1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-29 12:03:03 +00:00
Mirror of the FreeBSD src repository https://git.FreeBSD.org/src.git .
Go to file
Andre Oppermann 9b932e9e04 Convert ipfw to use PFIL_HOOKS. This is change is transparent to userland
and preserves the ipfw ABI.  The ipfw core packet inspection and filtering
functions have not been changed, only how ipfw is invoked is different.

However there are many changes how ipfw is and its add-on's are handled:

 In general ipfw is now called through the PFIL_HOOKS and most associated
 magic, that was in ip_input() or ip_output() previously, is now done in
 ipfw_check_[in|out]() in the ipfw PFIL handler.

 IPDIVERT is entirely handled within the ipfw PFIL handlers.  A packet to
 be diverted is checked if it is fragmented, if yes, ip_reass() gets in for
 reassembly.  If not, or all fragments arrived and the packet is complete,
 divert_packet is called directly.  For 'tee' no reassembly attempt is made
 and a copy of the packet is sent to the divert socket unmodified.  The
 original packet continues its way through ip_input/output().

 ipfw 'forward' is done via m_tag's.  The ipfw PFIL handlers tag the packet
 with the new destination sockaddr_in.  A check if the new destination is a
 local IP address is made and the m_flags are set appropriately.  ip_input()
 and ip_output() have some more work to do here.  For ip_input() the m_flags
 are checked and a packet for us is directly sent to the 'ours' section for
 further processing.  Destination changes on the input path are only tagged
 and the 'srcrt' flag to ip_forward() is set to disable destination checks
 and ICMP replies at this stage.  The tag is going to be handled on output.
 ip_output() again checks for m_flags and the 'ours' tag.  If found, the
 packet will be dropped back to the IP netisr where it is going to be picked
 up by ip_input() again and the directly sent to the 'ours' section.  When
 only the destination changes, the route's 'dst' is overwritten with the
 new destination from the forward m_tag.  Then it jumps back at the route
 lookup again and skips the firewall check because it has been marked with
 M_SKIP_FIREWALL.  ipfw 'forward' has to be compiled into the kernel with
 'option IPFIREWALL_FORWARD' to enable it.

 DUMMYNET is entirely handled within the ipfw PFIL handlers.  A packet for
 a dummynet pipe or queue is directly sent to dummynet_io().  Dummynet will
 then inject it back into ip_input/ip_output() after it has served its time.
 Dummynet packets are tagged and will continue from the next rule when they
 hit the ipfw PFIL handlers again after re-injection.

 BRIDGING and IPFW_ETHER are not changed yet and use ipfw_chk() directly as
 they did before.  Later this will be changed to dedicated ETHER PFIL_HOOKS.

More detailed changes to the code:

 conf/files
	Add netinet/ip_fw_pfil.c.

 conf/options
	Add IPFIREWALL_FORWARD option.

 modules/ipfw/Makefile
	Add ip_fw_pfil.c.

 net/bridge.c
	Disable PFIL_HOOKS if ipfw for bridging is active.  Bridging ipfw
	is still directly invoked to handle layer2 headers and packets would
	get a double ipfw when run through PFIL_HOOKS as well.

 netinet/ip_divert.c
	Removed divert_clone() function.  It is no longer used.

 netinet/ip_dummynet.[ch]
	Neither the route 'ro' nor the destination 'dst' need to be stored
	while in dummynet transit.  Structure members and associated macros
	are removed.

 netinet/ip_fastfwd.c
	Removed all direct ipfw handling code and replace it with the new
	'ipfw forward' handling code.

 netinet/ip_fw.h
	Removed 'ro' and 'dst' from struct ip_fw_args.

 netinet/ip_fw2.c
	(Re)moved some global variables and the module handling.

 netinet/ip_fw_pfil.c
	New file containing the ipfw PFIL handlers and module initialization.

 netinet/ip_input.c
	Removed all direct ipfw handling code and replace it with the new
	'ipfw forward' handling code.  ip_forward() does not longer require
	the 'next_hop' struct sockaddr_in argument.  Disable early checks
	if 'srcrt' is set.

 netinet/ip_output.c
	Removed all direct ipfw handling code and replace it with the new
	'ipfw forward' handling code.

 netinet/ip_var.h
	Add ip_reass() as general function.  (Used from ipfw PFIL handlers
	for IPDIVERT.)

 netinet/raw_ip.c
	Directly check if ipfw and dummynet control pointers are active.

 netinet/tcp_input.c
	Rework the 'ipfw forward' to local code to work with the new way of
	forward tags.

 netinet/tcp_sack.c
	Remove include 'opt_ipfw.h' which is not needed here.

 sys/mbuf.h
	Remove m_claim_next() macro which was exclusively for ipfw 'forward'
	and is no longer needed.

Approved by:	re (scottl)
2004-08-17 22:05:54 +00:00
bin Add a "fillchar" command line argument to dd(1) that permits the user 2004-08-15 19:10:05 +00:00
contrib Make 'client DNS forward update' working again which got broken in rev. 2004-08-16 22:35:56 +00:00
crypto Add support for C3 Nehemiah ACE ("Padlock") AES crypto. This comes 2004-08-14 13:38:35 +00:00
etc Create temporary files safely. 2004-08-16 16:37:06 +00:00
games Add a useful snippet on limitations of inductive reasoning by Bertrand 2004-08-15 19:24:17 +00:00
gnu Improve the usage. Without any arguments, kgdb(1) works on /dev/mem 2004-08-15 02:39:20 +00:00
include Connect RAID3 GEOM class to the build. 2004-08-16 06:36:21 +00:00
kerberos5 Join the 21st century: Cryptography is no longer an optional component 2004-08-06 07:27:08 +00:00
lib /me kicks cvs update 2004-08-17 04:56:03 +00:00
libexec Instead of "OpenFirmware", "openfirmware", etc. use the official spelling 2004-08-16 15:45:27 +00:00
release Bring back 'NO_FLOPPIES', but as a user external knob. 2004-08-16 10:25:43 +00:00
rescue As with the non-rescue version don't build fore_dnld when NOATM is defined. 2004-08-16 03:16:48 +00:00
sbin Use a local "compress" symbol corresponding to a variable in BSS, 2004-08-16 07:02:14 +00:00
secure Add support for C3 Nehemiah ACE ("Padlock") AES crypto. This comes 2004-08-14 13:38:35 +00:00
share Update Document Date to match last change. 2004-08-17 07:44:25 +00:00
sys Convert ipfw to use PFIL_HOOKS. This is change is transparent to userland 2004-08-17 22:05:54 +00:00
tools Example configuration files for customize.sh. 2004-08-16 22:55:51 +00:00
usr.bin - Add my birthday. 24, yay. 2004-08-16 20:00:08 +00:00
usr.sbin We now handle SSDT tables. Remove a reference from the BUGS section 2004-08-16 20:33:20 +00:00
COPYRIGHT Update the COPYRIGHT file to include FreeBSD's compilation copyright 2003-12-31 22:35:22 +00:00
installworld_newk Commit the first set of files for changing time_t on freebsd/sparc64 2004-03-03 19:36:20 +00:00
installworld_oldk Commit the first set of files for changing time_t on freebsd/sparc64 2004-03-03 19:36:20 +00:00
MAINTAINERS Add myself as geom_raid3 maintainer. 2004-08-16 10:43:41 +00:00
Makefile Make make recurse into sub-directories and sub-makes when given 2004-08-09 11:38:41 +00:00
Makefile.inc1 sys/boot seems to compile fine on Alpha; unbreak ``make release''. 2004-08-16 18:17:14 +00:00
README KerberosIV de-orbit burn continues. Disconnect from "make world". 2003-03-08 10:01:26 +00:00
UPDATING Add a note about RANDOM_IP_ID. 2004-08-14 16:16:01 +00:00
UPDATING.64BTT Add a tip for people who are using database-related ports on a sparc64 2004-03-17 01:59:47 +00:00

This is the top level of the FreeBSD source directory.  This file
was last revised on:
$FreeBSD$

For copyright information, please see the file COPYRIGHT in this
directory (additional copyright information also exists for some
sources in this tree - please see the specific source directories for
more information).

The Makefile in this directory supports a number of targets for
building components (or all) of the FreeBSD source tree, the most
commonly used one being ``world'', which rebuilds and installs
everything in the FreeBSD system from the source tree except the
kernel, the kernel-modules and the contents of /etc.  The
``buildkernel'' and ``installkernel'' targets build and install
the kernel and the modules (see below).  Please see the top of
the Makefile in this directory for more information on the
standard build targets and compile-time flags.

Building a kernel is a somewhat more involved process, documentation
for which can be found at:
   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
And in the config(8) man page.
Note: If you want to build and install the kernel with the
``buildkernel'' and ``installkernel'' targets, you might need to build
world before.  More information is available in the handbook.

The sample kernel configuration files reside in the sys/<arch>/conf
sub-directory (assuming that you've installed the kernel sources), the
file named GENERIC being the one used to build your initial installation
kernel.  The file NOTES contains entries and documentation for all possible
devices, not just those commonly used.  It is the successor of the ancient
LINT file, but in contrast to LINT, it is not buildable as a kernel but a
pure reference and documentation file.


Source Roadmap:
---------------
bin		System/user commands.

contrib		Packages contributed by 3rd parties.

crypto		Cryptography stuff (see crypto/README).

etc		Template files for /etc.

games		Amusements.

gnu		Various commands and libraries under the GNU Public License.
		Please see gnu/COPYING* for more information.

include		System include files.

kerberos5	Kerberos5 (Heimdal) package.

lib		System libraries.

libexec		System daemons.

release		Release building Makefile & associated tools.

sbin		System commands.

secure		Cryptographic libraries and commands.

share		Shared resources.

sys		Kernel sources.

tools		Utilities for regression testing and miscellaneous tasks.

usr.bin		User commands.

usr.sbin	System administration commands.


For information on synchronizing your source tree with one or more of
the FreeBSD Project's development branches, please see:

  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html