Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/ipf/tools/ip_fil.c2
-rw-r--r--usr/src/cmd/ipf/tools/ipftest.c2
-rw-r--r--usr/src/uts/common/inet/ipf/fil.c130
-rw-r--r--usr/src/uts/common/inet/ipf/ip_fil_solaris.c196
-rw-r--r--usr/src/uts/common/inet/ipf/ip_nat.c52
-rw-r--r--usr/src/uts/common/inet/ipf/ip_state.c1
-rw-r--r--usr/src/uts/common/inet/ipf/netinet/ip_fil.h8
-rw-r--r--usr/src/uts/common/inet/ipf/netinet/ipf_stack.h16
-rw-r--r--usr/src/uts/common/inet/ipf/solaris.c2
9 files changed, 222 insertions, 187 deletions
diff --git a/usr/src/cmd/ipf/tools/ip_fil.c b/usr/src/cmd/ipf/tools/ip_fil.c
index daf170f41d..52fa867504 100644
--- a/usr/src/cmd/ipf/tools/ip_fil.c
+++ b/usr/src/cmd/ipf/tools/ip_fil.c
@@ -362,8 +362,6 @@ int mode;
if (!(mode & FWRITE))
error = EPERM;
else {
- bzero((char *)ifs->ifs_frcache,
- sizeof(ifs->ifs_frcache[0]) * 2);
*(u_int *)data = ifs->ifs_fr_active;
ifs->ifs_fr_active = 1 - ifs->ifs_fr_active;
}
diff --git a/usr/src/cmd/ipf/tools/ipftest.c b/usr/src/cmd/ipf/tools/ipftest.c
index 37b47b6dbe..4463e132de 100644
--- a/usr/src/cmd/ipf/tools/ipftest.c
+++ b/usr/src/cmd/ipf/tools/ipftest.c
@@ -109,13 +109,11 @@ char *argv[];
#endif
ipftuneable_alloc(ifs);
- bzero((char *)ifs->ifs_frcache, sizeof(ifs->ifs_frcache));
MUTEX_INIT(&ifs->ifs_ipf_rw, "ipf rw mutex");
MUTEX_INIT(&ifs->ifs_ipf_timeoutlock, "ipf timeout lock");
RWLOCK_INIT(&ifs->ifs_ipf_global, "ipf filter load/unload mutex");
RWLOCK_INIT(&ifs->ifs_ipf_mutex, "ipf filter rwlock");
RWLOCK_INIT(&ifs->ifs_ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
- RWLOCK_INIT(&ifs->ifs_ipf_frcache, "ipf cache rwlock");
fr_loginit(ifs);
fr_authinit(ifs);
diff --git a/usr/src/uts/common/inet/ipf/fil.c b/usr/src/uts/common/inet/ipf/fil.c
index f8c8050062..f38a3a23a2 100644
--- a/usr/src/uts/common/inet/ipf/fil.c
+++ b/usr/src/uts/common/inet/ipf/fil.c
@@ -189,6 +189,9 @@ int fr_features = 0
#endif
;
+#define IPF_BUMP(x) (x)++
+
+static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));
static int fr_portcheck __P((frpcmp_t *, u_short *));
static int frflushlist __P((int, minor_t, int *, frentry_t **,
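Review bot: The added `static INLINE int fr_ipfcheck __P((fr_info_t *, frentry_t *, int));` prototype sits directly above an identical existing one, so one of the two is redundant and should be dropped. `IPF_BUMP(x)` expands to a plain `(x)++`, which is not an atomic read-modify-write; the later hunks in this file replace every `ATOMIC_INCL`/`ATOMIC_INC64` with it, so counters such as `fr_hits` and `ifs_frstats[]` can lose updates when packets are processed concurrently, and a 64-bit `fr_hits` may be read torn on 32-bit kernels. If approximate statistics are the intended trade-off, say so at the definition, e.g. `/* Statistics only: deliberately non-atomic, counts may be slightly low under contention. */`, and parenthesise the expansion as `#define IPF_BUMP(x) ((x)++)`. ip_nat.c uses a bare `ns_mapped[...]++` for the same purpose; using the macro there would keep the intent searchable.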
@@ -1975,7 +1978,7 @@ u_32_t pass;
* it, except for increasing the hit counter.
*/
if ((passt & FR_CALLNOW) != 0) {
- ATOMIC_INC64(fr->fr_hits);
+ IPF_BUMP(fr->fr_hits);
if ((fr->fr_func != NULL) &&
(fr->fr_func != (ipfunc_t)-1)) {
frentry_t *frs;
@@ -2004,9 +2007,9 @@ u_32_t pass;
passt &= ~FR_CMDMASK;
passt |= FR_BLOCK|FR_QUICK;
}
- ATOMIC_INCL(ifs->ifs_frstats[fin->fin_out].fr_skip);
+ IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_skip);
}
- ATOMIC_INCL(ifs->ifs_frstats[fin->fin_out].fr_pkl);
+ IPF_BUMP(ifs->ifs_frstats[fin->fin_out].fr_pkl);
logged = 1;
}
#endif /* IPFILTER_LOG */
@@ -2019,7 +2022,7 @@ u_32_t pass;
if (passt & (FR_RETICMP|FR_FAKEICMP))
fin->fin_icode = fr->fr_icode;
FR_DEBUG(("pass %#x\n", pass));
- ATOMIC_INC64(fr->fr_hits);
+ IPF_BUMP(fr->fr_hits);
fin->fin_rule = rulen;
(void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
if (fr->fr_grp != NULL) {
@@ -2048,9 +2051,9 @@ u_32_t pass;
int out = fin->fin_out;
if (fr_addstate(fin, NULL, 0) != NULL) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_ads);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
} else {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_bads);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
pass = passo;
continue;
}
@@ -2101,7 +2104,7 @@ u_32_t *passp;
fin->fin_fr = fr;
pass = fr_scanlist(fin, FR_NOMATCH);
if (FR_ISACCOUNT(pass)) {
- ATOMIC_INCL(ifs->ifs_frstats[0].fr_acct);
+ IPF_BUMP(ifs->ifs_frstats[0].fr_acct);
}
fin->fin_fr = frsave;
bcopy(group, fin->fin_group, FR_GROUPLEN);
@@ -2129,7 +2132,6 @@ fr_info_t *fin;
u_32_t *passp;
{
frentry_t *fr;
- fr_info_t *fc;
u_32_t pass;
int out;
ipf_stack_t *ifs = fin->fin_ifs;
@@ -2137,48 +2139,19 @@ u_32_t *passp;
out = fin->fin_out;
pass = *passp;
- /*
- * If a packet is found in the auth table, then skip checking
- * the access lists for permission but we do need to consider
- * the result as if it were from the ACL's.
- */
- fc = &ifs->ifs_frcache[out][CACHE_HASH(fin)];
- READ_ENTER(&ifs->ifs_ipf_frcache);
- if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
- /*
- * copy cached data so we can unlock the mutexes earlier.
- */
- bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
- RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_chit);
-
- if ((fr = fin->fin_fr) != NULL) {
- ATOMIC_INC64(fr->fr_hits);
- pass = fr->fr_flags;
- }
- } else {
- RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
-
#ifdef USE_INET6
- if (fin->fin_v == 6)
- fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active];
- else
+ if (fin->fin_v == 6)
+ fin->fin_fr = ifs->ifs_ipfilter6[out][ifs->ifs_fr_active];
+ else
#endif
- fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active];
- if (fin->fin_fr != NULL)
- pass = fr_scanlist(fin, ifs->ifs_fr_pass);
+ fin->fin_fr = ifs->ifs_ipfilter[out][ifs->ifs_fr_active];
+ if (fin->fin_fr != NULL)
+ pass = fr_scanlist(fin, ifs->ifs_fr_pass);
- if (((pass & FR_KEEPSTATE) == 0) &&
- ((fin->fin_flx & FI_DONTCACHE) == 0)) {
- WRITE_ENTER(&ifs->ifs_ipf_frcache);
- bcopy((char *)fin, (char *)fc, FI_COPYSIZE);
- RWLOCK_EXIT(&ifs->ifs_ipf_frcache);
- }
- if ((pass & FR_NOMATCH)) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_nom);
- }
- fr = fin->fin_fr;
+ if ((pass & FR_NOMATCH)) {
+ IPF_BUMP(ifs->ifs_frstats[out].fr_nom);
}
+ fr = fin->fin_fr;
/*
* Apply packets per second rate-limiting to a rule as required.
@@ -2187,7 +2160,7 @@ u_32_t *passp;
!ppsratecheck(&fr->fr_lastpkt, &fr->fr_curpps, fr->fr_pps)) {
pass &= ~(FR_CMDMASK|FR_DUP|FR_RETICMP|FR_RETRST);
pass |= FR_BLOCK;
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_ppshit);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_ppshit);
}
/*
@@ -2229,12 +2202,12 @@ u_32_t *passp;
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (fin->fin_flx & FI_FRAG) {
if (fr_newfrag(fin, pass) == -1) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_bnfr);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_bnfr);
} else {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_nfr);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_nfr);
}
} else {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_cfr);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_cfr);
}
}
@@ -2243,9 +2216,9 @@ u_32_t *passp;
*/
if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
if (fr_addstate(fin, NULL, 0) != NULL) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_ads);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_ads);
} else {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_bads);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_bads);
if (FR_ISPASS(pass)) {
pass &= ~FR_CMDMASK;
pass |= FR_BLOCK;
@@ -2341,10 +2314,8 @@ ipf_stack_t *ifs;
return 2;
# endif
- READ_ENTER(&ifs->ifs_ipf_global);
if (ifs->ifs_fr_running <= 0) {
- RWLOCK_EXIT(&ifs->ifs_ipf_global);
return 0;
}
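Review bot: With `READ_ENTER(&ifs->ifs_ipf_global)` removed, `ifs_fr_running` is tested and the rest of the packet path runs without the lock that `ipf_stack_fini` releases just before it destroys the rwlocks and calls `KFREE(ifs)`. Nothing visible in this diff shows what now keeps a packet from being inside this function while the stack instance is torn down; presumably hook unregistration drains in-flight callbacks, but that should be confirmed. A comment at this check stating the invariant would help, for example `/* ifs_ipf_global is not taken here: hooks are unregistered, and in-flight calls drained, before ifs is freed. */`. The function body starts and ends outside this hunk, and the matching lock removals are in the later hunks of the same function.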
@@ -2391,7 +2362,6 @@ ipf_stack_t *ifs;
# endif /* CSUM_DELAY_DATA */
# endif /* MENTAT */
#else
- READ_ENTER(&ifs->ifs_ipf_global);
bzero((char *)fin, sizeof(*fin));
m = *mp;
@@ -2413,7 +2383,7 @@ ipf_stack_t *ifs;
#ifdef USE_INET6
if (v == 6) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_ipv6);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_ipv6);
/*
* Jumbo grams are quite likely too big for internal buffer
* structures to handle comfortably, for now, so just drop
@@ -2454,12 +2424,12 @@ ipf_stack_t *ifs;
if (v == 4) {
#ifdef _KERNEL
if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
- ATOMIC_INCL(ifs->ifs_frstats[0].fr_badsrc);
+ IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
fin->fin_flx |= FI_BADSRC;
}
#endif
if (fin->fin_ip->ip_ttl < ifs->ifs_fr_minttl) {
- ATOMIC_INCL(ifs->ifs_frstats[0].fr_badttl);
+ IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
fin->fin_flx |= FI_LOWTTL;
}
}
@@ -2468,12 +2438,12 @@ ipf_stack_t *ifs;
ip6 = (ip6_t *)ip;
#ifdef _KERNEL
if (ifs->ifs_fr_chksrc && !fr_verifysrc(fin)) {
- ATOMIC_INCL(ifs->ifs_frstats[0].fr_badsrc);
+ IPF_BUMP(ifs->ifs_frstats[0].fr_badsrc);
fin->fin_flx |= FI_BADSRC;
}
#endif
if (ip6->ip6_hlim < ifs->ifs_fr_minttl) {
- ATOMIC_INCL(ifs->ifs_frstats[0].fr_badttl);
+ IPF_BUMP(ifs->ifs_frstats[0].fr_badttl);
fin->fin_flx |= FI_LOWTTL;
}
}
@@ -2481,7 +2451,7 @@ ipf_stack_t *ifs;
}
if (fin->fin_flx & FI_SHORT) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_short);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_short);
}
READ_ENTER(&ifs->ifs_ipf_mutex);
@@ -2526,11 +2496,11 @@ ipf_stack_t *ifs;
goto finished;
} else if ((ifs->ifs_fr_update_ipid != 0) && (v == 4)) {
if (fr_updateipid(fin) == -1) {
- ATOMIC_INCL(ifs->ifs_frstats[1].fr_ipud);
+ IPF_BUMP(ifs->ifs_frstats[1].fr_ipud);
pass &= ~FR_CMDMASK;
pass |= FR_BLOCK;
} else {
- ATOMIC_INCL(ifs->ifs_frstats[0].fr_ipud);
+ IPF_BUMP(ifs->ifs_frstats[0].fr_ipud);
}
}
}
@@ -2575,11 +2545,11 @@ ipf_stack_t *ifs;
else
dst = 0;
(void) fr_send_icmp_err(ICMP_UNREACH, fin, dst);
- ATOMIC_INCL(ifs->ifs_frstats[0].fr_ret);
+ IPF_BUMP(ifs->ifs_frstats[0].fr_ret);
} else if (((pass & FR_RETMASK) == FR_RETRST) &&
!(fin->fin_flx & FI_SHORT)) {
if (fr_send_reset(fin) == 0) {
- ATOMIC_INCL(ifs->ifs_frstats[1].fr_ret);
+ IPF_BUMP(ifs->ifs_frstats[1].fr_ret);
}
}
} else {
@@ -2632,13 +2602,13 @@ filtered:
finished:
if (!FR_ISPASS(pass)) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_block);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_block);
if (*mp != NULL) {
FREE_MB_T(*mp);
m = *mp = NULL;
}
} else {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_pass);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_pass);
#if defined(_KERNEL) && defined(__sgi)
if ((fin->fin_hbuf != NULL) &&
(mtod(fin->fin_m, struct ip *) != fin->fin_ip)) {
@@ -2648,7 +2618,6 @@ finished:
}
SPL_X(s);
- RWLOCK_EXIT(&ifs->ifs_ipf_global);
#ifdef _KERNEL
# if OpenBSD >= 200311
@@ -2716,22 +2685,22 @@ u_32_t *passp;
if ((ifs->ifs_fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
pass |= FF_LOGNOMATCH;
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_npkl);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_npkl);
goto logit;
} else if (((pass & FR_LOGMASK) == FR_LOGP) ||
(FR_ISPASS(pass) && (ifs->ifs_fr_flags & FF_LOGPASS))) {
if ((pass & FR_LOGMASK) != FR_LOGP)
pass |= FF_LOGPASS;
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_ppkl);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_ppkl);
goto logit;
} else if (((pass & FR_LOGMASK) == FR_LOGB) ||
(FR_ISBLOCK(pass) && (ifs->ifs_fr_flags & FF_LOGBLOCK))) {
if ((pass & FR_LOGMASK) != FR_LOGB)
pass |= FF_LOGBLOCK;
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_bpkl);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_bpkl);
logit:
if (ipflog(fin, pass) == -1) {
- ATOMIC_INCL(ifs->ifs_frstats[out].fr_skip);
+ IPF_BUMP(ifs->ifs_frstats[out].fr_skip);
/*
* If the "or-block" option has been used then
@@ -3432,7 +3401,6 @@ ipf_stack_t *ifs;
int flushed = 0, set;
WRITE_ENTER(&ifs->ifs_ipf_mutex);
- bzero((char *)&ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
set = ifs->ifs_fr_active;
if ((flags & FR_INACTIVE) == FR_INACTIVE)
@@ -4371,7 +4339,6 @@ ipf_stack_t *ifs;
fp->fr_cksum += *p;
WRITE_ENTER(&ifs->ifs_ipf_mutex);
- bzero((char *)&ifs->ifs_frcache, sizeof (ifs->ifs_frcache));
for (; (f = *ftail) != NULL; ftail = &f->fr_next) {
if ((fp->fr_cksum != f->fr_cksum) ||
@@ -4401,7 +4368,6 @@ ipf_stack_t *ifs;
* copied out into user space.
*/
bcopy((char *)f, (char *)fp, sizeof(*f));
- /* MUTEX_DOWNGRADE(&ipf_mutex); */
/*
* When we copy this rule back out, set the data
@@ -5144,12 +5110,15 @@ ipf_stack_t *ifs;
/*
* Is the operation here going to be a no-op ?
*/
- MUTEX_ENTER(&oifq->ifq_lock);
- if (oifq == nifq && *oifq->ifq_tail == tqe) {
- MUTEX_EXIT(&oifq->ifq_lock);
- return;
+ tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl;
+ if (oifq == nifq) {
+ if (tqe->tqe_next == NULL)
+ return;
+ if (tqe->tqe_next->tqe_die == tqe->tqe_die)
+ return;
}
+ MUTEX_ENTER(&oifq->ifq_lock);
/*
* Remove from the old queue
*/
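Review bot: The no-op test now reads `tqe->tqe_next` and dereferences `tqe->tqe_next->tqe_die` before `MUTEX_ENTER(&oifq->ifq_lock)`, so the queue links are examined without the lock that the removal code below takes to modify them. Unless every caller already holds a lock that serialises queue changes (not visible in this hunk), the next entry can be unlinked or freed between the two reads. `tqe_die` is also written before the lock is taken. Either state the locking assumption in the comment above the test, or take the lock first and release it on the early return, as below. The function starts and ends outside this hunk.

```c
	MUTEX_ENTER(&oifq->ifq_lock);
	tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl;
	if (oifq == nifq) {
		if ((tqe->tqe_next == NULL) ||
		    (tqe->tqe_next->tqe_die == tqe->tqe_die)) {
			MUTEX_EXIT(&oifq->ifq_lock);
			return;
		}
	}
	/* … unchanged: removal from the old queue … */
```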
@@ -5181,7 +5150,6 @@ ipf_stack_t *ifs;
/*
* Add to the bottom of the new queue
*/
- tqe->tqe_die = ifs->ifs_fr_ticks + nifq->ifq_ttl;
tqe->tqe_pnext = nifq->ifq_tail;
*nifq->ifq_tail = tqe;
nifq->ifq_tail = &tqe->tqe_next;
@@ -5859,7 +5827,7 @@ fr_info_t *fin;
#if defined(_KERNEL)
if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
- ATOMIC_INCL(ifs->ifs_fr_badcoalesces[fin->fin_out]);
+ IPF_BUMP(ifs->ifs_fr_badcoalesces[fin->fin_out]);
# ifdef MENTAT
FREE_MB_T(*fin->fin_mp);
# endif
diff --git a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c
index e44f0c6967..36f374d586 100644
--- a/usr/src/uts/common/inet/ipf/ip_fil_solaris.c
+++ b/usr/src/uts/common/inet/ipf/ip_fil_solaris.c
@@ -73,15 +73,24 @@ static int ipf_nic_event_v4 __P((hook_event_token_t, hook_data_t,
netstack_t *));
static int ipf_nic_event_v6 __P((hook_event_token_t, hook_data_t,
netstack_t *));
-static int ipf_hook_out __P((hook_event_token_t, hook_data_t,
+static int ipf_hook4_out __P((hook_event_token_t, hook_data_t,
netstack_t *));
-static int ipf_hook_in __P((hook_event_token_t, hook_data_t,
+static int ipf_hook4_in __P((hook_event_token_t, hook_data_t,
netstack_t *));
-static int ipf_hook_loop_out __P((hook_event_token_t, hook_data_t,
+static int ipf_hook4_loop_out __P((hook_event_token_t, hook_data_t,
netstack_t *));
-static int ipf_hook_loop_in __P((hook_event_token_t, hook_data_t,
+static int ipf_hook4_loop_in __P((hook_event_token_t, hook_data_t,
netstack_t *));
-static int ipf_hook __P((hook_data_t, int, int, netstack_t *));
+static int ipf_hook4 __P((hook_data_t, int, int, netstack_t *));
+static int ipf_hook6_out __P((hook_event_token_t, hook_data_t,
+ netstack_t *));
+static int ipf_hook6_in __P((hook_event_token_t, hook_data_t,
+ netstack_t *));
+static int ipf_hook6_loop_out __P((hook_event_token_t, hook_data_t,
+ netstack_t *));
+static int ipf_hook6_loop_in __P((hook_event_token_t, hook_data_t,
+ netstack_t *));
+static int ipf_hook6 __P((hook_data_t, int, int, netstack_t *));
extern int ipf_geniter __P((ipftoken_t *, ipfgeniter_t *, ipf_stack_t *));
extern int ipf_frruleiter __P((void *, int, void *, ipf_stack_t *));
@@ -146,12 +155,12 @@ ipf_stack_t *ifs;
if (ifs->ifs_ipf_ipv6 != NULL) {
if (ifs->ifs_hook6_physical_in) {
ifs->ifs_hook6_physical_in = (net_unregister_hook(ifs->ifs_ipf_ipv6,
- NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) != 0);
+ NH_PHYSICAL_IN, &ifs->ifs_ipfhook6_in) != 0);
}
if (ifs->ifs_hook6_physical_out) {
ifs->ifs_hook6_physical_out =
(net_unregister_hook(ifs->ifs_ipf_ipv6,
- NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) != 0);
+ NH_PHYSICAL_OUT, &ifs->ifs_ipfhook6_out) != 0);
}
if (ifs->ifs_hook6_nic_events) {
ifs->ifs_hook6_nic_events =
@@ -161,12 +170,12 @@ ipf_stack_t *ifs;
if (ifs->ifs_hook6_loopback_in) {
ifs->ifs_hook6_loopback_in =
(net_unregister_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) != 0);
}
if (ifs->ifs_hook6_loopback_out) {
ifs->ifs_hook6_loopback_out =
(net_unregister_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) != 0);
}
if (net_release(ifs->ifs_ipf_ipv6) != 0)
@@ -181,12 +190,12 @@ ipf_stack_t *ifs;
if (ifs->ifs_hook4_physical_in) {
ifs->ifs_hook4_physical_in =
(net_unregister_hook(ifs->ifs_ipf_ipv4,
- NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) != 0);
+ NH_PHYSICAL_IN, &ifs->ifs_ipfhook4_in) != 0);
}
if (ifs->ifs_hook4_physical_out) {
ifs->ifs_hook4_physical_out =
(net_unregister_hook(ifs->ifs_ipf_ipv4,
- NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) != 0);
+ NH_PHYSICAL_OUT, &ifs->ifs_ipfhook4_out) != 0);
}
if (ifs->ifs_hook4_nic_events) {
ifs->ifs_hook4_nic_events =
@@ -196,12 +205,12 @@ ipf_stack_t *ifs;
if (ifs->ifs_hook4_loopback_in) {
ifs->ifs_hook4_loopback_in =
(net_unregister_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) != 0);
}
if (ifs->ifs_hook4_loopback_out) {
ifs->ifs_hook4_loopback_out =
(net_unregister_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) != 0);
}
if (net_release(ifs->ifs_ipf_ipv4) != 0)
@@ -267,7 +276,6 @@ netstack_t *ns;
ifs->ifs_fr_pass = (IPF_DEFAULT_PASS)|FR_NOMATCH;
#endif
- bzero((char *)ifs->ifs_frcache, sizeof(ifs->ifs_frcache));
MUTEX_INIT(&ifs->ifs_ipf_rw, "ipf rw mutex");
MUTEX_INIT(&ifs->ifs_ipf_timeoutlock, "ipf timeout lock mutex");
RWLOCK_INIT(&ifs->ifs_ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
@@ -279,11 +287,11 @@ netstack_t *ns;
HOOK_INIT(&ifs->ifs_ipfhook_nicevents, ipf_nic_event_v4,
"ipfilter_hook_nicevents");
- HOOK_INIT(&ifs->ifs_ipfhook_in, ipf_hook_in, "ipfilter_hook_in");
- HOOK_INIT(&ifs->ifs_ipfhook_out, ipf_hook_out, "ipfilter_hook_out");
- HOOK_INIT(&ifs->ifs_ipfhook_loop_in, ipf_hook_in,
+ HOOK_INIT(&ifs->ifs_ipfhook4_in, ipf_hook4_in, "ipfilter_hook_in");
+ HOOK_INIT(&ifs->ifs_ipfhook4_out, ipf_hook4_out, "ipfilter_hook_out");
+ HOOK_INIT(&ifs->ifs_ipfhook4_loop_in, ipf_hook4_in,
"ipfilter_hook_loop_in");
- HOOK_INIT(&ifs->ifs_ipfhook_loop_out, ipf_hook_out,
+ HOOK_INIT(&ifs->ifs_ipfhook4_loop_out, ipf_hook4_out,
"ipfilter_hook_loop_out");
/*
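Review bot: The loopback hooks are initialised with the non-loopback callbacks: `ifs_ipfhook4_loop_in` gets `ipf_hook4_in` and `ifs_ipfhook4_loop_out` gets `ipf_hook4_out`, so the `ipf_hook4_loop_in`/`ipf_hook4_loop_out` wrappers that pass `FI_NOCKSUM` are never registered. The same pairing is repeated for the new IPv6 hooks in the later hunk (`ifs_ipfhook6_loop_in` with `ipf_hook6_in`, `ifs_ipfhook6_loop_out` with `ipf_hook6_out`). The removed lines show the old code had the same pairing, but since this commit renames all four it is the natural place to correct it: `HOOK_INIT(&ifs->ifs_ipfhook4_loop_in, ipf_hook4_loop_in,` and `HOOK_INIT(&ifs->ifs_ipfhook4_loop_out, ipf_hook4_loop_out,`, likewise for the `6` variants. As written, loopback traffic appears to reach the filter without `FI_NOCKSUM`, so checksum handling on loopback should be verified.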
@@ -307,25 +315,25 @@ netstack_t *ns;
goto hookup_failed;
ifs->ifs_hook4_physical_in = (net_register_hook(ifs->ifs_ipf_ipv4,
- NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) == 0);
+ NH_PHYSICAL_IN, &ifs->ifs_ipfhook4_in) == 0);
if (!ifs->ifs_hook4_physical_in)
goto hookup_failed;
ifs->ifs_hook4_physical_out = (net_register_hook(ifs->ifs_ipf_ipv4,
- NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) == 0);
+ NH_PHYSICAL_OUT, &ifs->ifs_ipfhook4_out) == 0);
if (!ifs->ifs_hook4_physical_out)
goto hookup_failed;
if (ifs->ifs_ipf_loopback) {
ifs->ifs_hook4_loopback_in =
(net_register_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) == 0);
if (!ifs->ifs_hook4_loopback_in)
goto hookup_failed;
ifs->ifs_hook4_loopback_out =
(net_register_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) == 0);
if (!ifs->ifs_hook4_loopback_out)
goto hookup_failed;
}
@@ -336,6 +344,13 @@ netstack_t *ns;
if (ifs->ifs_ipf_ipv6 == NULL)
goto hookup_failed;
+ HOOK_INIT(&ifs->ifs_ipfhook6_in, ipf_hook6_in, "ipfilter_hook_in");
+ HOOK_INIT(&ifs->ifs_ipfhook6_out, ipf_hook6_out, "ipfilter_hook_out");
+ HOOK_INIT(&ifs->ifs_ipfhook6_loop_in, ipf_hook6_in,
+ "ipfilter_hook_loop_in");
+ HOOK_INIT(&ifs->ifs_ipfhook6_loop_out, ipf_hook6_out,
+ "ipfilter_hook_loop_out");
+
HOOK_INIT(&ifs->ifs_ipfhook_nicevents, ipf_nic_event_v6,
"ipfilter_hook_nicevents");
ifs->ifs_hook6_nic_events = (net_register_hook(ifs->ifs_ipf_ipv6,
@@ -344,25 +359,25 @@ netstack_t *ns;
goto hookup_failed;
ifs->ifs_hook6_physical_in = (net_register_hook(ifs->ifs_ipf_ipv6,
- NH_PHYSICAL_IN, &ifs->ifs_ipfhook_in) == 0);
+ NH_PHYSICAL_IN, &ifs->ifs_ipfhook6_in) == 0);
if (!ifs->ifs_hook6_physical_in)
goto hookup_failed;
ifs->ifs_hook6_physical_out = (net_register_hook(ifs->ifs_ipf_ipv6,
- NH_PHYSICAL_OUT, &ifs->ifs_ipfhook_out) == 0);
+ NH_PHYSICAL_OUT, &ifs->ifs_ipfhook6_out) == 0);
if (!ifs->ifs_hook6_physical_out)
goto hookup_failed;
if (ifs->ifs_ipf_loopback) {
ifs->ifs_hook6_loopback_in =
(net_register_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) == 0);
if (!ifs->ifs_hook6_loopback_in)
goto hookup_failed;
ifs->ifs_hook6_loopback_out =
(net_register_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) == 0);
if (!ifs->ifs_hook6_loopback_out)
goto hookup_failed;
}
@@ -442,25 +457,25 @@ ipf_stack_t *ifs;
ifs->ifs_hook4_loopback_in =
(net_register_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) == 0);
if (!ifs->ifs_hook4_loopback_in)
return EINVAL;
ifs->ifs_hook4_loopback_out =
(net_register_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) == 0);
if (!ifs->ifs_hook4_loopback_out)
return EINVAL;
ifs->ifs_hook6_loopback_in =
(net_register_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) == 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) == 0);
if (!ifs->ifs_hook6_loopback_in)
return EINVAL;
ifs->ifs_hook6_loopback_out =
(net_register_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) == 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) == 0);
if (!ifs->ifs_hook6_loopback_out)
return EINVAL;
@@ -469,25 +484,25 @@ ipf_stack_t *ifs;
ifs->ifs_hook4_loopback_in =
(net_unregister_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook4_loop_in) != 0);
if (ifs->ifs_hook4_loopback_in)
return EBUSY;
ifs->ifs_hook4_loopback_out =
(net_unregister_hook(ifs->ifs_ipf_ipv4,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook4_loop_out) != 0);
if (ifs->ifs_hook4_loopback_out)
return EBUSY;
ifs->ifs_hook6_loopback_in =
(net_unregister_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_IN, &ifs->ifs_ipfhook_loop_in) != 0);
+ NH_LOOPBACK_IN, &ifs->ifs_ipfhook6_loop_in) != 0);
if (ifs->ifs_hook6_loopback_in)
return EBUSY;
ifs->ifs_hook6_loopback_out =
(net_unregister_hook(ifs->ifs_ipf_ipv6,
- NH_LOOPBACK_OUT, &ifs->ifs_ipfhook_loop_out) != 0);
+ NH_LOOPBACK_OUT, &ifs->ifs_ipfhook6_loop_out) != 0);
if (ifs->ifs_hook6_loopback_out)
return EBUSY;
}
@@ -633,9 +648,6 @@ int *rp;
error = EPERM;
else {
WRITE_ENTER(&ifs->ifs_ipf_mutex);
- /* Clear one fourth of the table */
- bzero((char *)&ifs->ifs_frcache,
- sizeof (ifs->ifs_frcache[0]) * 2);
error = COPYOUT((caddr_t)&ifs->ifs_fr_active,
(caddr_t)data,
sizeof(ifs->ifs_fr_active));
@@ -1829,9 +1841,14 @@ bad_fastroute:
/* Calling ipf_hook. */
/* ------------------------------------------------------------------------ */
/*ARGSUSED*/
-int ipf_hook_out(hook_event_token_t token, hook_data_t info, netstack_t *ns)
+int ipf_hook4_out(hook_event_token_t token, hook_data_t info, netstack_t *ns)
{
- return ipf_hook(info, 1, 0, ns);
+ return ipf_hook4(info, 1, 0, ns);
+}
+/*ARGSUSED*/
+int ipf_hook6_out(hook_event_token_t token, hook_data_t info, netstack_t *ns)
+{
+ return ipf_hook6(info, 1, 0, ns);
}
/* ------------------------------------------------------------------------ */
@@ -1843,9 +1860,14 @@ int ipf_hook_out(hook_event_token_t token, hook_data_t info, netstack_t *ns)
/* Calling ipf_hook. */
/* ------------------------------------------------------------------------ */
/*ARGSUSED*/
-int ipf_hook_in(hook_event_token_t token, hook_data_t info, netstack_t *ns)
+int ipf_hook4_in(hook_event_token_t token, hook_data_t info, netstack_t *ns)
{
- return ipf_hook(info, 0, 0, ns);
+ return ipf_hook4(info, 0, 0, ns);
+}
+/*ARGSUSED*/
+int ipf_hook6_in(hook_event_token_t token, hook_data_t info, netstack_t *ns)
+{
+ return ipf_hook6(info, 0, 0, ns);
}
@@ -1858,10 +1880,16 @@ int ipf_hook_in(hook_event_token_t token, hook_data_t info, netstack_t *ns)
/* Calling ipf_hook. */
/* ------------------------------------------------------------------------ */
/*ARGSUSED*/
-int ipf_hook_loop_out(hook_event_token_t token, hook_data_t info,
+int ipf_hook4_loop_out(hook_event_token_t token, hook_data_t info,
+ netstack_t *ns)
+{
+ return ipf_hook4(info, 1, FI_NOCKSUM, ns);
+}
+/*ARGSUSED*/
+int ipf_hook6_loop_out(hook_event_token_t token, hook_data_t info,
netstack_t *ns)
{
- return ipf_hook(info, 1, 1, ns);
+ return ipf_hook6(info, 1, FI_NOCKSUM, ns);
}
/* ------------------------------------------------------------------------ */
@@ -1873,10 +1901,16 @@ int ipf_hook_loop_out(hook_event_token_t token, hook_data_t info,
/* Calling ipf_hook. */
/* ------------------------------------------------------------------------ */
/*ARGSUSED*/
-int ipf_hook_loop_in(hook_event_token_t token, hook_data_t info,
+int ipf_hook4_loop_in(hook_event_token_t token, hook_data_t info,
+ netstack_t *ns)
+{
+ return ipf_hook4(info, 0, FI_NOCKSUM, ns);
+}
+/*ARGSUSED*/
+int ipf_hook6_loop_in(hook_event_token_t token, hook_data_t info,
netstack_t *ns)
{
- return ipf_hook(info, 0, 1, ns);
+ return ipf_hook6(info, 0, FI_NOCKSUM, ns);
}
/* ------------------------------------------------------------------------ */
@@ -1890,10 +1924,10 @@ int ipf_hook_loop_in(hook_event_token_t token, hook_data_t info,
/* parameters out of the info structure and forms them up to be useful for */
/* calling ipfilter. */
/* ------------------------------------------------------------------------ */
-int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns)
+int ipf_hook4(hook_data_t info, int out, int loopback, netstack_t *ns)
{
hook_pkt_event_t *fw;
- int rval, v, hlen;
+ int rval, hlen;
qpktinfo_t qpi;
u_short swap;
phy_if_t phy;
@@ -1905,30 +1939,20 @@ int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns)
phy = (out == 0) ? fw->hpe_ifp : fw->hpe_ofp;
ip = fw->hpe_hdr;
- v = ip->ip_v;
- if (v == IPV4_VERSION) {
- swap = ntohs(ip->ip_len);
- ip->ip_len = swap;
- swap = ntohs(ip->ip_off);
- ip->ip_off = swap;
-
- hlen = IPH_HDR_LENGTH(ip);
- } else
- hlen = sizeof (ip6_t);
-
- bzero(&qpi, sizeof (qpktinfo_t));
+ swap = ntohs(ip->ip_len);
+ ip->ip_len = swap;
+ swap = ntohs(ip->ip_off);
+ ip->ip_off = swap;
+ hlen = IPH_HDR_LENGTH(ip);
qpi.qpi_m = fw->hpe_mb;
qpi.qpi_data = fw->hpe_hdr;
qpi.qpi_off = (char *)qpi.qpi_data - (char *)fw->hpe_mb->b_rptr;
qpi.qpi_ill = (void *)phy;
- qpi.qpi_flags = 0;
- if (fw->hpe_flags & HPE_MULTICAST)
- qpi.qpi_flags |= FI_MBCAST|FI_MULTICAST;
- else if (fw->hpe_flags & HPE_BROADCAST)
- qpi.qpi_flags = FI_MBCAST|FI_BROADCAST;
- if (loopback)
- qpi.qpi_flags |= FI_NOCKSUM;
+ qpi.qpi_flags = fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST);
+ if (qpi.qpi_flags)
+ qpi.qpi_flags |= FI_MBCAST;
+ qpi.qpi_flags |= loopback;
rval = fr_check(fw->hpe_hdr, hlen, qpi.qpi_ill, out,
&qpi, fw->hpe_mp, ns->netstack_ipf);
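Review bot: `qpi` is a stack variable and the `bzero(&qpi, sizeof (qpktinfo_t))` is dropped, so any member of `qpktinfo_t` other than the five assigned here (`qpi_m`, `qpi_data`, `qpi_off`, `qpi_ill`, `qpi_flags`) reaches `fr_check` holding whatever was on the kernel stack. The structure definition is not part of this diff, so confirm that no other member exists or is read; otherwise keep the zeroing, or declare it as `qpktinfo_t qpi = { 0 };`. The new `ipf_hook6` follows the same pattern. The `loopback` parameter is now OR-ed straight into `qpi_flags`, so it carries flag bits rather than a boolean and would read better as `flags`, with a comment saying that callers pass `0` or `FI_NOCKSUM`.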
@@ -1937,10 +1961,10 @@ int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns)
if (rval == 0 && *(fw->hpe_mp) == NULL)
rval = 1;
- /* Notify IP the packet mblk_t and IP header pointers. */
+ /* Notify IP the packet mblk_t and IP header pointers. */
fw->hpe_mb = qpi.qpi_m;
fw->hpe_hdr = qpi.qpi_data;
- if ((rval == 0) && (v == IPV4_VERSION)) {
+ if (rval == 0) {
ip = qpi.qpi_data;
swap = ntohs(ip->ip_len);
ip->ip_len = swap;
@@ -1950,6 +1974,42 @@ int ipf_hook(hook_data_t info, int out, int loopback, netstack_t *ns)
return rval;
}
+int ipf_hook6(hook_data_t info, int out, int loopback, netstack_t *ns)
+{
+ hook_pkt_event_t *fw;
+ int rval, hlen;
+ qpktinfo_t qpi;
+ phy_if_t phy;
+
+ fw = (hook_pkt_event_t *)info;
+
+ ASSERT(fw != NULL);
+ phy = (out == 0) ? fw->hpe_ifp : fw->hpe_ofp;
+
+ hlen = sizeof (ip6_t);
+
+ qpi.qpi_m = fw->hpe_mb;
+ qpi.qpi_data = fw->hpe_hdr;
+ qpi.qpi_off = (char *)qpi.qpi_data - (char *)fw->hpe_mb->b_rptr;
+ qpi.qpi_ill = (void *)phy;
+ qpi.qpi_flags = fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST);
+ if (qpi.qpi_flags)
+ qpi.qpi_flags |= FI_MBCAST;
+ qpi.qpi_flags |= loopback;
+
+ rval = fr_check(fw->hpe_hdr, hlen, qpi.qpi_ill, out,
+ &qpi, fw->hpe_mp, ns->netstack_ipf);
+
+ /* For fastroute cases, fr_check returns 0 with mp set to NULL */
+ if (rval == 0 && *(fw->hpe_mp) == NULL)
+ rval = 1;
+
+ /* Notify IP the packet mblk_t and IP header pointers. */
+ fw->hpe_mb = qpi.qpi_m;
+ fw->hpe_hdr = qpi.qpi_data;
+ return rval;
+
+}
/* ------------------------------------------------------------------------ */
diff --git a/usr/src/uts/common/inet/ipf/ip_nat.c b/usr/src/uts/common/inet/ipf/ip_nat.c
index e13fe79053..994a9eb034 100644
--- a/usr/src/uts/common/inet/ipf/ip_nat.c
+++ b/usr/src/uts/common/inet/ipf/ip_nat.c
@@ -3699,11 +3699,11 @@ int fr_checknatout(fin, passp)
fr_info_t *fin;
u_32_t *passp;
{
+ ipnat_t *np = NULL, *npnext;
struct ifnet *ifp, *sifp;
icmphdr_t *icmp = NULL;
tcphdr_t *tcp = NULL;
int rval, natfailed;
- ipnat_t *np = NULL;
u_int nflags = 0;
u_32_t ipa, iph;
int natadd = 1;
@@ -3769,15 +3769,13 @@ u_32_t *passp;
* If there is no current entry in the nat table for this IP#,
* create one for it (if there is a matching rule).
*/
- RWLOCK_EXIT(&ifs->ifs_ipf_nat);
msk = 0xffffffff;
nmsk = ifs->ifs_nat_masks;
- WRITE_ENTER(&ifs->ifs_ipf_nat);
maskloop:
iph = ipa & htonl(msk);
hv = NAT_HASH_FN(iph, 0, ifs->ifs_ipf_natrules_sz);
- for (np = ifs->ifs_nat_rules[hv]; np; np = np->in_mnext)
- {
+ for (np = ifs->ifs_nat_rules[hv]; np; np = npnext) {
+ npnext = np->in_mnext;
if ((np->in_ifps[1] && (np->in_ifps[1] != ifp)))
continue;
if (np->in_v != fin->fin_v)
@@ -3804,12 +3802,20 @@ maskloop:
continue;
}
- if ((nat = nat_new(fin, np, NULL, nflags,
- NAT_OUTBOUND))) {
+ ATOMIC_INC32(np->in_use);
+ RWLOCK_EXIT(&ifs->ifs_ipf_nat);
+ WRITE_ENTER(&ifs->ifs_ipf_nat);
+ nat = nat_new(fin, np, NULL, nflags, NAT_OUTBOUND);
+ if (nat != NULL) {
+ np->in_use--;
np->in_hits++;
+ MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
break;
- } else
- natfailed = -1;
+ }
+ natfailed = -1;
+ npnext = np->in_mnext;
+ fr_ipnatderef(&np, ifs);
+ MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
}
if ((np == NULL) && (nmsk != 0)) {
while (nmsk) {
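Review bot: Between `RWLOCK_EXIT` and `WRITE_ENTER` the NAT lock is not held, and the only thing pinning `np` is the `in_use` reference, so the rule can be flagged `IPN_DELETE` in that window and is still handed to `nat_new`. `fr_ipnatderef` shows that flagged rules are freed once `in_use` reaches zero, so a rule in that state should be skipped and released rather than used to create a new mapping; whether `nat_new` already rejects it is not visible here. The success path also drops the reference with a bare `np->in_use--`, bypassing that deletion check, which is only safe if `nat_new` takes its own reference. The identical sequence in `fr_checknatin` (the `NAT_INBOUND` hunk, using `in_rnext`) needs the same treatment. The loop and function continue outside this hunk.

```c
		ATOMIC_INC32(np->in_use);
		RWLOCK_EXIT(&ifs->ifs_ipf_nat);
		WRITE_ENTER(&ifs->ifs_ipf_nat);
		/* The rule may have been flagged for removal while unlocked. */
		if ((np->in_flags & IPN_DELETE) != 0) {
			npnext = np->in_mnext;
			fr_ipnatderef(&np, ifs);
			MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
			continue;
		}
		nat = nat_new(fin, np, NULL, nflags, NAT_OUTBOUND);
		/* … unchanged: success and failure handling … */
```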
@@ -3823,7 +3829,6 @@ maskloop:
goto maskloop;
}
}
- MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
}
if (nat != NULL) {
@@ -3986,7 +3991,7 @@ u_32_t nflags;
i = 1;
} else
i = 1;
- ATOMIC_INCL(ifs->ifs_nat_stats.ns_mapped[1]);
+ ifs->ifs_nat_stats.ns_mapped[1]++;
fin->fin_flx |= FI_NATED;
return i;
}
@@ -4012,13 +4017,13 @@ fr_info_t *fin;
u_32_t *passp;
{
u_int nflags, natadd;
+ ipnat_t *np, *npnext;
int rval, natfailed;
struct ifnet *ifp;
struct in_addr in;
icmphdr_t *icmp;
tcphdr_t *tcp;
u_short dport;
- ipnat_t *np;
nat_t *nat;
u_32_t iph;
ipf_stack_t *ifs = fin->fin_ifs;
@@ -4079,10 +4084,8 @@ u_32_t *passp;
} else {
u_32_t hv, msk, rmsk;
- RWLOCK_EXIT(&ifs->ifs_ipf_nat);
rmsk = ifs->ifs_rdr_masks;
msk = 0xffffffff;
- WRITE_ENTER(&ifs->ifs_ipf_nat);
/*
* If there is no current entry in the nat table for this IP#,
* create one for it (if there is a matching rule).
@@ -4090,7 +4093,8 @@ u_32_t *passp;
maskloop:
iph = in.s_addr & htonl(msk);
hv = NAT_HASH_FN(iph, 0, ifs->ifs_ipf_rdrrules_sz);
- for (np = ifs->ifs_rdr_rules[hv]; np; np = np->in_rnext) {
+ for (np = ifs->ifs_rdr_rules[hv]; np; np = npnext) {
+ npnext = np->in_rnext;
if (np->in_ifps[0] && (np->in_ifps[0] != ifp))
continue;
if (np->in_v != fin->fin_v)
@@ -4117,12 +4121,20 @@ maskloop:
}
}
+ ATOMIC_INC32(np->in_use);
+ RWLOCK_EXIT(&ifs->ifs_ipf_nat);
+ WRITE_ENTER(&ifs->ifs_ipf_nat);
nat = nat_new(fin, np, NULL, nflags, NAT_INBOUND);
if (nat != NULL) {
+ np->in_use--;
np->in_hits++;
+ MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
break;
- } else
- natfailed = -1;
+ }
+ natfailed = -1;
+ npnext = np->in_rnext;
+ fr_ipnatderef(&np, ifs);
+ MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
}
if ((np == NULL) && (rmsk != 0)) {
@@ -4137,7 +4149,6 @@ maskloop:
goto maskloop;
}
}
- MUTEX_DOWNGRADE(&ifs->ifs_ipf_nat);
}
if (nat != NULL) {
rval = fr_natin(fin, nat, natadd, nflags);
@@ -4303,7 +4314,7 @@ u_32_t nflags;
}
#endif
- ATOMIC_INCL(ifs->ifs_nat_stats.ns_mapped[0]);
+ ifs->ifs_nat_stats.ns_mapped[0]++;
fin->fin_flx |= FI_NATED;
if (np != NULL && np->in_tag.ipt_num[0] != 0)
fin->fin_nattag = &np->in_tag;
@@ -4837,7 +4848,7 @@ ipf_stack_t *ifs;
/* ------------------------------------------------------------------------ */
/* Function: fr_ipnatderef */
/* Returns: Nil */
-/* Parameters: isp(I) - pointer to pointer to NAT rule */
+/* Parameters: inp(I) - pointer to pointer to NAT rule */
/* Write Locks: ipf_nat */
/* */
/* ------------------------------------------------------------------------ */
@@ -4849,7 +4860,6 @@ ipf_stack_t *ifs;
in = *inp;
*inp = NULL;
- in->in_space++;
in->in_use--;
if (in->in_use == 0 && (in->in_flags & IPN_DELETE)) {
if (in->in_apr)
diff --git a/usr/src/uts/common/inet/ipf/ip_state.c b/usr/src/uts/common/inet/ipf/ip_state.c
index cbeb2a47d6..b33b7a2b84 100644
--- a/usr/src/uts/common/inet/ipf/ip_state.c
+++ b/usr/src/uts/common/inet/ipf/ip_state.c
@@ -688,6 +688,7 @@ ipf_stack_t *ifs;
fr->fr_ref = 0;
fr->fr_dsize = 0;
fr->fr_data = NULL;
+ fr->fr_type = FR_T_NONE;
fr_resolvedest(&fr->fr_tif, fr->fr_v, ifs);
fr_resolvedest(&fr->fr_dif, fr->fr_v, ifs);
diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
index 5859bfa419..dbdbaef7e9 100644
--- a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
+++ b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
@@ -240,13 +240,13 @@ typedef struct fr_ip {
/*
* For use in fi_flx
*/
-#define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/
-#define FI_OPTIONS 0x0002
+#define FI_MULTICAST 0x0001
+#define FI_BROADCAST 0x0002
#define FI_FRAG 0x0004
#define FI_SHORT 0x0008
#define FI_NATED 0x0010
-#define FI_MULTICAST 0x0020
-#define FI_BROADCAST 0x0040
+#define FI_TCPUDP 0x0020 /* TCP/UCP implied comparison*/
+#define FI_OPTIONS 0x0040
#define FI_MBCAST 0x0080
#define FI_STATE 0x0100
#define FI_BADNAT 0x0200
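Review bot: `FI_MULTICAST` and `FI_BROADCAST` move to 0x0001 and 0x0002, apparently so that `ipf_hook4`/`ipf_hook6` can copy `fw->hpe_flags & (HPE_MULTICAST|HPE_BROADCAST)` straight into `qpi_flags`, but nothing here records or enforces that the two sets of constants must stay equal. Add a comment on these two defines, e.g. `/* must equal HPE_MULTICAST */` and `/* must equal HPE_BROADCAST */`, and, assuming the `HPE_*` values are preprocessor constants, a guard such as `#if FI_MULTICAST != HPE_MULTICAST || FI_BROADCAST != HPE_BROADCAST` followed by `#error` at a point where both headers are included. The renumbering also changes the values of `FI_TCPUDP` and `FI_OPTIONS`, so if `fi_flx` bits cross the kernel/user boundary, the tools under `usr/src/cmd/ipf` and any saved rules must be rebuilt against this header together with the kernel module.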
diff --git a/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h b/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h
index 002fb091f4..23f291c866 100644
--- a/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h
+++ b/usr/src/uts/common/inet/ipf/netinet/ipf_stack.h
@@ -44,7 +44,6 @@ struct ipf_stack {
netstack_t *ifs_netstack;
/* ipf module */
- fr_info_t ifs_frcache[2][8];
filterstats_t ifs_frstats[2];
frentry_t *ifs_ipfilter[2][2];
@@ -91,7 +90,6 @@ struct ipf_stack {
ipfmutex_t ifs_ipf_timeoutlock;
ipfrwlock_t ifs_ipf_mutex;
ipfrwlock_t ifs_ipf_global;
- ipfrwlock_t ifs_ipf_frcache;
ipfrwlock_t ifs_ip_poolrw;
ipfrwlock_t ifs_ipf_frag;
ipfrwlock_t ifs_ipf_state;
@@ -110,11 +108,15 @@ struct ipf_stack {
ipftuneable_t *ifs_ipf_tunelist;
/* ip_fil_solaris.c */
- hook_t ifs_ipfhook_in;
- hook_t ifs_ipfhook_out;
- hook_t ifs_ipfhook_loop_in;
- hook_t ifs_ipfhook_loop_out;
- hook_t ifs_ipfhook_nicevents;
+ hook_t ifs_ipfhook4_in;
+ hook_t ifs_ipfhook4_out;
+ hook_t ifs_ipfhook4_loop_in;
+ hook_t ifs_ipfhook4_loop_out;
+ hook_t ifs_ipfhook6_in;
+ hook_t ifs_ipfhook6_out;
+ hook_t ifs_ipfhook6_loop_in;
+ hook_t ifs_ipfhook6_loop_out;
+ hook_t ifs_ipfhook_nicevents;
/* flags to indicate whether hooks are registered. */
boolean_t ifs_hook4_physical_in;
diff --git a/usr/src/uts/common/inet/ipf/solaris.c b/usr/src/uts/common/inet/ipf/solaris.c
index 671c6303d6..a48a3250cf 100644
--- a/usr/src/uts/common/inet/ipf/solaris.c
+++ b/usr/src/uts/common/inet/ipf/solaris.c
@@ -384,7 +384,6 @@ ipf_stack_init(netstackid_t stackid, netstack_t *ns)
*/
RWLOCK_INIT(&ifs->ifs_ipf_global, "ipf filter load/unload mutex");
RWLOCK_INIT(&ifs->ifs_ipf_mutex, "ipf filter rwlock");
- RWLOCK_INIT(&ifs->ifs_ipf_frcache, "ipf cache rwlock");
#ifdef KERNEL
ipf_kstat_init(ifs, stackid);
#endif
@@ -494,7 +493,6 @@ ipf_stack_fini(netstackid_t stackid, void *arg)
RWLOCK_EXIT(&ifs->ifs_ipf_global);
RW_DESTROY(&ifs->ifs_ipf_mutex);
- RW_DESTROY(&ifs->ifs_ipf_frcache);
RW_DESTROY(&ifs->ifs_ipf_global);
KFREE(ifs);