Diffstat (limited to 'sys/netinet/ipfw')
| -rw-r--r-- | sys/netinet/ipfw/ip_fw2.c | 194 | ||||
| -rw-r--r-- | sys/netinet/ipfw/ip_fw_nat.c | 14 | ||||
| -rw-r--r-- | sys/netinet/ipfw/ip_fw_pfil.c | 10 |
3 files changed, 98 insertions, 120 deletions
diff --git a/sys/netinet/ipfw/ip_fw2.c b/sys/netinet/ipfw/ip_fw2.c index cce1a4d44a69..95efc2b9869c 100644 --- a/sys/netinet/ipfw/ip_fw2.c +++ b/sys/netinet/ipfw/ip_fw2.c @@ -88,7 +88,6 @@ __FBSDID("$FreeBSD$"); #include <netinet/udp.h> #include <netinet/udp_var.h> #include <netinet/sctp.h> -#include <netinet/vinet.h> #include <netgraph/ng_ipfw.h> @@ -104,12 +103,6 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_framework.h> #endif -#ifndef VIMAGE -#ifndef VIMAGE_GLOBALS -struct vnet_ipfw vnet_ipfw_0; -#endif -#endif - /* * set_disable contains one bit per set value (0..31). * If the bit is set, all rules with the corresponding set @@ -118,12 +111,15 @@ struct vnet_ipfw vnet_ipfw_0; * and CANNOT be disabled. * Rules in set RESVD_SET can only be deleted explicitly. */ -#ifdef VIMAGE_GLOBALS -static u_int32_t set_disable; -static int fw_verbose; -static struct callout ipfw_timeout; -static int verbose_limit; -#endif +static VNET_DEFINE(u_int32_t, set_disable); +static VNET_DEFINE(int, fw_verbose); +static VNET_DEFINE(struct callout, ipfw_timeout); +static VNET_DEFINE(int, verbose_limit); + +#define V_set_disable VNET_GET(set_disable) +#define V_fw_verbose VNET_GET(fw_verbose) +#define V_ipfw_timeout VNET_GET(ipfw_timeout) +#define V_verbose_limit VNET_GET(verbose_limit) #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT static int default_to_accept = 1; @@ -137,9 +133,7 @@ struct ip_fw *ip_fw_default_rule; /* * list of rules for layer 3 */ -#ifdef VIMAGE_GLOBALS -struct ip_fw_chain layer3_chain; -#endif +VNET_DEFINE(struct ip_fw_chain, layer3_chain); MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); MALLOC_DEFINE(M_IPFW_TBL, "ipfw_tbl", "IpFw tables"); 
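Review bot: `ip_fw_default_rule`, named in the header of the hunk at -137, stays a single global pointer while `layer3_chain` becomes per-vnet through `VNET_DEFINE(struct ip_fw_chain, layer3_chain);`. If each vnet builds its own chain with its own default rule, one shared pointer can refer to only one of them, so code that compares a rule against `ip_fw_default_rule` would presumably misidentify the default accept/deny rule in the other vnets. The pointer's uses are outside the hunk, so this needs confirming against the rest of the file. If it turns out to be per-chain state, `VNET_DEFINE(struct ip_fw *, ip_fw_default_rule);` with a matching `V_ip_fw_default_rule` accessor would be consistent with the other definitions converted here.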
@@ -156,27 +150,26 @@ struct table_entry { u_int32_t value; }; -#ifdef VIMAGE_GLOBALS -static int autoinc_step; -#endif +static VNET_DEFINE(int, autoinc_step); +#define V_autoinc_step VNET_GET(autoinc_step) extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_V_PROC(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, enable, - CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, fw_enable, 0, +SYSCTL_VNET_PROC(_net_inet_ip_fw, OID_AUTO, enable, + CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_enable), 0, ipfw_chg_hook, "I", "Enable ipfw"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, autoinc_step, - CTLFLAG_RW, autoinc_step, 0, "Rule number auto-increment step"); -SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_ip_fw, OID_AUTO, one_pass, - CTLFLAG_RW | CTLFLAG_SECURE3, fw_one_pass, 0, +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, + CTLFLAG_RW, &VNET_NAME(autoinc_step), 0, "Rule number auto-increment step"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, one_pass, + CTLFLAG_RW | CTLFLAG_SECURE3, &VNET_NAME(fw_one_pass), 0, "Only do a single pass through ipfw when using dummynet(4)"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, verbose, +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW | CTLFLAG_SECURE3, - fw_verbose, 0, "Log matches to ipfw rules"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, verbose_limit, - CTLFLAG_RW, verbose_limit, 0, + &VNET_NAME(fw_verbose), 0, "Log matches to ipfw rules"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, + CTLFLAG_RW, &VNET_NAME(verbose_limit), 0, "Set upper limit of matches of ipfw rules logged"); SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, default_rule, CTLFLAG_RD, NULL, IPFW_DEFAULT_RULE, "The default/max possible rule number."); 
@@ -223,11 +216,13 @@ TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept); * obey the 'randomized match', and we do not do multiple * passes through the firewall. XXX check the latter!!! */ -#ifdef VIMAGE_GLOBALS -static ipfw_dyn_rule **ipfw_dyn_v; -static u_int32_t dyn_buckets; -static u_int32_t curr_dyn_buckets; -#endif +static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v); +static VNET_DEFINE(u_int32_t, dyn_buckets); +static VNET_DEFINE(u_int32_t, curr_dyn_buckets); + +#define V_ipfw_dyn_v VNET_GET(ipfw_dyn_v) +#define V_dyn_buckets VNET_GET(dyn_buckets) +#define V_curr_dyn_buckets VNET_GET(curr_dyn_buckets) static struct mtx ipfw_dyn_mtx; /* mutex guarding dynamic rules */ #define IPFW_DYN_LOCK_INIT() \ @@ -240,13 +235,19 @@ static struct mtx ipfw_dyn_mtx; /* mutex guarding dynamic rules */ /* * Timeouts for various events in handing dynamic rules. */ -#ifdef VIMAGE_GLOBALS -static u_int32_t dyn_ack_lifetime; -static u_int32_t dyn_syn_lifetime; -static u_int32_t dyn_fin_lifetime; -static u_int32_t dyn_rst_lifetime; -static u_int32_t dyn_udp_lifetime; -static u_int32_t dyn_short_lifetime; +static VNET_DEFINE(u_int32_t, dyn_ack_lifetime); +static VNET_DEFINE(u_int32_t, dyn_syn_lifetime); +static VNET_DEFINE(u_int32_t, dyn_fin_lifetime); +static VNET_DEFINE(u_int32_t, dyn_rst_lifetime); +static VNET_DEFINE(u_int32_t, dyn_udp_lifetime); +static VNET_DEFINE(u_int32_t, dyn_short_lifetime); + +#define V_dyn_ack_lifetime VNET_GET(dyn_ack_lifetime) +#define V_dyn_syn_lifetime VNET_GET(dyn_syn_lifetime) +#define V_dyn_fin_lifetime VNET_GET(dyn_fin_lifetime) +#define V_dyn_rst_lifetime VNET_GET(dyn_rst_lifetime) +#define V_dyn_udp_lifetime VNET_GET(dyn_udp_lifetime) +#define V_dyn_short_lifetime VNET_GET(dyn_short_lifetime) /* * Keepalives are sent if dyn_keepalive is set. They are sent every 
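Review bot: `ipfw_dyn_mtx` stays one file-scope mutex in the hunk at -223, while the table it guards, `ipfw_dyn_v`, and the bucket counts become per-vnet. That is safe as far as locking goes, but every vnet's dynamic-rule path then serializes on the same lock, and the existing comment no longer says what scope the lock has. I would reword it to `/* one mutex guarding the dynamic rules of all vnets */` so a later reader does not assume per-vnet locking.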
@@ -256,42 +257,57 @@ static u_int32_t dyn_short_lifetime; * than dyn_keepalive_period. */ -static u_int32_t dyn_keepalive_interval; -static u_int32_t dyn_keepalive_period; -static u_int32_t dyn_keepalive; +static VNET_DEFINE(u_int32_t, dyn_keepalive_interval); +static VNET_DEFINE(u_int32_t, dyn_keepalive_period); +static VNET_DEFINE(u_int32_t, dyn_keepalive); + +#define V_dyn_keepalive_interval VNET_GET(dyn_keepalive_interval) +#define V_dyn_keepalive_period VNET_GET(dyn_keepalive_period) +#define V_dyn_keepalive VNET_GET(dyn_keepalive) -static u_int32_t static_count; /* # of static rules */ -static u_int32_t static_len; /* size in bytes of static rules */ -static u_int32_t dyn_count; /* # of dynamic rules */ -static u_int32_t dyn_max; /* max # of dynamic rules */ -#endif /* VIMAGE_GLOBALS */ +static VNET_DEFINE(u_int32_t, static_count); /* # of static rules */ +static VNET_DEFINE(u_int32_t, static_len); /* bytes of static rules */ +static VNET_DEFINE(u_int32_t, dyn_count); /* # of dynamic rules */ +static VNET_DEFINE(u_int32_t, dyn_max); /* max # of dynamic rules */ + +#define V_static_count VNET_GET(static_count) +#define V_static_len VNET_GET(static_len) +#define V_dyn_count VNET_GET(dyn_count) +#define V_dyn_max VNET_GET(dyn_max) #ifdef SYSCTL_NODE -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_buckets, - CTLFLAG_RW, dyn_buckets, 0, "Number of dyn. buckets"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, - CTLFLAG_RD, curr_dyn_buckets, 0, "Current Number of dyn. buckets"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_count, - CTLFLAG_RD, dyn_count, 0, "Number of dyn. rules"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_max, - CTLFLAG_RW, dyn_max, 0, "Max number of dyn. 
rules"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, static_count, - CTLFLAG_RD, static_count, 0, "Number of static rules"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, - CTLFLAG_RW, dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, - CTLFLAG_RW, dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, - CTLFLAG_RW, dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, - CTLFLAG_RW, dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, - CTLFLAG_RW, dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, - CTLFLAG_RW, dyn_short_lifetime, 0, +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, + CTLFLAG_RW, &VNET_NAME(dyn_buckets), 0, "Number of dyn. buckets"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, + CTLFLAG_RD, &VNET_NAME(curr_dyn_buckets), 0, + "Current Number of dyn. buckets"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, + CTLFLAG_RD, &VNET_NAME(dyn_count), 0, "Number of dyn. rules"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, + CTLFLAG_RW, &VNET_NAME(dyn_max), 0, "Max number of dyn. rules"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, static_count, + CTLFLAG_RD, &VNET_NAME(static_count), 0, "Number of static rules"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, + CTLFLAG_RW, &VNET_NAME(dyn_ack_lifetime), 0, + "Lifetime of dyn. rules for acks"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, + CTLFLAG_RW, &VNET_NAME(dyn_syn_lifetime), 0, + "Lifetime of dyn. 
rules for syn"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, + CTLFLAG_RW, &VNET_NAME(dyn_fin_lifetime), 0, + "Lifetime of dyn. rules for fin"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, + CTLFLAG_RW, &VNET_NAME(dyn_rst_lifetime), 0, + "Lifetime of dyn. rules for rst"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, + CTLFLAG_RW, &VNET_NAME(dyn_udp_lifetime), 0, + "Lifetime of dyn. rules for UDP"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, + CTLFLAG_RW, &VNET_NAME(dyn_short_lifetime), 0, "Lifetime of dyn. rules for other situations"); -SYSCTL_V_INT(V_NET, vnet_ipfw, _net_inet_ip_fw, OID_AUTO, dyn_keepalive, - CTLFLAG_RW, dyn_keepalive, 0, "Enable keepalives for dyn. rules"); +SYSCTL_VNET_INT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, + CTLFLAG_RW, &VNET_NAME(dyn_keepalive), 0, + "Enable keepalives for dyn. rules"); #endif /* SYSCTL_NODE */ #ifdef INET6 @@ -306,9 +322,8 @@ static struct sysctl_ctx_list ip6_fw_sysctl_ctx; static struct sysctl_oid *ip6_fw_sysctl_tree; #endif /* INET6 */ -#ifdef VIMAGE_GLOBALS -static int fw_deny_unknown_exthdrs; -#endif +static VNET_DEFINE(int, fw_deny_unknown_exthdrs); +#define V_fw_deny_unknown_exthdrs VNET_GET(fw_deny_unknown_exthdrs) /* * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T @@ -581,7 +596,6 @@ flow6id_match( int curr_flow, ipfw_insn_u32 *cmd ) static int search_ip6_addr_net (struct in6_addr * ip6_addr) { - INIT_VNET_NET(curvnet); struct ifnet *mdc; struct ifaddr *mdc2; struct in6_ifaddr *fdm; 
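Review bot: The counters and limits in the hunk at -256 are defined as `u_int32_t` but exported with `SYSCTL_VNET_INT`, so writable knobs such as `dyn_max`, `dyn_buckets` and the `dyn_*_lifetime` values are handled as signed ints. A negative write would then be stored as a very large unsigned limit or lifetime; whether anything later bounds these values is not visible here. The mismatch predates this commit (the removed `SYSCTL_V_INT` lines had it too), but since every line is being rewritten an unsigned export would fit, e.g. `SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW, &VNET_NAME(dyn_max), 0, "Max number of dyn. rules");`, assuming the tree provides that macro at this revision.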
@@ -764,9 +778,9 @@ send_reject6(struct ip_fw_args *args, int code, u_int hlen, struct ip6_hdr *ip6) #endif /* INET6 */ -#ifdef VIMAGE_GLOBALS -static u_int64_t norule_counter; /* counter for ipfw_log(NULL...) */ -#endif +/* counter for ipfw_log(NULL...) */ +static VNET_DEFINE(u_int64_t, norule_counter); +#define V_norule_counter VNET_GET(norule_counter) #define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0 #define SNP(buf) buf, sizeof(buf) @@ -780,7 +794,6 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, struct ip *ip) { - INIT_VNET_IPFW(curvnet); struct ether_header *eh = args->eh; char *action; int limit_reached = 0; @@ -1054,7 +1067,6 @@ ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, static __inline int hash_packet(struct ipfw_flow_id *id) { - INIT_VNET_IPFW(curvnet); u_int32_t i; #ifdef INET6 @@ -1106,7 +1118,6 @@ hash_packet(struct ipfw_flow_id *id) static void remove_dyn_rule(struct ip_fw *rule, ipfw_dyn_rule *keep_me) { - INIT_VNET_IPFW(curvnet); static u_int32_t last_remove = 0; #define FORCE (keep_me == NULL) @@ -1177,7 +1188,6 @@ static ipfw_dyn_rule * lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction, struct tcphdr *tcp) { - INIT_VNET_IPFW(curvnet); /* * stateful ipfw extensions. * Lookup into dynamic session queue @@ -1334,7 +1344,6 @@ lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction, static void realloc_dynamic_table(void) { - INIT_VNET_IPFW(curvnet); IPFW_DYN_LOCK_ASSERT(); /* @@ -1374,7 +1383,6 @@ realloc_dynamic_table(void) static ipfw_dyn_rule * add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule) { - INIT_VNET_IPFW(curvnet); ipfw_dyn_rule *r; int i; 
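Review bot: `static u_int32_t last_remove = 0;` in `remove_dyn_rule` (hunk at -1106) is a function-local static, so it remains one value shared by every vnet even though the rest of the dynamic-rule state is now per-vnet. `static int last_log;` in `install_state` (hunk at -1474) has the same problem. From the names these look like time-based throttles, in which case activity in one vnet would suppress expiry or logging in another; that is inferred, because both function bodies continue outside the hunks. Moving them to file scope as `static VNET_DEFINE(u_int32_t, last_remove);` and `static VNET_DEFINE(int, last_log);` with `V_` accessors would match the other variables converted in this file.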
@@ -1430,7 +1438,6 @@ add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule) static ipfw_dyn_rule * lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule) { - INIT_VNET_IPFW(curvnet); ipfw_dyn_rule *q; int i; @@ -1474,7 +1481,6 @@ static int install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, struct ip_fw_args *args, uint32_t tablearg) { - INIT_VNET_IPFW(curvnet); static int last_log; ipfw_dyn_rule *q; struct in_addr da; @@ -1636,7 +1642,6 @@ static struct mbuf * send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags) { - INIT_VNET_INET(curvnet); struct mbuf *m; struct ip *ip; struct tcphdr *tcp; @@ -2002,7 +2007,6 @@ check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, u_int16_t src_port, struct ucred **uc, int *ugid_lookupp, struct inpcb *inp) { - INIT_VNET_INET(curvnet); struct inpcbinfo *pi; int wildcard; struct inpcb *pcb; @@ -2110,8 +2114,6 @@ check_uidgid(ipfw_insn_u32 *insn, int proto, struct ifnet *oif, int ipfw_chk(struct ip_fw_args *args) { - INIT_VNET_INET(curvnet); - INIT_VNET_IPFW(curvnet); /* * Local variables holding state during the processing of a packet: @@ -3491,7 +3493,6 @@ flush_rule_ptrs(struct ip_fw_chain *chain) static int add_rule(struct ip_fw_chain *chain, struct ip_fw *input_rule) { - INIT_VNET_IPFW(curvnet); struct ip_fw *rule, *f, *prev; int l = RULESIZE(input_rule); @@ -3580,7 +3581,6 @@ static struct ip_fw * remove_rule(struct ip_fw_chain *chain, struct ip_fw *rule, struct ip_fw *prev) { - INIT_VNET_IPFW(curvnet); struct ip_fw *n; int l = RULESIZE(rule); @@ -3793,7 +3793,6 @@ clear_counters(struct ip_fw *rule, int log_only) static int zero_entry(struct ip_fw_chain *chain, u_int32_t arg, int log_only) { - INIT_VNET_IPFW(curvnet); struct ip_fw *rule; char *msg; 
@@ -4167,7 +4166,6 @@ bad_size: static size_t ipfw_getrules(struct ip_fw_chain *chain, void *buf, size_t space) { - INIT_VNET_IPFW(curvnet); char *bp = buf; char *ep = bp + space; struct ip_fw *rule; @@ -4250,7 +4248,6 @@ static int ipfw_ctl(struct sockopt *sopt) { #define RULE_MAXSIZE (256*sizeof(u_int32_t)) - INIT_VNET_IPFW(curvnet); int error; size_t size; struct ip_fw *buf, *rule; @@ -4521,7 +4518,6 @@ ipfw_ctl(struct sockopt *sopt) static void ipfw_tick(void * __unused unused) { - INIT_VNET_IPFW(curvnet); struct mbuf *m0, *m, *mnext, **mtailp; int i; ipfw_dyn_rule *q; @@ -4576,7 +4572,6 @@ done: int ipfw_init(void) { - INIT_VNET_IPFW(curvnet); struct ip_fw default_rule; int error; @@ -4701,7 +4696,6 @@ ipfw_init(void) void ipfw_destroy(void) { - INIT_VNET_IPFW(curvnet); struct ip_fw *reap; ip_fw_chk_ptr = NULL; diff --git a/sys/netinet/ipfw/ip_fw_nat.c b/sys/netinet/ipfw/ip_fw_nat.c index 6ef30bbdd314..9ba2f5f13962 100644 --- a/sys/netinet/ipfw/ip_fw_nat.c +++ b/sys/netinet/ipfw/ip_fw_nat.c @@ -69,10 +69,8 @@ __FBSDID("$FreeBSD$"); MALLOC_DECLARE(M_IPFW); -#ifdef VIMAGE_GLOBALS -extern struct ip_fw_chain layer3_chain; -static eventhandler_tag ifaddr_event_tag; -#endif +static VNET_DEFINE(eventhandler_tag, ifaddr_event_tag); +#define V_ifaddr_event_tag VNET_GET(ifaddr_event_tag) extern ipfw_nat_t *ipfw_nat_ptr; extern ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; @@ -83,7 +81,6 @@ extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; static void ifaddr_change(void *arg __unused, struct ifnet *ifp) { - INIT_VNET_IPFW(curvnet); struct cfg_nat *ptr; struct ifaddr *ifa; @@ -111,7 +108,6 @@ ifaddr_change(void *arg __unused, struct ifnet *ifp) static void flush_nat_ptrs(const int i) { - INIT_VNET_IPFW(curvnet); struct ip_fw *rule; IPFW_WLOCK_ASSERT(&V_layer3_chain); @@ -411,7 +407,6 @@ ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) static int ipfw_nat_cfg(struct sockopt *sopt) { - INIT_VNET_IPFW(curvnet); struct cfg_nat *ptr, *ser_n; char *buf; 
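Review bot: `ipfw_tick(void * __unused unused)` in the hunk at -4521 still receives no usable argument, yet `ipfw_timeout` is now defined per vnet and the handler declares an `ipfw_dyn_rule *q`, so its body (outside the hunk) presumably walks the per-vnet dynamic table. A callout handler has no caller to inherit a vnet from, so unless the context is established elsewhere the `V_` accessors here depend on whatever `curvnet` is when the timer fires. I would pass the owning vnet as the callout argument and select it at the top of the handler with `CURVNET_SET()`. At minimum add a comment such as `/* XXX: runs from a callout; confirm which vnet's dynamic rules are scanned */`.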
@@ -482,7 +477,6 @@ ipfw_nat_cfg(struct sockopt *sopt) static int ipfw_nat_del(struct sockopt *sopt) { - INIT_VNET_IPFW(curvnet); struct cfg_nat *ptr; int i; @@ -505,7 +499,6 @@ ipfw_nat_del(struct sockopt *sopt) static int ipfw_nat_get_cfg(struct sockopt *sopt) { - INIT_VNET_IPFW(curvnet); uint8_t *data; struct cfg_nat *n; struct cfg_redir *r; @@ -560,7 +553,6 @@ nospace: static int ipfw_nat_get_log(struct sockopt *sopt) { - INIT_VNET_IPFW(curvnet); uint8_t *data; struct cfg_nat *ptr; int i, size, cnt, sof; @@ -595,7 +587,6 @@ ipfw_nat_get_log(struct sockopt *sopt) static void ipfw_nat_init(void) { - INIT_VNET_IPFW(curvnet); IPFW_WLOCK(&V_layer3_chain); /* init ipfw hooks */ @@ -612,7 +603,6 @@ ipfw_nat_init(void) static void ipfw_nat_destroy(void) { - INIT_VNET_IPFW(curvnet); struct ip_fw *rule; struct cfg_nat *ptr, *ptr_temp; diff --git a/sys/netinet/ipfw/ip_fw_pfil.c b/sys/netinet/ipfw/ip_fw_pfil.c index 5fd6a05e8fb3..a763855d5396 100644 --- a/sys/netinet/ipfw/ip_fw_pfil.c +++ b/sys/netinet/ipfw/ip_fw_pfil.c @@ -62,17 +62,14 @@ __FBSDID("$FreeBSD$"); #include <netinet/ip_fw.h> #include <netinet/ip_divert.h> #include <netinet/ip_dummynet.h> -#include <netinet/vinet.h> #include <netgraph/ng_ipfw.h> #include <machine/in_cksum.h> -#ifdef VIMAGE_GLOBALS -int fw_enable = 1; +VNET_DEFINE(int, fw_enable) = 1; #ifdef INET6 -int fw6_enable = 1; -#endif +VNET_DEFINE(int, fw6_enable) = 1; #endif int ipfw_chg_hook(SYSCTL_HANDLER_ARGS); @@ -92,7 +89,6 @@ int ipfw_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, struct inpcb *inp) { - INIT_VNET_INET(curvnet); struct ip_fw_args args; struct ng_ipfw_tag *ng_tag; struct m_tag *dn_tag; @@ -226,7 +222,6 @@ int ipfw_check_out(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, struct inpcb *inp) { - INIT_VNET_INET(curvnet); struct ip_fw_args args; struct ng_ipfw_tag *ng_tag; struct m_tag *dn_tag; 
@@ -520,7 +515,6 @@ ipfw6_unhook(void) int ipfw_chg_hook(SYSCTL_HANDLER_ARGS) { - INIT_VNET_IPFW(curvnet); int enable = *(int *)arg1; int error; |
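Review bot: `int enable = *(int *)arg1;` in `ipfw_chg_hook` now dereferences the pointer registered as `&VNET_NAME(fw_enable)` by the `SYSCTL_VNET_PROC` declaration in ip_fw2.c, and nothing in the handler says which instance that is. It presumably relies on the sysctl layer adjusting `arg1` to the calling vnet's copy before the handler runs; if that did not happen, the handler would read and toggle the wrong firewall-enable flag. A short comment would record the dependency, e.g. `/* arg1: expected to be the current vnet's copy of the enable flag (see SYSCTL_VNET_PROC) */`. The function continues past the end of the hunk.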
