diff options
| author | Julian Elischer <julian@FreeBSD.org> | 2009-10-11 05:59:43 +0000 |
|---|---|---|
| committer | Julian Elischer <julian@FreeBSD.org> | 2009-10-11 05:59:43 +0000 |
| commit | 0b4b0b0feea2734cdf46d8542dee3cc4a56fa52b (patch) | |
| tree | d481a2e714a210799fdaf274f5482c3e67e5c845 /sys/netinet/ip_input.c | |
| parent | 33cba7feacf4dfbdd9b2316a3e3a97056e2b5c26 (diff) | |
| download | src-0b4b0b0feea2734cdf46d8542dee3cc4a56fa52b.tar.gz src-0b4b0b0feea2734cdf46d8542dee3cc4a56fa52b.zip | |
Virtualize the pfil hooks so that different jails may chose different
packet filters. ALso allows ipfw to be enabled on on ejail and disabled
on another. In 8.0 it's a global setting.
Sitting aroung in tree waiting to commit for: 2 months
MFC after: 2 months
Notes
Notes:
svn path=/head/; revision=197952
Diffstat (limited to 'sys/netinet/ip_input.c')
| -rw-r--r-- | sys/netinet/ip_input.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 7886fa737163..50b66b564e7b 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -170,7 +170,7 @@ SYSCTL_VNET_INT(_net_inet_ip, OID_AUTO, check_interface, CTLFLAG_RW, &VNET_NAME(ip_checkinterface), 0, "Verify packet arrives on correct interface"); -struct pfil_head inet_pfil_hook; /* Packet filter hooks */ +VNET_DEFINE(struct pfil_head, inet_pfil_hook); /* Packet filter hooks */ static struct netisr_handler ip_nh = { .nh_name = "ip", @@ -318,6 +318,13 @@ ip_init(void) NULL, UMA_ALIGN_PTR, 0); maxnipq_update(); + /* Initialize packet filter hooks. */ + V_inet_pfil_hook.ph_type = PFIL_TYPE_AF; + V_inet_pfil_hook.ph_af = AF_INET; + if ((i = pfil_head_register(&V_inet_pfil_hook)) != 0) + printf("%s: WARNING: unable to register pfil hook, " + "error %d\n", __func__, i); + #ifdef FLOWTABLE TUNABLE_INT_FETCH("net.inet.ip.output_flowtable_size", &V_ip_output_flowtable_size); @@ -348,13 +355,6 @@ ip_init(void) ip_protox[pr->pr_protocol] = pr - inetsw; } - /* Initialize packet filter hooks. */ - inet_pfil_hook.ph_type = PFIL_TYPE_AF; - inet_pfil_hook.ph_af = AF_INET; - if ((i = pfil_head_register(&inet_pfil_hook)) != 0) - printf("%s: WARNING: unable to register pfil hook, " - "error %d\n", __func__, i); - /* Start ipport_tick. */ callout_init(&ipport_tick_callout, CALLOUT_MPSAFE); callout_reset(&ipport_tick_callout, 1, ipport_tick, NULL); @@ -510,11 +510,11 @@ tooshort: */ /* Jump over all PFIL processing if hooks are not active. */ - if (!PFIL_HOOKED(&inet_pfil_hook)) + if (!PFIL_HOOKED(&V_inet_pfil_hook)) goto passin; odst = ip->ip_dst; - if (pfil_run_hooks(&inet_pfil_hook, &m, ifp, PFIL_IN, NULL) != 0) + if (pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_IN, NULL) != 0) return; if (m == NULL) /* consumed by filter */ return; |