t, hook_data_t, +static int ipf_hook4_out __P((hook_event_token_t, hook_data_t, netstack_t *)); -static int ipf_hook_in __P((hook_event_token_t, hook_data_t, +static int ipf_hook4_in __P((hook_event_token_t, hook_data_t, netstack_t *)); -static int ipf_hook_loop_out __P((hook_event_token_t, hook_data_t, +static int ipf_hook4_loop_out __P((hook_event_token_t, hook_data_t, netstack_t *)); -static int ipf_hook_loop_in __P((hook_event_token_t, hook_data_t, +static int ipf_hook4_loop_in __P((hook_event_token_t, hook_data_t, netstack_t *)); -static int ipf_hook __P((hook_data_t, int, int, netstack_t *)); +static int ipf_hook4 __P((hook_data_t, int, int, netstack_t *)); +static int ipf_hook6_out __P((hook_event_token_t, hook_data_t, + netstack_t *)); +static int ipf_hook6_in __P((hook_event_token_t, hook_data_t, + netstack_t *)); +static int ipf_hook6_loop_out __P((hook_event_token_t, hook_data_t, + netstack_t *)); +static int ipf_hook6_loop_in __P((hook_event_token_t, hook_data_t, + netstack_t *)); +static int ipf_hook6 __P((hook_data_t, int, int, netstack_t *)); extern int ipf_geniter __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *)); extern int ipf_frruleiter __P((void *, int, void *, ipf_stack_t *)); @@ -146,12 +155,12 @@ ipf_stack_t *ifs; if (ifs->ifs_ipf_ipv6 != NULL) { if (ifs->ifs_hook6_physical_in) { ifs->ifs_hook6_physical_in = (net_unregister_hook(ifs->ifs_ipf_ipv6, - NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) != 0); + NH_PHYSICAL_IN, &ifs->ifs_ipfhook6_in) != 0); } if (ifs->ifs_hook6_physical_out) { ifs->ifs_hook6_physical_out = (net_unregister_hook(ifs->ifs_ipf_ipv6, - NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) != 0); + NH_PHYSICAL_OUT, &ifs->ifs_ipfhook6_out) != 0); } if (ifs->ifs_hook6_nic_events) { ifs->ifs_hook6_nic_events = 
@@ -161,12 +170,12 @@ ipf_stack_t *ifs; if (ifs->ifs_hook6_loopback_in) { ifs->ifs_hook6_loopback_in = (net_unregister_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) != 0); } if (ifs->ifs_hook6_loopback_out) { ifs->ifs_hook6_loopback_out = (net_unregister_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) != 0); } if (net_release(ifs->ifs_ipf_ipv6) != 0) @@ -181,12 +190,12 @@ ipf_stack_t *ifs; if (ifs->ifs_hook4_physical_in) { ifs->ifs_hook4_physical_in = (net_unregister_hook(ifs->ifs_ipf_ipv4, - NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) != 0); + NH_PHYSICAL_IN, &ifs->ifs_ipfhook4_in) != 0); } if (ifs->ifs_hook4_physical_out) { ifs->ifs_hook4_physical_out = (net_unregister_hook(ifs->ifs_ipf_ipv4, - NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) != 0); + NH_PHYSICAL_OUT, &ifs->ifs_ipfhook4_out) != 0); } if (ifs->ifs_hook4_nic_events) { ifs->ifs_hook4_nic_events = @@ -196,12 +205,12 @@ ipf_stack_t *ifs; if (ifs->ifs_hook4_loopback_in) { ifs->ifs_hook4_loopback_in = (net_unregister_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) != 0); } if (ifs->ifs_hook4_loopback_out) { ifs->ifs_hook4_loopback_out = (net_unregister_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) != 0); } if (net_release(ifs->ifs_ipf_ipv4) != 0) @@ -267,7 +276,6 @@ netstack_t *ns; ifs->ifs_fr_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH; #endif - bzero((char *)ifs->ifs_frcache, sizeof(ifs->ifs_frcache)); MUTEX_INIT(&ifs->ifs_ipf_rw, "ipf rw mutex"); MUTEX_INIT(&ifs->ifs_ipf_timeoutlock, "ipf timeout lock mutex"); RWLOCK_INIT(&ifs->ifs_ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); 
@@ -279,11 +287,11 @@ netstack_t *ns; HOOK_INIT(&ifs->ifs_ipfhook_nicevents, ipf_nic_event_v4, "ipfilter_hook_nicevents"); - HOOK_INIT(&ifs->ifs_ipfhook_in, ipf_hook_in, "ipfilter_hook_in"); - HOOK_INIT(&ifs->ifs_ipfhook_out, ipf_hook_out, "ipfilter_hook_out"); - HOOK_INIT(&ifs->ifs_ipfhook_loop_in, ipf_hook_in, + HOOK_INIT(&ifs->ifs_ipfhook4_in, ipf_hook4_in, "ipfilter_hook_in"); + HOOK_INIT(&ifs->ifs_ipfhook4_out, ipf_hook4_out, "ipfilter_hook_out"); + HOOK_INIT(&ifs->ifs_ipfhook4_loop_in, ipf_hook4_in, "ipfilter_hook_loop_in"); - HOOK_INIT(&ifs->ifs_ipfhook_loop_out, ipf_hook_out, + HOOK_INIT(&ifs->ifs_ipfhook4_loop_out, ipf_hook4_out, "ipfilter_hook_loop_out"); /* @@ -307,25 +315,25 @@ netstack_t *ns; goto hookup_failed; ifs->ifs_hook4_physical_in = (net_register_hook(ifs->ifs_ipf_ipv4, - NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) == 0); + NH_PHYSICAL_IN, &ifs->ifs_ipfhook4_in) == 0); if (!ifs->ifs_hook4_physical_in) goto hookup_failed; ifs->ifs_hook4_physical_out = (net_register_hook(ifs->ifs_ipf_ipv4, - NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) == 0); + NH_PHYSICAL_OUT, &ifs->ifs_ipfhook4_out) == 0); if (!ifs->ifs_hook4_physical_out) goto hookup_failed; if (ifs->ifs_ipf_loopback) { ifs->ifs_hook4_loopback_in = (net_register_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) == 0); if (!ifs->ifs_hook4_loopback_in) goto hookup_failed; ifs->ifs_hook4_loopback_out = (net_register_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) == 0); if (!ifs->ifs_hook4_loopback_out) goto hookup_failed; } 
@@ -336,6 +344,13 @@ netstack_t *ns; if (ifs->ifs_ipf_ipv6 == NULL) goto hookup_failed; + HOOK_INIT(&ifs->ifs_ipfhook6_in, ipf_hook6_in, "ipfilter_hook_in"); + HOOK_INIT(&ifs->ifs_ipfhook6_out, ipf_hook6_out, "ipfilter_hook_out"); + HOOK_INIT(&ifs->ifs_ipfhook6_loop_in, ipf_hook6_in, + "ipfilter_hook_loop_in"); + HOOK_INIT(&ifs->ifs_ipfhook6_loop_out, ipf_hook6_out, + "ipfilter_hook_loop_out"); + HOOK_INIT(&ifs->ifs_ipfhook_nicevents, ipf_nic_event_v6, "ipfilter_hook_nicevents"); ifs->ifs_hook6_nic_events = (net_register_hook(ifs->ifs_ipf_ipv6, @@ -344,25 +359,25 @@ netstack_t *ns; goto hookup_failed; ifs->ifs_hook6_physical_in = (net_register_hook(ifs->ifs_ipf_ipv6, - NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) == 0); + NH_PHYSICAL_IN, &ifs->ifs_ipfhook6_in) == 0); if (!ifs->ifs_hook6_physical_in) goto hookup_failed; ifs->ifs_hook6_physical_out = (net_register_hook(ifs->ifs_ipf_ipv6, - NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) == 0); + NH_PHYSICAL_OUT, &ifs->ifs_ipfhook6_out) == 0); if (!ifs->ifs_hook6_physical_out) goto hookup_failed; if (ifs->ifs_ipf_loopback) { ifs->ifs_hook6_loopback_in = (net_register_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) == 0); if (!ifs->ifs_hook6_loopback_in) goto hookup_failed; ifs->ifs_hook6_loopback_out = (net_register_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) == 0); if (!ifs->ifs_hook6_loopback_out) goto hookup_failed; } 
@@ -442,25 +457,25 @@ ipf_stack_t *ifs; ifs->ifs_hook4_loopback_in = (net_register_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) == 0); if (!ifs->ifs_hook4_loopback_in) return EINVAL; ifs->ifs_hook4_loopback_out = (net_register_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) == 0); if (!ifs->ifs_hook4_loopback_out) return EINVAL; ifs->ifs_hook6_loopback_in = (net_register_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) == 0); if (!ifs->ifs_hook6_loopback_in) return EINVAL; ifs->ifs_hook6_loopback_out = (net_register_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) == 0); if (!ifs->ifs_hook6_loopback_out) return EINVAL; @@ -469,25 +484,25 @@ ipf_stack_t *ifs; ifs->ifs_hook4_loopback_in = (net_unregister_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) != 0); if (ifs->ifs_hook4_loopback_in) return EBUSY; ifs->ifs_hook4_loopback_out = (net_unregister_hook(ifs->ifs_ipf_ipv4, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) != 0); if (ifs->ifs_hook4_loopback_out) return EBUSY; ifs->ifs_hook6_loopback_in = (net_unregister_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0); + NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) != 0); if (ifs->ifs_hook6_loopback_in) return EBUSY; ifs->ifs_hook6_loopback_out = (net_unregister_hook(ifs->ifs_ipf_ipv6, - NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0); + NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) != 0); if (ifs->ifs_hook6_loopback_out) return EBUSY; } 
@@ -633,9 +648,6 @@ int *rp; error = EPERM; else { WRITE_ENTER(&ifs->ifs_ipf_mutex); - /* Clear one fourth of the table */ - bzero((char *)&ifs->ifs_frcache, - sizeof (ifs->ifs_frcache[0]) * 2); error = COPYOUT((caddr_t)&ifs->ifs_fr_active, (caddr_t)data, sizeof(ifs->ifs_fr_active)); @@ -1829,9 +1841,14 @@ bad_fastroute: /* Calling ipf_hook. */ /* ------------------------------------------------------------------------ */ /*ARGSUSED*/ -int ipf_hook_out(hook_event_token_t token, hook_data_t info, netstack_t *ns) +int ipf_hook4_out(hook_event_token_t token, hook_data_t info, netstack_t *ns) { - return ipf_hook(info, 1, 0, ns); + return ipf_hook4(info, 1, 0, ns); +} +/*ARGSUSED*/ +int ipf_hook6_out(hook_event_token_t token, hook_data_t info, netstack_t *ns) +{ + return ipf_hook6(info, 1, 0, ns); } /* ------------------------------------------------------------------------ */ @@ -1843,9 +1860,14 @@ int ipf_hook_out(hook_event_token_t token, hook_data_t info, netstack_t *ns) /* Calling ipf_hook. */ /* ------------------------------------------------------------------------ */ /*ARGSUSED*/ -int ipf_hook_in(hook_event_token_t token, hook_data_t info, netstack_t *ns) +int ipf_hook4_in(hook_event_token_t token, hook_data_t info, netstack_t *ns) { - return ipf_hook(info, 0, 0, ns); + return ipf_hook4(info, 0, 0, ns); +} +/*ARGSUSED*/ +int ipf_hook6_in(hook_event_token_t token, hook_data_t info, netstack_t *ns) +{ + return ipf_hook6(info, 0, 0, ns); } 
@@ -1858,10 +1880,16 @@ int ipf_hook_in(hook_event_token_t token, hook_data_t info, netstack_t *ns) /* Calling ipf_hook. */ /* ------------------------------------------------------------------------ */ /*ARGSUSED*/ -int ipf_hook_loop_out(hook_event_token_t token, hook_data_t info, +int ipf_hook4_loop_out(hook_event_token_t token, hook_data_t info, + netstack_t *ns) +{ + return ipf_hook4(info, 1, FI_NOCKSUM, ns); +} +/*ARGSUSED*/ +int ipf_hook6_loop_out(hook_event_token_t token, hook_data_t info, netstack_t *ns) { - return ipf_hook(info, 1, 1, ns); + return ipf_hook6(info, 1, FI_NOCKSUM, ns); } /* ------------------------------------------------------------------------ */ @@ -1873,10 +1901,16 @@ int ipf_hook_loop_out(hook_event_token_t token, hook_data_t info, /* Calling ipf_hook. */ /* ------------------------------------------------------------------------ */ /*ARGSUSED*/ -int ipf_hook_loop_in(hook_event_token_t token, hook_data_t info, +int ipf_hook4_loop_in(hook_event_token_t token, hook_data_t info, + netstack_t *ns) +{ + return ipf_hook4(info, 0, FI_NOCKSUM, ns); +} +/*ARGSUSED*/ +int ipf_hook6_loop_in(hook_event_token_t token, hook_data_t info, netstack_t *ns) { - return ipf_hook(info, 0, 1, ns); + return ipf_hook6(info, 0, FI_NOCKSUM, ns); } /* ------------------------------------------------------------------------ */ @@ -1890,10 +1924,10 @@ int ipf_hook_loop_in(hook_event_token_t token, hook_data_t info, /* parameters out of the info structure and forms them up to be useful for */ /* calling ipfilter. */ /* ------------------------------------------------------------------------ */ -int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns) +int ipf_hook4(hook_data_t info, int out, int loopback, netstack_t *ns) { hook_pkt_event_t *fw; - int rval, v, hlen; + int rval, hlen; qpktinfo_t qpi; u_short swap; phy_if_t phy; 
@@ -1905,30 +1939,20 @@ int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns) phy = (out == 0) ? fw->hpe_ifp : fw->hpe_ofp; ip = fw->hpe_hdr; - v = ip->ip_v; - if (v == IPV4_VERSION) { - swap = ntohs(ip->ip_len); - ip->ip_len = swap; - swap = ntohs(ip->ip_off); - ip->ip_off = swap; - - hlen = IPH_HDR_LENGTH(ip); - } else - hlen = sizeof (ip6_t); - - bzero(&qpi, sizeof (qpktinfo_t)); + swap = ntohs(ip->ip_len); + ip->ip_len = swap; + swap = ntohs(ip->ip_off); + ip->ip_off = swap; + hlen = IPH_HDR_LENGTH(ip); qpi.qpi_m = fw->hpe_mb; qpi.qpi_data = fw->hpe_hdr; qpi.qpi_off = (char *)qpi.qpi_data - (char *)fw->hpe_mb->b_rptr; qpi.qpi_ill = (void *)phy; - qpi.qpi_flags = 0; - if (fw->hpe_flags & HPE_MULTICAST) - qpi.qpi_flags |= FI_MBCAST|FI_MULTICAST; - else if (fw->hpe_flags & HPE_BROADCAST) - qpi.qpi_flags = FI_MBCAST|FI_BROADCAST; - if (loopback) - qpi.qpi_flags |= FI_NOCKSUM; + qpi.qpi_flags = fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST); + if (qpi.qpi_flags) + qpi.qpi_flags |= FI_MBCAST; + qpi.qpi_flags |= loopback; rval = fr_check(fw->hpe_hdr, hlen, qpi.qpi_ill, out, &qpi, fw->hpe_mp, ns->netstack_ipf); @@ -1937,10 +1961,10 @@ int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns) if (rval == 0 && *(fw->hpe_mp) == NULL) rval = 1; - /* Notify IP the packet mblk_t and IP header pointers. */ + /* Notify IP the packet mblk_t and IP header pointers. */ fw->hpe_mb = qpi.qpi_m; fw->hpe_hdr = qpi.qpi_data; - if ((rval == 0) && (v == IPV4_VERSION)) { + if (rval == 0) { ip = qpi.qpi_data; swap = ntohs(ip->ip_len); ip->ip_len = swap; 
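Review bot: With `bzero(&qpi, sizeof (qpktinfo_t))` removed, ipf_hook4 now sets only qpi_m, qpi_data, qpi_off, qpi_ill and qpi_flags before handing &qpi to fr_check, so any further qpktinfo_t member (if the struct has one) reaches fr_check uninitialised; the new ipf_hook6 in the next hunk has the same shape and never zeroes qpi at all. The line `qpi.qpi_flags = fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST)` stores hook-framework bits straight into an FI_-flag word, which only works because ip_fil.h (later in this commit) renumbers FI_MULTICAST/FI_BROADCAST to 0x0001/0x0002 — presumably the HPE_ values — and nothing enforces that; a guard next to the hooks, `#if FI_MULTICAST != HPE_MULTICAST || FI_BROADCAST != HPE_BROADCAST` / `#error "FI_ and HPE_ multicast/broadcast bits must agree"` / `#endif`, would turn a silent mis-classification into a build failure. The `loopback` parameter is now a flag value (the wrappers pass FI_NOCKSUM) that is OR'ed in with `qpi.qpi_flags |= loopback`, so its name and the function header comment above the hunk no longer describe it; rename it `flags` or note `/* loopback: 0 or FI_NOCKSUM, OR'ed into qpi_flags */`.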
@@ -1950,6 +1974,42 @@ int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns) return rval; } +int ipf_hook6(hook_data_t info, int out, int loopback, netstack_t *ns) +{ + hook_pkt_event_t *fw; + int rval, hlen; + qpktinfo_t qpi; + phy_if_t phy; + + fw = (hook_pkt_event_t *)info; + + ASSERT(fw != NULL); + phy = (out == 0) ? fw->hpe_ifp : fw->hpe_ofp; + + hlen = sizeof (ip6_t); + + qpi.qpi_m = fw->hpe_mb; + qpi.qpi_data = fw->hpe_hdr; + qpi.qpi_off = (char *)qpi.qpi_data - (char *)fw->hpe_mb->b_rptr; + qpi.qpi_ill = (void *)phy; + qpi.qpi_flags = fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST); + if (qpi.qpi_flags) + qpi.qpi_flags |= FI_MBCAST; + qpi.qpi_flags |= loopback; + + rval = fr_check(fw->hpe_hdr, hlen, qpi.qpi_ill, out, + &qpi, fw->hpe_mp, ns->netstack_ipf); + + /* For fastroute cases, fr_check returns 0 with mp set to NULL */ + if (rval == 0 && *(fw->hpe_mp) == NULL) + rval = 1; + + /* Notify IP the packet mblk_t and IP header pointers. */ + fw->hpe_mb = qpi.qpi_m; + fw->hpe_hdr = qpi.qpi_data; + return rval; + +} /* ------------------------------------------------------------------------ */ diff --git a/usr/src/uts/common/inet/ipf/ip_nat.c b/usr/src/uts/common/inet/ipf/ip_nat.c index e13fe79053..994a9eb034 100644 --- a/usr/src/uts/common/inet/ipf/ip_nat.c +++ b/usr/src/uts/common/inet/ipf/ip_nat.c @@ -3699,11 +3699,11 @@ int fr_checknatout(fin, passp) fr_info_t *fin; u_32_t *passp; { + ipnat_t *np = NULL, *npnext; struct ifnet *ifp, *sifp; icmphdr_t *icmp = NULL; tcphdr_t *tcp = NULL; int rval, natfailed; - ipnat_t *np = NULL; u_int nflags = 0; u_32_t ipa, iph; int natadd = 1; 
@@ -3769,15 +3769,13 @@ u_32_t *passp; * If there is no current entry in the nat table for this IP#, * create one for it (if there is a matching rule). */ - RWLOCK_EXIT(&ifs->ifs_ipf_nat); msk = 0xffffffff; nmsk = ifs->ifs_nat_masks; - WRITE_ENTER(&ifs->ifs_ipf_nat); maskloop: iph = ipa & htonl(msk); hv = NAT_HASH_FN(iph, 0, ifs->ifs_ipf_natrules_sz); - for (np = ifs->ifs_nat_rules[hv]; np; np = np->in_mnext) - { + for (np = ifs->ifs_nat_rules[hv]; np; np = npnext) { + npnext = np->in_mnext; if ((np->in_ifps[1] && (np->in_ifps[1] != ifp))) continue; if (np->in_v != fin->fin_v) @@ -3804,12 +3802,20 @@ maskloop: continue; } - if ((nat = nat_new(fin, np, NULL, nflags, - NAT_OUTBOUND))) { + ATOMIC_INC32(np->in_use); + RWLOCK_EXIT(&ifs->ifs_ipf_nat); + WRITE_ENTER(&ifs->ifs_ipf_nat); + nat = nat_new(fin, np, NULL, nflags, NAT_OUTBOUND); + if (nat != NULL) { + np->in_use--; np->in_hits++; + MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat); break; - } else - natfailed = -1; + } + natfailed = -1; + npnext = np->in_mnext; + fr_ipnatderef(&np, ifs); + MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat); } if ((np == NULL) && (nmsk != 0)) { while (nmsk) { @@ -3823,7 +3829,6 @@ maskloop: goto maskloop; } } - MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat); } if (nat != NULL) { @@ -3986,7 +3991,7 @@ u_32_t nflags; i = 1; } else i = 1; - ATOMIC_INCL(ifs->ifs_nat_stats.ns_mapped[1]); + ifs->ifs_nat_stats.ns_mapped[1]++; fin->fin_flx |= FI_NATED; return i; } @@ -4012,13 +4017,13 @@ fr_info_t *fin; u_32_t *passp; { u_int nflags, natadd; + ipnat_t *np, *npnext; int rval, natfailed; struct ifnet *ifp; struct in_addr in; icmphdr_t *icmp; tcphdr_t *tcp; u_short dport; - ipnat_t *np; nat_t *nat; u_32_t iph; ipf_stack_t *ifs = fin->fin_ifs; 
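Review bot: In fr_checknatout's rule loop the lock is now released and re-taken per candidate rule (`RWLOCK_EXIT` / `WRITE_ENTER` around nat_new), and on the failure path `npnext = np->in_mnext` is re-read after the write lock is reacquired; the rule list may have changed while no lock was held, and the reference taken with `ATOMIC_INC32(np->in_use)` pins np itself, not whatever in_mnext now points to — confirm that the rule-removal path keeps in_mnext valid for a rule that is still referenced, or keep the npnext read from the top of the loop. On the success path `np->in_use--` is a bare decrement rather than fr_ipnatderef, so if IPN_DELETE was set on the rule while the lock was dropped its release depends on nat_new having taken its own reference; a comment such as `/* nat_new() holds its own ref on np; drop the loop's ref without derefing */` would make the asymmetry with the failure path deliberate. The fr_checknatin hunks on the next line have the identical structure. The -3986 hunk also turns `ATOMIC_INCL(ifs->ifs_nat_stats.ns_mapped[1])` into a plain `++` under what appears to be only a read lock, so that counter becomes best-effort.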
@@ -4079,10 +4084,8 @@ u_32_t *passp; } else { u_32_t hv, msk, rmsk; - RWLOCK_EXIT(&ifs->ifs_ipf_nat); rmsk = ifs->ifs_rdr_masks; msk = 0xffffffff; - WRITE_ENTER(&ifs->ifs_ipf_nat); /* * If there is no current entry in the nat table for this IP#, * create one for it (if there is a matching rule). @@ -4090,7 +4093,8 @@ u_32_t *passp; maskloop: iph = in.s_addr & htonl(msk); hv = NAT_HASH_FN(iph, 0, ifs->ifs_ipf_rdrrules_sz); - for (np = ifs->ifs_rdr_rules[hv]; np; np = np->in_rnext) { + for (np = ifs->ifs_rdr_rules[hv]; np; np = npnext) { + npnext = np->in_rnext; if (np->in_ifps[0] && (np->in_ifps[0] != ifp)) continue; if (np->in_v != fin->fin_v) @@ -4117,12 +4121,20 @@ maskloop: } } + ATOMIC_INC32(np->in_use); + RWLOCK_EXIT(&ifs->ifs_ipf_nat); + WRITE_ENTER(&ifs->ifs_ipf_nat); nat = nat_new(fin, np, NULL, nflags, NAT_INBOUND); if (nat != NULL) { + np->in_use--; np->in_hits++; + MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat); break; - } else - natfailed = -1; + } + natfailed = -1; + npnext = np->in_rnext; + fr_ipnatderef(&np, ifs); + MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat); } if ((np == NULL) && (rmsk != 0)) { @@ -4137,7 +4149,6 @@ maskloop: goto maskloop; } } - MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat); } if (nat != NULL) { rval = fr_natin(fin, nat, natadd, nflags); @@ -4303,7 +4314,7 @@ u_32_t nflags; } #endif - ATOMIC_INCL(ifs->ifs_nat_stats.ns_mapped[0]); + ifs->ifs_nat_stats.ns_mapped[0]++; fin->fin_flx |= FI_NATED; if (np != NULL && np->in_tag.ipt_num[0] != 0) fin->fin_nattag = &np->in_tag; @@ -4837,7 +4848,7 @@ ipf_stack_t *ifs; /* ------------------------------------------------------------------------ */ /* Function: fr_ipnatderef */ /* Returns: Nil */ -/* Parameters: isp(I) - pointer to pointer to NAT rule */ +/* Parameters: inp(I) - pointer to pointer to NAT rule */ /* Write Locks: ipf_nat */ /* */ /* ------------------------------------------------------------------------ */ 
@@ -4849,7 +4860,6 @@ ipf_stack_t *ifs; in = *inp; *inp = NULL; - in->in_space++; in->in_use--; if (in->in_use == 0 && (in->in_flags & IPN_DELETE)) { if (in->in_apr) diff --git a/usr/src/uts/common/inet/ipf/ip_state.c b/usr/src/uts/common/inet/ipf/ip_state.c index cbeb2a47d6..b33b7a2b84 100644 --- a/usr/src/uts/common/inet/ipf/ip_state.c +++ b/usr/src/uts/common/inet/ipf/ip_state.c @@ -688,6 +688,7 @@ ipf_stack_t *ifs; fr->fr_ref = 0; fr->fr_dsize = 0; fr->fr_data = NULL; + fr->fr_type = FR_T_NONE; fr_resolvedest(&fr->fr_tif, fr->fr_v, ifs); fr_resolvedest(&fr->fr_dif, fr->fr_v, ifs); diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h index 5859bfa419..dbdbaef7e9 100644 --- a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h +++ b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h @@ -240,13 +240,13 @@ typedef struct fr_ip { /* * For use in fi_flx */ -#define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/ -#define FI_OPTIONS 0x0002 +#define FI_MULTICAST 0x0001 +#define FI_BROADCAST 0x0002 #define FI_FRAG 0x0004 #define FI_SHORT 0x0008 #define FI_NATED 0x0010 -#define FI_MULTICAST 0x0020 -#define FI_BROADCAST 0x0040 +#define FI_TCPUDP 0x0020 /* TCP/UCP implied comparison*/ +#define FI_OPTIONS 0x0040 #define FI_MBCAST 0x0080 #define FI_STATE 0x0100 #define FI_BADNAT 0x0200 diff --git a/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h b/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h index 002fb091f4..23f291c866 100644 --- a/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h +++ b/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h @@ -44,7 +44,6 @@ struct ipf_stack { netstack_t *ifs_netstack; /* ipf module */ - fr_info_t ifs_frcache[2][8]; filterstats_t ifs_frstats[2]; frentry_t *ifs_ipfilter[2][2]; @@ -91,7 +90,6 @@ struct ipf_stack { ipfmutex_t ifs_ipf_timeoutlock; ipfrwlock_t ifs_ipf_mutex; ipfrwlock_t ifs_ipf_global; - ipfrwlock_t ifs_ipf_frcache; ipfrwlock_t ifs_ip_poolrw; ipfrwlock_t ifs_ipf_frag; ipfrwlock_t ifs_ipf_state; 
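Review bot: In ip_fil.h, swapping the bit values of FI_TCPUDP/FI_OPTIONS with FI_MULTICAST/FI_BROADCAST changes the meaning of four fi_flx/fin_flx bits without any comment saying why; as far as this commit shows, the reason is that ipf_hook4/ipf_hook6 now copy HPE_MULTICAST/HPE_BROADCAST straight into qpi_flags, so these values must match the hook framework's. That dependency should be recorded on the definitions, e.g. `/* FI_MULTICAST/FI_BROADCAST must equal HPE_MULTICAST/HPE_BROADCAST: ip_fil_solaris.c copies hpe_flags into qpi_flags */`. Any consumer that persists or exports fi_flx (state-table save/restore, ipfstat, a userland build against the old header) would now decode these bits differently — confirm no such path exists or that the tools are rebuilt with this header.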
@@ -110,11 +108,15 @@ struct ipf_stack { ipftuneable_t *ifs_ipf_tunelist; /* ip_fil_solaris.c */ - hook_t ifs_ipfhook_in; - hook_t ifs_ipfhook_out; - hook_t ifs_ipfhook_loop_in; - hook_t ifs_ipfhook_loop_out; - hook_t ifs_ipfhook_nicevents; + hook_t ifs_ipfhook4_in; + hook_t ifs_ipfhook4_out; + hook_t ifs_ipfhook4_loop_in; + hook_t ifs_ipfhook4_loop_out; + hook_t ifs_ipfhook6_in; + hook_t ifs_ipfhook6_out; + hook_t ifs_ipfhook6_loop_in; + hook_t ifs_ipfhook6_loop_out; + hook_t ifs_ipfhook_nicevents; /* flags to indicate whether hooks are registered. */ boolean_t ifs_hook4_physical_in; diff --git a/usr/src/uts/common/inet/ipf/solaris.c b/usr/src/uts/common/inet/ipf/solaris.c index 671c6303d6..a48a3250cf 100644 --- a/usr/src/uts/common/inet/ipf/solaris.c +++ b/usr/src/uts/common/inet/ipf/solaris.c @@ -384,7 +384,6 @@ ipf_stack_init(netstackid_t stackid, netstack_t *ns) */ RWLOCK_INIT(&ifs->ifs_ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ifs->ifs_ipf_mutex, "ipf filter rwlock"); - RWLOCK_INIT(&ifs->ifs_ipf_frcache, "ipf cache rwlock"); #ifdef KERNEL ipf_kstat_init(ifs, stackid); #endif @@ -494,7 +493,6 @@ ipf_stack_fini(netstackid_t stackid, void *arg) RWLOCK_EXIT(&ifs->ifs_ipf_global); RW_DESTROY(&ifs->ifs_ipf_mutex); - RW_DESTROY(&ifs->ifs_ipf_frcache); RW_DESTROY(&ifs->ifs_ipf_global); KFREE(ifs); |