author | 2011-04-24 19:36:54 +0000 | |
---|---|---|
committer | 2011-04-24 19:36:54 +0000 | |
commit | 806fbec1d553e93c38dd90d3d16e0d84e730756a (patch) | |
tree | 1bfed0d9f934e624cafab1652a1ebe63e84ffa00 /sys/netinet6/raw_ip6.c | |
parent | Prevent line breaks right before numbers. Groff does the same. (diff) | |
Double link between pf states and sockets. Henning has already
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup is always
optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
Diffstat (limited to 'sys/netinet6/raw_ip6.c')
-rw-r--r-- | sys/netinet6/raw_ip6.c | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index c40a77d171a..2e1140953ef 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -1,4 +1,4 @@ -/* $OpenBSD: raw_ip6.c,v 1.41 2011/04/04 11:07:18 claudio Exp $ */ +/* $OpenBSD: raw_ip6.c,v 1.42 2011/04/24 19:36:54 bluhm Exp $ */ /* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */ /* @@ -61,6 +61,8 @@ * @(#)raw_ip.c 8.2 (Berkeley) 1/4/94 */ +#include "pf.h" + #include <sys/param.h> #include <sys/malloc.h> #include <sys/mbuf.h> @@ -75,6 +77,9 @@ #include <net/if.h> #include <net/route.h> #include <net/if_types.h> +#if NPF > 0 +#include <net/pfvar.h> +#endif #include <netinet/in.h> #include <netinet/in_var.h> @@ -200,6 +205,16 @@ rip6_input(struct mbuf **mp, int *offp, int proto) continue; } } +#if NPF > 0 + if (m->m_pkthdr.pf.statekey && !in6p->inp_pf_sk && + !((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp && + (in6p->inp_socket->so_state & SS_ISCONNECTED) && + proto != IPPROTO_ICMPV6) { + ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = + in6p; + in6p->inp_pf_sk = m->m_pkthdr.pf.statekey; + } +#endif if (last) { struct mbuf *n; if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) { @@ -487,6 +502,11 @@ rip6_output(struct mbuf *m, ...) if (in6p->in6p_flags & IN6P_MINMTU) flags |= IPV6_MINMTU; +#if NPF > 0 + if (in6p->inp_socket->so_state & SS_ISCONNECTED && + so->so_proto->pr_protocol != IPPROTO_ICMPV6) + m->m_pkthdr.pf.inp = in6p; +#endif error = ip6_output(m, optp, &in6p->in6p_route, flags, in6p->in6p_moptions, &oifp, in6p); if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) { |
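Review bot: The `#if NPF > 0` block added to rip6_input stores two raw cross-pointers (the state key's `inp` and the pcb's `inp_pf_sk`) with no reference count or unlink visible in this file, so whichever object is freed first has to clear the other side or a stale pointer is left behind. The commit message describes state deletion on socket close only for divert states; the unlink for ordinary states presumably lives in the pcb-detach and state-key-free paths outside this diff, and that is worth confirming, likewise for `m->m_pkthdr.pf.inp = in6p` in the rip6_output hunk if the mbuf can be queued past the socket's lifetime. The repeated cast would read better through a local, e.g. `struct pf_state_key *sk = m->m_pkthdr.pf.statekey;` (no cast needed if `statekey` is a void pointer, as the casts suggest), together with a one-line comment saying that only the first connected matching pcb is linked and why ICMPv6 is skipped. rip6_input's body and the pcb loop this block sits in start and end outside the hunk.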
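Review bot: The condition added in rip6_output reads the socket through `in6p->inp_socket->so_state` in one operand and through `so->so_proto->pr_protocol` in the other, and leaves the `&` test unparenthesized, unlike the matching block added to rip6_input. Assuming `so` is the socket that `in6p` belongs to (its assignment is outside the hunk), `if ((so->so_state & SS_ISCONNECTED) &&` keeps the two hunks consistent and makes the precedence explicit. The function body starts and ends outside the hunk.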